Why not use only fast authentication?

Hi Yuri.

Thanks for your reply.

If the goal was to allow different teams to have different keys, why there are different keys for CSF signing and for image signing? Both CSF and image signatures are generated by the CST in one step.

Regards,

Michal

Hello,

  "Additional keys may be added to the tree later using a separate script."

 You may look at section 3.2.5 (Adding a Key to a HAB4 PKI Tree) of the recent CST (2.3.3) documentation.

  Also, customers may use own CST (Appendix B Replacing the CST Backend Implementation)

Regards,

Yuri.

Hi Yuri.

I am using CST Rev. 2.3.1 so sorry if my questions are already answered in the updated document.

My questions are:

1) Why would someone want to use one key for CST signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.

2) Certificates generated by the add_key.sh script have a validity interval based on user's input. Is HAB checking certificate validity during boot time?

Regards,

Michal

Hello,

 1. 

    IMX boot ROM HAB implementation does not allow to use one key for CST signing and

a different key for IMG signing.

2.

  Details of  boot ROM HAB implementation are not provided publically.

Please create request / ticket.

Support|NXP  

Have a great day,

Yuri

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer

button. Thank you!

Hi Yuri.

Sorry, there was a typo in the first question - should be CSF signing and not CST signing. The question is:

1) Why would someone want to use one key for CSF signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.

CSF key is installed by the CSF command [Install CSFK], IMG key by the [Install Key] command.

Regards,

Michal