topic Re: CST-3.3.2 back_end-ssl Interface with HSM API in i.MX Processors

CST-3.3.2 back_end-ssl Interface with HSM API

jbhaijy — Mon, 21 Aug 2023 06:18:39 GMT

Hi,

In cst-3.3.2, on cst/code/ path there is back_end-ssl & back_end-pkcs11. I want to sign the build images through remote HSM. There are HSM signing API's which we need to call for signing particular image. I just want to know how we can integrate these HSM API call in CST backend implementation.

Can you please explain what is the purpose of back_end-ssl & back_end-pkcs11 & which is the best approach to call HSM API for signing images.

Thanks

Re: CST-3.3.2 back_end-ssl Interface with HSM API

Irene — Mon, 21 Aug 2023 13:48:11 GMT

Let me look into this issue.

Re: CST-3.3.2 back_end-ssl Interface with HSM API

jbhaijy — Tue, 22 Aug 2023 18:14:47 GMT

@Irene

Do you have any update on this?

Re: CST-3.3.2 back_end-ssl Interface with HSM API

Irene — Tue, 22 Aug 2023 18:31:30 GMT

This might help address your questions.

Re: CST-3.3.2 back_end-ssl Interface with HSM API

jbhaijy — Thu, 24 Aug 2023 06:58:07 GMT

Hi @Irene,

Appreciate your help & support. Thanks.

I followed the steps mentioned in the document you shared & I am able to use "Mode = HSM" & generated the data_csfsig.bin, data_imgsig.bin, sig_request.txt & csf.bin. I think this use-case is best suites our requirement & hence I need to understand this approach in deep. I have few question regarding this approach.

For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?
In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?
After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.
To generate the final signed flash.bin, what is the command to insert CSF binary into flash.bin incase of i.MX8 & appending the CSF binary into u-boot image incase of i.MX6? We have i.MX6 & i.MX8 based products. At what offiset or address? as mentioned in step-3.2 in the document.
As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right?

Re: CST-3.3.2 back_end-ssl Interface with HSM API

jbhaijy — Sat, 26 Aug 2023 13:53:15 GMT

Hey @Irene,

Do you have any update on above queries?

I am following-up with you because the solution mentioned in the document which shared with me is possibly fit for our requirement & it is no where mentioned in the NXP public document. Request you please share if you have application document specifically for "Mode = HSM" works.

Thanks for you support.

Re: CST-3.3.2 back_end-ssl Interface with HSM API

Irene — Tue, 29 Aug 2023 17:01:55 GMT

For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?

<NXP> Yes, they can; please sign the binaries with the openssl command.

In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?

<NXP> Yes. The sig_request file contains the identification(unique tag) of which signature belongs to which binary.

After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.

<NXP>This is a manual process, and the offset is as described in the diagram in Step 2.

As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right?

<NXP> The option 2 is better suited for permanent change.

Re: CST-3.3.2 back_end-ssl Interface with HSM API

jbhaijy — Mon, 11 Sep 2023 13:45:49 GMT

Hi @Irene

As mentioned in the document CST generates data_csfsig.bin & data_imgsig.bin. My question is instead of sending these binaries to HSM for signing, can we generate the hash value of each binary & send it to HSM for signature generation? Our standard signing API's needs hash value & keypair ID.

Thanks

Re: CST-3.3.2 back_end-ssl Interface with HSM API

jbhaijy — Wed, 13 Sep 2023 17:09:25 GMT

Hey @Irene

Do you have any update on below query?