Greetings @Srimoki,
Let me try to address your questions as best as I can. By the way I’m assuming you’re using the Verdin i.MX8M Plus as you were in your other question. Let me know if this isn’t the case here since “secure boot” implementations can differ depending on the module.
Key rotation: Is it possible to rotate the SRK (Super Root Key) to a different one if our CA key is accidentally leaked online? If yes, how can this be done?
This is not possible as far as I know. The high-assurance-boot (HAB) architecture from NXP allows up to 4 SRKs per signed image. When you set the fuses on a device it programs the public component of the SRK to the device. Since these fuses are one time programmable and can’t be modified once set, it’s not really possible to rotate these on the device after the initial programming.
For further context, the boot image is then signed via a SRK table which contains information from all the generated SRKs. One of these SRKs will be used by the image during boot to validate itself. The SRK that is used is controlled by the “Source Index” field in the CSF file that is used to create the signed image.
While you can’t really rotate the keys, you can revoke one of the SRKs on the device, if they are compromised. That way if an image is trying to use a revoked SRK to validate it will fail. That said, since the fuses are permanent you can only revoke up to 3 of the 4 SRKs, since revoking all 4 would just mean the device can’t boot anything anymore.
For more information on this mechanism and other information about HAB I would recommend you refer to NXPs AN4581 document. This document can be downloaded from the NXP website though you will need an NXP account.
Docker container signing: How does Docker container signing work currently? I noticed it is marked as “coming soon”—do you have an estimated timeline for when this will be available?
At the moment we don’t have much to share on this upcoming feature. It’s still quite early in planning for this. The best timeline I can provide is that we hope to conclude work on it later this year maybe around Q3/Q4. Though I wouldn’t say this is a hard timeline as things can easily change between now and then.
Best practices: What are the best practices for using Secure Boot?
This is a bit of a broad question, do you have any specifics? For general overall usage NXP has many documents and articles covering HAB.
For example, if we generate a unique CA key for each device, it would result in different SRK keys being hashed into eFuses on each device. In this scenario, if one key is leaked, we would only need to update the compromised device rather than all devices in production.
Just to clarify this comment of yours. Are you saying you want to generate a completely unique set of keys and certs for each device of yours?
Best Regards,
Jeremias