I am referring to the document Enable Secure Boot and Image Encryption on QCA402x (CDB2x), where the secure boot for QCA4020 is explained.
I stumbled upon the PK_HASH value for OTP fuses that is mentioned in the document. The document describes PK_HASH to be the SHA256 hash of the user's root certificate. In the following it seems that this hash is related to a root certificate located in the SDK, qpsa_rootca.cer.
What I don't understand is, if this is a user-specific certificate, how does the secure boot loader know from the hash the accompanying user's certificate to verify the secure image? I do not see where the user certificate is loaded into the QCA4020 for this verification.
If it is always the qpsa_rootca.cer and the hash for that certificate, then everyone having the SDK and that cert can sign an image and run it on the SoC.
Maybe I do not understand everything correctly here. Can someone explain how this works with a user-specific certificate, and what the secure bootloader is actually verifying?
Thanks and best regards