Other Parts Discussed in Thread: UNIFLASH
Hi,
I am trying to figure out the OTP and X509 certificate and I have a few questions. It's a lot to digest and I'd like to be sure I know what I am doing before I do something I can't just undo. Thanks for your patience.
1. OTP MMR: Are there more than just the 3 MMRs (9, 10, 11)? MMR 9 & 10 could be used for PCIE and USB, but where would MAC go to?
2. X509 System Firmware Extensions: The script "gen_keywr_cert.sh" generates the x509 Keywriter extension certificate binary, but what generates the x509 System Firmware Extension certificate? How are the System Firmware extensions programmed?
3. X509 Keywriter Extensions Keys: There seem to be 6 in the OTP, but we only generate 4, well, actually 5 with the aes256.key (see Sample x509 template).
- Encrypted SMPK Signed AES extension = (bmek.key, bmpk.pem, smek.key, smpk.pem)
- Encrypted BMPK Signed AES extension = (bmek.key, bmpk.pem, smek.key, smpk.pem)
- AES Encrypted SMPKH = (bmek.key, bmpk.pem, smek.key, smpk.pem)
- AES Encrypted SMEK = (bmek.key, bmpk.pem, smek.key, smpk.pem)
- AES Encrypted BMPKH = (bmek.key, bmpk.pem, smek.key, smpk.pem)
- AES Encrypted BMEK = (bmek.key, bmpk.pem, smek.key, smpk.pem)
4. If using the script generates the certificate binary, then what is the purpose of the certificate? Can that be filled in manually, then another script can be run instead of running the above script? (see Sample x509 template)
5. When running the commands "/construct_ext_otp_data.sh" and "/gen_keywr_cert.sh", does it add to the certificate, or generate a new certificate? I'm not sure how the process of repeatedly generating certificates to program each MMR works.
6. What actually sets the keys and prevents changing keys? Incrementing the keyrev, or write protecting the keys? If I update the keyrev, can I later on program other keys, then just write protect them?
7. When writing the keys, can the OTP MMRs be programmed at a later time?
Thank you,