Forums - Secure Boot

1 post / 0 new
Secure Boot
andreas
Join Date: 21 Oct 19
Posts: 22
Posted: Wed, 2020-05-20 00:40

Hi forum,
I am referring to the document Enable Secure Boot and Image Encryption on QCA402x (CDB2x), where the secure boot for QCA4020 is explained.

I stumbled upon the PK_HASH value for OTP fuses that is mentioned in the document. The document describes PK_HASH to be the SHA256 hash of the users root certificate. In the following it seems that this hash is related to a root certificate located in the SDK, qpsa_rootca.cer

What I don't understand is, if this is a user specific certificate, how does the secure boot loader know from the hash the accompanying users certificate to verfiy the secure image? I do not see where the user certificate is loaded into the QCA4020 for this verification.

If it is always the qpsa_rootca.cer and the hash for that certificate, then everyone having the SDK and that cert can sign an image and run it on the SoC.

Maybe I do not understand everything correctly here. Can someone explain how this works with a user specific certificate, and what the secure bootloader is actually verifiying?

Thanks and best regards

Andreas

  • Up0
  • Down0

Opinions expressed in the content posted here are the personal opinions of the original authors, and do not necessarily reflect those of Qualcomm Incorporated or its subsidiaries (“Qualcomm”). The content is provided for informational purposes only and is not meant to be an endorsement or representation by Qualcomm or any other party. This site may also provide links or references to non-Qualcomm sites and resources. Qualcomm makes no representations, warranties, or other commitments whatsoever about any non-Qualcomm sites or third-party resources that may be referenced, accessible from, or linked to this site.