QorIQ Trust Architecture 2.1 User Guide
Once secure boot is active, leverage the Cryptographic Accelerator and Assurance Module (CAAM) for high-speed crypto.
Security requires heavy math, which is slow on general-purpose CPUs.
The SRK is not a single key but a table of up to 4 public keys. You generate 4 key pairs: SRK1, SRK2, SRK3, SRK4.
cd cst/keys
openssl ecparam -name prime256v1 -genkey -noout -out srk1_256.pem # for ECC
# OR for RSA 4K:
openssl genrsa -out srk1_4096.pem 4096
openssl rsa -pubout -in srk1_4096.pem -out srk1_4096_pub.pem
# Repeat for srk2, srk3, srk4
Then generate the SRK table (hash + public keys):
../cst --gen-srk-table --srk-list srk1_4096.pem,srk2_4096.pem,srk3_4096.pem,srk4_4096.pem --out srk_table.bin
This outputs srk_table.bin and also calculates the SRK Hash (displayed on console). Guard that hash with your life—it’s the fingerprint of your root of trust.
Use the secboot_hdrs tool or NXP’s ls-secure-boot from the FlexBuild scripts.
Example using JTAG (or via U-Boot when in OEM Open):
Via the U-Boot command line:
=> fuse prog -y 0 0x0 0x3C2F...
... (you must split the 256-bit SRK hash across 8 32-bit fuse rows)
Better: Use NXP’s i.MX / QorIQ secure provisioning tool:
./secboot_hdrs --srk-hash <your_hash> --program-fuses
After blowing, reboot. The console should show:
ISBC: ESBC verification passed.
Trust Architecture 2.1: Secure boot enabled.
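The 8-row split mentioned above, with a read-back check to run before trusting a programmed part. This is an added example, not NXP tooling or code from the original page. Assumptions: each fuse row holds four hash bytes most significant first, rows follow hash order, and the `fuse read` console layout matches the constructed sample; confirm all three against the SoC reference manual.

```python
import re

FUSE_ROWS = 8  # per the page: 256-bit SRK hash across 8 32-bit fuse rows


def split_srk_hash(hash_hex, byteorder="big"):
    """Return the eight 32-bit words of a 256-bit SRK hash given as hex."""
    digits = re.sub(r"[\s:]", "", hash_hex)
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digits):
        raise ValueError("SRK hash must be exactly 64 hex digits (256 bits)")
    raw = bytes.fromhex(digits)
    if raw == bytes(32):
        raise ValueError("all-zero hash: placeholder or wrong input file")
    # ASSUMPTION: word i holds hash bytes 4i..4i+3, most significant first.
    return [int.from_bytes(raw[i:i + 4], byteorder) for i in range(0, 32, 4)]


def parse_fuse_read(console_text):
    """Collect the 32-bit values from U-Boot 'fuse read' console output."""
    words = []
    for line in console_text.splitlines():
        m = re.match(r"\s*Word 0x[0-9a-fA-F]+:((?:\s+[0-9a-fA-F]{8})+)\s*$", line)
        if m:
            words += [int(w, 16) for w in m.group(1).split()]
    return words


def mismatched_rows(expected_hash, console_text):
    """Return indexes of fuse rows that differ from the expected SRK hash."""
    expected = split_srk_hash(expected_hash)
    actual = parse_fuse_read(console_text)
    if len(actual) != FUSE_ROWS:
        raise ValueError(f"expected {FUSE_ROWS} fuse words, got {len(actual)}")
    return [i for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


# Constructed sample values, not a real SRK hash or a real console capture.
SAMPLE_HASH = "00112233445566778899aabbccddeeff0123456789abcdeffedcba9876543210"
SAMPLE_READBACK = """Reading bank 0:

Word 0x00000000: 00112233 44556677 8899aabb ccddeeff
Word 0x00000004: 01234567 89abcdef fedcba98 76543200
"""

if __name__ == "__main__":
    for i, w in enumerate(split_srk_hash(SAMPLE_HASH)):
        print(f"row {i}: 0x{w:08x}")
    print("mismatched rows:", mismatched_rows(SAMPLE_HASH, SAMPLE_READBACK))
```

The sample read-back deliberately differs in its last word, so the check reports row 7.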