cst(code signing tool) binary issue

rakesh3 — Sat, 04 Nov 2023 17:45:28 GMT

Hi team,

I am using the imx8qxp-mek board and implementing the secure-boot.

So, I am following this doc for signing the uboot

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt

I am using the debian yocto environment for build package.

I have to use the cst binary to sign the uboot-atf file. which I am using in the uboot debian/rules file.

Below is my code snippet for signing the uboot-atf

ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
SET_CROSS_BUILD_TOOLS=CROSS_BUILD_TOOLS=y
endif

override_dh_auto_build:

$(MAKE) $(PARALLEL_BUILD) -C tools/imx/ SOC=${IMX8_SOC} REV=C0 u-boot-atf-container.img
@echo "--- Copy uboot-atf ---"
set -x
cp tools/imx/${IMX8_SOC_DIR}/u-boot-atf-container.img release/linux64/
@echo "--- Sign the uboot-atf ---"
cd release/linux64/ && \
echo "---- Current directory: $$(pwd) ---" && \
ls -l && \
bash ./bin/cst -i csf_uboot_atf.txt -o signed-u-boot-atf-container.img

But while doing this I am getting the error saying below.

./bin/cst: ./bin/cst: cannot execute binary file

Could you please give some suggestion on this issue, I am unable to run the cst binary !

Is this because cst is not supported on ARM64 or platform issue?

How to acheive this uboot-atf signing and then using this further for imx-mkimage flash_spl build.

Your input on this would really be helpful.

Regards,

Re: cst(code signing tool) binary issue

Harvey021 — Mon, 06 Nov 2023 08:02:25 GMT

No support for ARM platform as I know so far.

As you see these platform supported. linux32 mingw32 linux64 osx

Best regards

Harvey

Re: cst(code signing tool) binary issue

rakesh3 — Fri, 10 Nov 2023 12:33:10 GMT

Hi @Harvey021 ,

while running the ahab_pki_tree.sh on imx8qxp board, I am getting below error.

release/linux64# ./ahab_pki_tree.sh

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This script is a part of the Code signing tools for NXP's
Advanced High Assurance Boot. It generates a basic PKI tree. The
PKI tree consists of one or more Super Root Keys (SRK), with each
SRK having one subordinate keys:
+ a Signing key (SGK)
Additional keys can be added to the PKI tree but a separate
script is available for this. This this script assumes openssl
is installed on your system and is included in your search
path. Finally, the private keys generated are password
protectedwith the password provided by the file key_pass.txt.
The format of the file is the password repeated twice:
my_password
my_password
All private keys in the PKI tree are in PKCS #8 format will be
protected by the same password.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: y
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p384
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 5
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

+++++++++++++++++++++++++++++++++++++
+ Generating CA key and certificate +
+++++++++++++++++++++++++++++++++++++

Can't open "../ca/openssl.cnf" for reading, No such file or directory
2030030355000000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(../ca/openssl.cnf, r)
2030030355000000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:
Can't open "temp_ca.pem" for reading, No such file or directory
2030030355000000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(temp_ca.pem, r)
2030030355000000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:
Can't open "temp_ca.pem" for reading, No such file or directory
2030030355000000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(temp_ca.pem, r)
2030030355000000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:
rm: cannot remove 'temp_ca.pem': No such file or directory

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

read EC key
writing EC key
Using configuration from ../ca/openssl.cnf
Can't open "../ca/openssl.cnf" for reading, No such file or directory
2030030355000000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(../ca/openssl.cnf, r)
2030030355000000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:

++++++++++++++++++++++++++++++++++++++++
+ Generating SGK key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Am i missing any thing here.

Could you please suggest on this.

Regards,

i.MX ProcessorsのトピックRe: cst(code signing tool) binary issue

cst(code signing tool) binary issue

Re: cst(code signing tool) binary issue

Re: cst(code signing tool) binary issue