Changes between Version 7 and Version 8 of venice/secure_boot


Ignore:
Timestamp:
06/23/2023 10:20:24 PM (11 months ago)
Author:
Tim Harvey
Comment:

updated instructions for latest NXP code-signing tools cst-3.3.2

Legend:

Unmodified
Added
Removed
Modified

  • venice/secure_boot

    v7 v8  
    4848
    4949Detailed Procedure (for Venice):
    50  1. Creation of Code Signing Key:
     50 1. Creation of Code Signing Key: '''This is an example - read the CST documentation and tailor to your needs'''
    5151  a. Retrieve the NXP Code Signing Tool (CST): https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW (Account required on NXP site)
    5252  b. Unpack the CST :
    5353{{{#!bash
    54 tar xvf cst-3.3.1.tgz
    55 cd cst-3.3.1/keys
     54tar xvf cst-3.3.2.tgz
     55cd cst-3.3.2/keys
    5656}}}
    5757  c. Create a text file named "serial", which contains 8 digits. OpenSSL uses the contents of this file for the 'certificate serial numbers'.
     
    6969...
    7070Do you want to use an existing CA key (y/n)?: n
    71 Do you want to use Elliptic Curve Cryptography (y/n)?: n
     71Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa
    7272Enter key length in bits for PKI tree: 4096
    7373Enter PKI tree duration (years): 10
     
    7676...
    7777}}}
    78    * this creates the following files which you can archive away as your 'PKI tree':
    79 {{{#!bash
    80 ../crts/CA1_sha256_4096_65537_v3_ca_crt.der
    81 ../crts/CA1_sha256_4096_65537_v3_ca_crt.pem
    82 ../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.der
    83 ../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
    84 ../crts/CSF2_1_sha256_4096_65537_v3_usr_crt.der
    85 ../crts/CSF2_1_sha256_4096_65537_v3_usr_crt.pem
    86 ../crts/CSF3_1_sha256_4096_65537_v3_usr_crt.der
    87 ../crts/CSF3_1_sha256_4096_65537_v3_usr_crt.pem
    88 ../crts/CSF4_1_sha256_4096_65537_v3_usr_crt.der
    89 ../crts/CSF4_1_sha256_4096_65537_v3_usr_crt.pem
    90 ../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.der
    91 ../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
    92 ../crts/IMG2_1_sha256_4096_65537_v3_usr_crt.der
    93 ../crts/IMG2_1_sha256_4096_65537_v3_usr_crt.pem
    94 ../crts/IMG3_1_sha256_4096_65537_v3_usr_crt.der
    95 ../crts/IMG3_1_sha256_4096_65537_v3_usr_crt.pem
    96 ../crts/IMG4_1_sha256_4096_65537_v3_usr_crt.der
    97 ../crts/IMG4_1_sha256_4096_65537_v3_usr_crt.pem
    98 ../crts/SRK1_sha256_4096_65537_v3_ca_crt.der
    99 ../crts/SRK1_sha256_4096_65537_v3_ca_crt.pem
    100 ../crts/SRK2_sha256_4096_65537_v3_ca_crt.der
    101 ../crts/SRK2_sha256_4096_65537_v3_ca_crt.pem
    102 ../crts/SRK3_sha256_4096_65537_v3_ca_crt.der
    103 ../crts/SRK3_sha256_4096_65537_v3_ca_crt.pem
    104 ../crts/SRK4_sha256_4096_65537_v3_ca_crt.der
    105 ../crts/SRK4_sha256_4096_65537_v3_ca_crt.pem
    106 ./CA1_sha256_4096_65537_v3_ca_key.der
    107 ./CA1_sha256_4096_65537_v3_ca_key.pem
    108 ./CSF1_1_sha256_4096_65537_v3_usr_key.der
    109 ./CSF1_1_sha256_4096_65537_v3_usr_key.pem
    110 ./CSF2_1_sha256_4096_65537_v3_usr_key.der
    111 ./CSF2_1_sha256_4096_65537_v3_usr_key.pem
    112 ./CSF3_1_sha256_4096_65537_v3_usr_key.der
    113 ./CSF3_1_sha256_4096_65537_v3_usr_key.pem
    114 ./CSF4_1_sha256_4096_65537_v3_usr_key.der
    115 ./CSF4_1_sha256_4096_65537_v3_usr_key.pem
    116 ./IMG1_1_sha256_4096_65537_v3_usr_key.der
    117 ./IMG1_1_sha256_4096_65537_v3_usr_key.pem
    118 ./IMG2_1_sha256_4096_65537_v3_usr_key.der
    119 ./IMG2_1_sha256_4096_65537_v3_usr_key.pem
    120 ./IMG3_1_sha256_4096_65537_v3_usr_key.der
    121 ./IMG3_1_sha256_4096_65537_v3_usr_key.pem
    122 ./IMG4_1_sha256_4096_65537_v3_usr_key.der
    123 ./IMG4_1_sha256_4096_65537_v3_usr_key.pem
    124 ./SRK1_sha256_4096_65537_v3_ca_key.der
    125 ./SRK1_sha256_4096_65537_v3_ca_key.pem
    126 ./SRK2_sha256_4096_65537_v3_ca_key.der
    127 ./SRK2_sha256_4096_65537_v3_ca_key.pem
    128 ./SRK3_sha256_4096_65537_v3_ca_key.der
    129 ./SRK3_sha256_4096_65537_v3_ca_key.pem
    130 ./SRK4_sha256_4096_65537_v3_ca_key.der
    131 ./SRK4_sha256_4096_65537_v3_ca_key.pem
    132 }}}
     78   *  this creates the files in the ../crts directory which you can archive away as your 'PKI tree'
    13379  f. Create the fuse table and binary (to be programmed to IMX OPT fuse blocks) using the SRK*_ca_crt.pem files created in the crts dir with srktool:
    13480{{{#!bash
    135 ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
     81cd ../crts
     82../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem
    13683}}}
    13784   * creates SRK_1_2_3_4_table.bin SRK_1_2_3_4_fuse.bin and