Should we use a different key to encrypt images or the same key for signing?

[zhiyong-ft]

Hi,

I have tried using either a separate key or the same key for signing images, both approaches work just fine. My question is, from security's perspective, which is better practice?

My concern about using the same key for both signing and encryption is that both private and public key will co-exist in bootloader. On the other hand, if someone already acquired a copy of the bootloader, then it doesn't matter whether the public and private key are actually a pair.

So please advise.

Thanks.