Signing firmware, how to restrict?

1,248 Views
trescurieux
Contributor III

Hi

Sorry in advance if this is a dumb question about signed firmware.

I've read the Secure Boot AN and the LPC55 user manual, but there is something I'm missing.

The secure boot firmware contains the signing public key (in the certificate(s)), and is signed with it, if I got it correctly.

So far so good.

The part I don't understand is how an LPC55 is pinned to a certificate or a set of certificates?

I.e. how can I prevent a completely valid secure firmware, e.g. signed by somebody else, from being used?

There is something in the PFR to deal with that, I guess, but I could not figure it out.

I expected the root public key somewhere there, so that it could be used to validate the whole chain and reject every signature not coming from MY certificate chain, but I didn't find it.

If someone could kindly redirect me to the relevant part of the doc and/or shed some light, that would be appreciated.

Thank you in advance

Tc

0 Kudos
1 Solution
1,191 Views
Alice_Yang
NXP TechSupport

Hello Tres,

Yes, pay attention to "5.5 CMPA page preparation" of the secure boot AN: program RKTH to the chip. This hash is generated from the certificates during the signing process, so it corresponds to your private key and certificate.

Regards,

Alice

0 Kudos
3 Replies
1,191 Views
trescurieux
Contributor III

Hello again

Maybe just the hash of the root certificate is stored in the PFR and is checked against the one in the firmware image?

So only firmware(s) with the right root certificate hash are accepted?

Thanks

Tc

0 Kudos
1,191 Views
trescurieux
Contributor III

Thanks a lot!

Best Regards

Tres

0 Kudos
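The pinning check discussed in this thread, as an added example that is not part of the original posts and is not NXP's code: a simplified Python model in which the device stores one hash over a table of root key hashes and rejects any image whose root key table does not reproduce it. The four-slot table, the SHA-256-over-hashes derivation, the function names and the sample keys are assumptions made for illustration; the application note defines the real RKTH format.

```python
import hashlib
import hmac

SLOTS = 4  # assumption: the table holds up to four root key hashes


def key_hash(pubkey: bytes) -> bytes:
    """SHA-256 of one root public key (an empty slot hashes to 32 zero bytes)."""
    return hashlib.sha256(pubkey).digest() if pubkey else bytes(32)


def table_hash(root_keys: list[bytes]) -> bytes:
    """Hash over the whole root key table; this is the value provisioned on chip."""
    if not 1 <= len(root_keys) <= SLOTS:
        raise ValueError("need 1..%d root keys" % SLOTS)
    padded = root_keys + [b""] * (SLOTS - len(root_keys))
    return hashlib.sha256(b"".join(key_hash(k) for k in padded)).digest()


def boot_accepts(pinned: bytes, image_keys: list[bytes], used_slot: int) -> bool:
    """Model of the pinning step only: does the image's root key table match ours?

    Signature verification with image_keys[used_slot] would follow and is
    deliberately not modelled here.
    """
    if not 0 <= used_slot < len(image_keys) or not image_keys[used_slot]:
        return False  # image claims a root key slot that is empty or missing
    try:
        candidate = table_hash(image_keys)
    except ValueError:
        return False  # malformed table (too many entries)
    # Constant-time comparison against the value stored on the device.
    return hmac.compare_digest(candidate, pinned)


# Constructed sample keys (placeholders, not real key material).
OWNER_KEYS = [b"owner-root-key-0", b"owner-root-key-1"]
OTHER_KEYS = [b"someone-else-root-key"]
PINNED = table_hash(OWNER_KEYS)  # provisioned once, e.g. into the CMPA page

if __name__ == "__main__":
    print("owner image accepted:", boot_accepts(PINNED, OWNER_KEYS, 0))
    print("foreign image accepted:", boot_accepts(PINNED, OTHER_KEYS, 0))
```

An image that is correctly signed under someone else's root key still fails, because its key table hashes to a different value than the one stored on the device.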