Number of keys allowed in secure boot on iMX8X?

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Number of keys allowed in secure boot on iMX8X?

1,311 次查看
Gandalf-kern
Contributor IV

1) If I need to change keys, what is the process to change private and public keys in secure boot on iMX8X and how many keys are allowed?

2) To be specific, what are the number of private and public keys allowed in secure boot on iMX8X?

3) And how many root keys are allowed on iMX8X?

0 项奖励
回复
6 回复数

1,305 次查看
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

   Use app note "Secure Boot on i.MX 8 and i.MX 8X Families using AHAB".

https://www.nxp.com/docs/en/application-note/AN12312.pdf

 In particular, section 3.3 (Generating a PKI tree).

 

Regards,
Yuri.

0 项奖励
回复

1,297 次查看
Gandalf-kern
Contributor IV

Hi Yuri,

thanks but the document never mentions the number of allowable public and private keys. It mentions four root keys but not how many private and public keys are allowed. Do you have any idea or can you ask the secure boot team? Thanks!

0 项奖励
回复

1,291 次查看
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

  from CST documentation (Install Key command) key index range 0 .. 4 are allowed.

Regards,
Yuri.

0 项奖励
回复

1,265 次查看
Gandalf-kern
Contributor IV

I am reading AN4581 i.MX Secure Boot on HABv4 Supported Devices.

AN4581 says "only one SRK may be selected at boot time through an install SRK CSF command. In the case where one or more SRKs are compromised, it is possible to revoke that SRK.  There are up to four SRK revoke fuse bits that map to the SRK table indexes. An SRK key is revoked by burning the corresponding bit in the SRK_REVOKE[3:0] efuse field." The details are cryptic. 

I don't understand how to do SRK revocation. There are four SRK revoke fuse bits and an SRK key is revoked by burning the corresponding bit in the SRK_REVOKE[3:0].  How do I do this in u-boot from the command line? 

I used the SRK took to create a SRK table with four SRK keys. Then I get the fuses using the od command and program the fuses in u-boot. Now I want to revoke the second and last public keys. How do I do this? (I don't have any SECO events after rebooting.  Everything looks fine after programming the fuses).

1) Now I want to revoke SRK2 and SRK4 public keys, how do I do this from the u-boot command line?

2) I have programmed fuses 730-745 per NXP instructions, how many of these fuses are revoked for each SRK key that is revoked? One fuse for each SRK is revoked, so there are four fuses?

3) Are all four public keys available at boot time, or only the one SRK selected at boot time? In other words, can I have two public keys available at boot time if I want to use two public keys for some reason, one for a user and one for an admin as an example?

0 项奖励
回复

1,259 次查看
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

   use the following resource regarding the revoking:

https://community.nxp.com/t5/i-MX-Processors/i-MX8X-permanently-revoke-a-SRK-key/m-p/1209783

Note; details of i.MX8 revoking are not public. Please create request:

https://www.nxp.com/support/support:SUPPORTHOME?tid=sbmenu

 

 Also: only public key is available at boot time.

Regards,
Yuri.

0 项奖励
回复

1,253 次查看
Gandalf-kern
Contributor IV

I have created a case for the AHAB documentation for revocation.