To sign an image, you must first generate several certificates (each with its own private key). This is a manual process and the PKI tree must be in place before you configure your Digi Embedded Yocto project for secure boot.
Each certificate has a different purpose and name:
CA (Certification Authority): This certificate is used to sign the SRK keys and establish the author of the other keys. There is only one CA certificate per PKI tree. This certificate is never used on the target and has no requirements. An existing certificate can be used as CA during the generation of all these keys. The remainder of the keys and certificates are always generated and have special requirements, as they are directly used on the target.
SRK (Super Root Keys): This certificate is used to sign the CSF and IMG certificates. There are up to four SRK certificates per PKI tree (each one is used to sign one CSF and one IMG certificates). See Revoke a key for more information on having multiple SRK certificates.
Generate a Public Key Infrastructure (PKI) tree
Download and extract the NXP Code Signing Tool (CST) from NXP servers and place it under your Digi Embedded Yocto installation directory (by default
/usr/local/dey-3.2). Note that you will need to register with the NXP website.
If you already have a certificate that you want to use as CA, skip this step. Otherwise, create a plain text file called
<CST_path>/keysfolder. The content of this file must be a positive 32-bit number that uniquely identifies the certificate per certification authority.<CST_path>/keys/serial
Also, create a plain text file called
<CST_path>/keysfolder. This file defines the password (at least four characters long) to be used to protect all the generated private keys. The content of this file is the password repeated twice:<CST_path>/keys/key_pass.txt
The user is responsible for protecting the pass phrase for the private keys as well as the private keys themselves. Loss of the pass phrase or the private keys will result in not being able to sign code with the affected keys.
To customize the certificate information (company name, country, email, etc.), edit the configuration files under the
cafolder. Refer to the OpenSSL documentation for more information about those files.
ahab_pki_treebash script to generate the PKI tree. You will be asked about the following parameters:
$ cd /usr/local/dey-3.2/cst-3.3.1/keys $ ./ahab_pki_tree.sh (...) Do you want to use an existing CA key (y/n)?: n Do you want to use Elliptic Curve Cryptography (y/n)?: y Enter length for elliptic curve to be used for PKI tree: Possible values p256, p384, p521: p521 Enter the digest algorithm to use: sha512 Enter PKI tree duration (years): 10 Do you want the SRK certificates to have the CA flag set? (y/n)?: y
You can use an existing key as CA key by answering 'y' in the first question and then providing the path without extension of the certificate and the key for the certificate to be used as CA.
The PKI duration is used to compute the expiration date for the certificates.
AHAB does not take into account the expiration date. A signed U-Boot image will remain valid if its certificate has expired.
You must generate four keys (for key revocation purposes).
The last question regarding the “CA flag” in the SRK must be answered as 'y'
At this point, the script creates the complete PKI tree.
For more information about the PKI tree and the PKI tree generation process, see the documentation under the
|The CST folder to be used in Digi Embedded Yocto should only contain one PKI tree and no other security-related files (keys, certificates, passwords, etc.) in any subfolder. Attempting to use a CST folder with several PKI trees or extra certificates or keys could fail.|
Add this line to your
local.conf file to use the generated keys:
TRUSTFENCE_SIGN_KEYS_PATH = /path/to/keys