topic Re: Hardware token support by HAB/CST in i.MX Processors

Hardware token support by HAB/CST

ivandrobyshevs1 — Fri, 07 Jul 2017 16:15:46 GMT

Is it possible to sign U-Boot and other binaries that are later verified by HAB using a hardware token? The disadvantage of using Code Signing Tool as described in tutorial(s) is that private keys are stored in the file system so it's not as secure as it might be in theory.

Re: Hardware token support by HAB/CST

Yuri — Mon, 10 Jul 2017 03:32:54 GMT

Hello,

You may look at Appendix B (Replacing the CST Backend Implementation)

of HAB Code-Signing Tool User’s Guide, Rev. 2.3.2, 3/2016.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Re: Hardware token support by HAB/CST

brianmiller — Mon, 06 Nov 2017 21:56:16 GMT

The back-end code included with the CST needs to be ported to support certificate and key storage other than OpenSSL. For the most part, it is not difficult. The only difficult portion is constructing the CSM signing portion, which requires unraveling the OpenSSL code. You'll need to link directly to the OpenSSL libcrypto.a file. Once you are able to produce the same signature that OpenSSL does, everything works fine.

Re: Hardware token support by HAB/CST

marouene_boubakri — Wed, 23 May 2018 14:11:51 GMT

The best approach to fulfill your request would be creating an OpenSSL engine which talks to your HSM.

In your CST backend, you create the CMS signature using OpenSSL's public accessors. OpenSSL in his turn will offload any cryprohraphic operation involved during signing to the HSM.

Detailed answer can be found here https://community.nxp.com/message/1021666