HABv4 SRK Table
In HAB4 it is possible to include up to four SRKs in a signed image, although only one may be used per reset cycle. Collecting the SRKs in a table makes it possible to select one of them at boot time. Any of the SRKs in the table may be selected without having to change the SRK_HASH value burned to efuses on the SoC. This is useful on NXP processors where additional fuses are available for SRK revocation: in the event one or more of the SRKs in the table are compromised, the efuses corresponding to the compromised keys can be burned, preventing those SRKs from ever being used again. This is enforced by the HAB library. The next SRK in the table can then be used to sign new images. A minimum of one and a maximum of four SRKs can be placed in an SRK table.
Note: Only the first three SRKs in a table can be revoked, so it is recommended to use an SRK table with four keys in order to have one SRK to fall back on which cannot be revoked.
1. Prerequisites
SPSDK with the examples extension is required.
pip install spsdk[examples]
(Please refer to the installation documentation.)
import os
WORKSPACE = "workspace/" # change this to path to your workspace
DATA_DIR = os.path.join("..", "..", "_data", "certificates")
SRK_CRTS = [
    "srk0_sha256_4096_65537_v3_usr_crt.pem",
    "srk1_sha256_4096_65537_v3_usr_crt.pem",
    "srk2_sha256_4096_65537_v3_usr_crt.pem",
    "srk3_sha256_4096_65537_v3_usr_crt.pem",
]
2. SRK Table generation
import os
from spsdk.crypto.certificate import Certificate
from spsdk.image.secret import SrkItem, SrkTable
from spsdk.utils.misc import write_file
# Create SRK Table instance
hab_srk = SrkTable(version=0x40)
# Load each SRK certificate in order; the position in the table is the SRK index
for cert_file in SRK_CRTS:
    certificate = Certificate.load(os.path.join(DATA_DIR, cert_file))
    srk_item = SrkItem.from_certificate(certificate)
    hab_srk.append(srk_item)
print(hab_srk)
# Export binary SRK table
print("SRK table in binary:")
srk_binary = hab_srk.export()
print(srk_binary.hex())
srk_binary_path = os.path.join(WORKSPACE, "srk_table.bin")
print(f"SRK table saved to: {srk_binary_path}")
write_file(srk_binary, srk_binary_path, mode="wb")
srk_fuses_path = os.path.join(WORKSPACE, "srk_fuses.bin")
print(f"SRK hash fuses values exported to: {srk_fuses_path}")
write_file(hab_srk.export_fuses(), srk_fuses_path, "wb")
------------------------------------------------------------
SRK Table (Version: 4.0, #Keys: 4)
------------------------------------------------------------
SRK Key Index: 0
Algorithm: EnumAlgorithm.PKCS1
Flag: 0x00
Length: 4096 bit
Modulus:
Exponent: 65537 (0x10001)
SRK Key Index: 1
Algorithm: EnumAlgorithm.PKCS1
Flag: 0x00
Length: 4096 bit
Modulus:
Exponent: 65537 (0x10001)
SRK Key Index: 2
Algorithm: EnumAlgorithm.PKCS1
Flag: 0x00
Length: 4096 bit
Modulus:
Exponent: 65537 (0x10001)
SRK Key Index: 3
Algorithm: EnumAlgorithm.PKCS1
Flag: 0x00
Length: 4096 bit
Modulus:
Exponent: 65537 (0x10001)
SRK table in binary:
SRK table saved to: workspace/srk_table.bin
SRK hash fuses values exported to: workspace/srk_fuses.bin
32
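An added example, not part of the SPSDK notebook: because burning SRK_HASH is irreversible, it is worth checking srk_table.bin independently of the tool that produced it before any fuse is programmed. The code below walks the table with the Python standard library only and recomputes the fuse value. The field layout (tag 0xD7 table header, tag 0xE1 key entries, big-endian lengths), the construction of the fuse value as SHA-256 over the concatenated per-entry SHA-256 digests, the function names and the tiny sample moduli are assumptions of this example, so compare the result of `srk_fuse_hash()` with the contents of srk_fuses.bin.

```python
import hashlib
import struct

TAG_TABLE, TAG_ENTRY = 0xD7, 0xE1  # assumed HABv4 tags: SRK table header / public key entry

def parse_srk_table(blob: bytes) -> list:
    """Split an SRK table into entries, rejecting inconsistent tags or lengths."""
    if len(blob) < 4:
        raise ValueError("truncated SRK table header")
    tag, total, version = struct.unpack_from(">BHB", blob, 0)
    if tag != TAG_TABLE or total != len(blob):
        raise ValueError("bad SRK table header")
    entries, off = [], 4
    while off < total:
        if off + 12 > total:
            raise ValueError(f"truncated SRK entry at offset {off}")
        # tag, length, algorithm, 3 reserved bytes, flags, modulus length, exponent length
        etag, elen, alg, _, _, _, flags, mod_len, exp_len = struct.unpack_from(
            ">BHB4B2H", blob, off)
        if etag != TAG_ENTRY or elen != 12 + mod_len + exp_len or off + elen > total:
            raise ValueError(f"bad SRK entry at offset {off}")
        exp = blob[off + 12 + mod_len:off + elen]
        entries.append({"index": len(entries), "algorithm": alg, "flags": flags,
                        "bits": mod_len * 8, "exponent": int.from_bytes(exp, "big"),
                        "sha256": hashlib.sha256(blob[off:off + elen]).digest()})
        off += elen
    if not 1 <= len(entries) <= 4:
        raise ValueError("an SRK table holds one to four keys")
    return entries

def srk_fuse_hash(blob: bytes) -> bytes:
    """Assumed SRK_HASH construction: SHA-256 over the concatenated entry digests."""
    return hashlib.sha256(b"".join(e["sha256"] for e in parse_srk_table(blob))).digest()

def sample_table(moduli) -> bytes:
    """Constructed test input: tiny fake moduli, exponent 65537, algorithm 0x21."""
    body = b""
    for m in moduli:
        body += struct.pack(">BHB4B2H", TAG_ENTRY, 12 + len(m) + 3, 0x21,
                            0, 0, 0, 0, len(m), 3) + m + b"\x01\x00\x01"
    return struct.pack(">BHB", TAG_TABLE, 4 + len(body), 0x40) + body

if __name__ == "__main__":
    table = sample_table([bytes([i]) * 16 for i in range(1, 5)])  # constructed, not real keys
    for e in parse_srk_table(table):
        print(e["index"], hex(e["algorithm"]), e["bits"], e["exponent"])
    print("SRK_HASH:", srk_fuse_hash(table).hex())
```

Because the digest covers the entries in table order, reordering the certificates in SRK_CRTS yields a different SRK_HASH, so the order must be fixed before the fuses are burned.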