Why not use only fast authentication?

michalhojsik
Contributor II

Hi.

I am using the authenticated boot feature of i.MX6ul and I would like to ask:

What is the advantage of using dedicated CSF and IMG signing keys compared to using directly the SRKs for signing (so-called "fast authentication")?

Regards,

Michal

1 Solution

Yuri
NXP Employee

Hello,

The IMG may also be encrypted; the CSF should only be signed.

Regards,

Yuri.

7 Replies

Yuri
NXP Employee

Hello,

The classical Public Key Infrastructure (PKI) approach allows the use of multiple CSF and IMG keys, say for different design teams.

Have a great day,
Yuri

michalhojsik
Contributor II

Hi Yuri.

Thanks for your reply.

If the goal was to allow different teams to have different keys, why are there different keys for CSF signing and for image signing? Both CSF and image signatures are generated by the CST in one step.

Regards,

Michal

Yuri
NXP Employee

Hello,

"Additional keys may be added to the tree later using a separate script."

You may look at section 3.2.5 (Adding a Key to a HAB4 PKI Tree) of the recent CST (2.3.3) documentation.

Also, customers may use their own CST (Appendix B, Replacing the CST Backend Implementation).

Regards,

Yuri.

michalhojsik
Contributor II

Hi Yuri.

I am using CST Rev. 2.3.1 so sorry if my questions are already answered in the updated document.

My questions are:

1) Why would someone want to use one key for CST signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.

2) Certificates generated by the add_key.sh script have a validity interval based on the user's input. Is HAB checking certificate validity during boot time?

Regards,

Michal

Yuri
NXP Employee

Hello,

1. The IMX boot ROM HAB implementation does not allow the use of one key for CST signing and a different key for IMG signing.

2. Details of the boot ROM HAB implementation are not provided publicly. Please create a request / ticket.

Support|NXP  

Have a great day,

Yuri

 

michalhojsik
Contributor II

Hi Yuri.

Sorry, there was a typo in the first question - should be CSF signing and not CST signing. The question is:

1) Why would someone want to use one key for CSF signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.

The CSF key is installed by the CSF command [Install CSFK], the IMG key by the [Install Key] command.

Regards,

Michal

Yuri
NXP Employee

Hello,

The IMG may also be encrypted; the CSF should only be signed.

Regards,

Yuri.
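
To make the two layouts discussed in this thread concrete, the following added example (not code from the original posts or from NXP) parses two constructed CSF files and reports which certificate verifies the CSF and which verifies the image data. The file names, block values and the helper names `parse_csf` and `signing_keys` are assumptions made for illustration.

```python
# Constructed sample CSFs; file names and block values are placeholders.
STANDARD_CSF = """
[Install SRK]
    File = "SRK_1_2_3_4_table.bin"
    Source index = 0
[Install CSFK]
    File = "CSF1_1_crt.pem"
[Authenticate CSF]
[Install Key]
    Verification index = 0
    Target index = 2
    File = "IMG1_1_crt.pem"
[Authenticate Data]
    Verification index = 2
    Blocks = 0x80000000 0x0 0x1000 "image.bin"
"""
FAST_AUTH_CSF = """
[Install SRK]
    File = "SRK_1_2_3_4_table.bin"
    Source index = 0
[Install NOCAK]
    File = "SRK1_crt.pem"
[Authenticate CSF]
[Authenticate Data]
    Verification index = 0
    Blocks = 0x80000000 0x0 0x1000 "image.bin"
"""

def parse_csf(text):  # -> ordered list of (command, {field: raw value})
    cmds = []
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            cmds.append((line.strip("[]"), {}))
        elif "=" in line and cmds:
            key, value = line.split("=", 1)
            cmds[-1][1][key.strip().lower()] = value.strip()
    return cmds

def signing_keys(text):  # which certificate verifies the CSF, which the data
    slots = {0: "SRK"}  # key slot 0 is the SRK installed by [Install SRK]
    out = {"fast_auth": False, "csf_key": None, "data_keys": []}
    for cmd, f in parse_csf(text):
        if cmd in ("Install CSFK", "Install NOCAK"):
            out.update(csf_key=f["file"].strip('"'), fast_auth=cmd == "Install NOCAK")
        elif cmd == "Install Key":
            slots[int(f["target index"])] = f["file"].strip('"')
        elif cmd == "Authenticate Data":
            out["data_keys"].append(slots[int(f["verification index"])])
    return out
```

In the standard layout the SRK only vouches for the CSF and IMG certificates, while in the fast-authentication layout the SRK itself verifies both the CSF and the image data.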
