https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1805624#M219905 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/207913">@hector_delgado</a>&nbsp;,</P><P>I am using 3rd party HSM.&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>jbhaijy</P> Tue, 13 Feb 2024 05:57:23 GMT jbhaijy 2024-02-13T05:57:23Z https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1797065#M219322 <P>Hi,</P><P>I am signing the i.MX6 SPL &amp; U-boot images through CST in Mode = HSM. I am able to sign the SPL &amp; SPL is authenticated by i.MX6 HAB.</P><P>We also signed the i.MX6 u-boot but while flashing it got stuck with message failed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jbhaijy_3-1706551175136.png" style="width: 400px;"><img src="https://community.nxp.com/t5/image/serverpage/image-id/260603i4BA8B59875173BF7/image-size/medium?v=v2&amp;px=400" role="button" title="jbhaijy_3-1706551175136.png" alt="jbhaijy_3-1706551175136.png" /></span></P><P><STRONG>For u-boot signing we have process set to sign the u-boot with [Authenticate Data] for DCD block along with [Authenticate Data] for HAB Blocks in the CSF file. </STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jbhaijy_1-1706551105121.png" style="width: 400px;"><img src="https://community.nxp.com/t5/image/serverpage/image-id/260601iA633C63EBC7C7B50/image-size/medium?v=v2&amp;px=400" role="button" title="jbhaijy_1-1706551105121.png" alt="jbhaijy_1-1706551105121.png" /></span></P><P>As per the document attached &amp; <A href="https://community.nxp.com/t5/i-MX-Processors/CST-3-3-2-Mode-HSM-for-Remote-HSM-signing/m-p/1726455#M212886" target="_self">discussed here as well</A>, when we execute the CST in ‘Mode = HSM’ it generates the data_imgcsf.bin &amp; data_csfsig.bin but the sig_request.txt is showing three unique_tag. I also confirmed that csf.bin(output of cst tool) is also having three unique_tag which I think there will be three signature needed to be replace with unique_tags. But the CST generated only data_imgcsf.bin &amp; data_csfsig.bin. <STRONG>What will be the 3rd .bin which will get signed from HSM? </STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jbhaijy_2-1706551105140.png" style="width: 400px;"><img src="https://community.nxp.com/t5/image/serverpage/image-id/260602iC4B9806630F70E71/image-size/medium?v=v2&amp;px=400" role="button" title="jbhaijy_2-1706551105140.png" alt="jbhaijy_2-1706551105140.png" /></span></P><P>After comparing HSM signed u-boot image with working u-boot(signed without HSM mode) it seems that the working u-boot also has three signatures but the HSM signed u-boot have only 2 signatures &amp; missing one more signature in the u-boot. &nbsp;</P><P>I think because of missing signature the the flashing got stuck &amp; failed.</P><P>Request you to please help to solve this missing signature problem.</P><P>CST tool version: CST-3.4.0</P><P>Working OS: Ubuntu 18.04</P><P>&nbsp;</P><P>Thanks,</P><P>jbhaijy</P> Mon, 29 Jan 2024 18:11:50 GMT https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1797065#M219322 jbhaijy 2024-01-29T18:11:50Z https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1800251#M219543 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/148045">@jbhaijy</a>&nbsp;,</P> <P>I hope you're doing well. Let me check this thoroughly and I'll get back to you as soon as possible. Also, just to be sure, i.MX 6 processors are to be used with HAB not AHAB (as it was implied with your attached document) but I'm sure you probably may have uploaded the wrong file even though you might have used the correct one for the signing process.&nbsp;</P> <P>Best regards,<BR />Hector.</P> Thu, 01 Feb 2024 20:14:06 GMT https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1800251#M219543 hector_delgado 2024-02-01T20:14:06Z https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1805447#M219889 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/148045">@jbhaijy</a>&nbsp;,</P> <P>Could you please let me know if you're using a third party HSM or are you using softhsm2 like the examples from our HSM guide?&nbsp;</P> <P>Thank you.</P> <P>Best regards,<BR />Hector.</P> Mon, 12 Feb 2024 18:26:57 GMT https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1805447#M219889 hector_delgado 2024-02-12T18:26:57Z https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1805624#M219905 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/207913">@hector_delgado</a>&nbsp;,</P><P>I am using 3rd party HSM.&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>jbhaijy</P> Tue, 13 Feb 2024 05:57:23 GMT https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1805624#M219905 jbhaijy 2024-02-13T05:57:23Z https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1805628#M219906 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/207913">@hector_delgado</a>&nbsp;,</P><P>&nbsp;</P><P>I have solved the problem by combining the two different [Authenticate Data] in one. Like below,</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jbhaijy_0-1707804116568.png" style="width: 400px;"><img src="https://community.nxp.com/t5/image/serverpage/image-id/262898iF4B6BA41C6A5B553/image-size/medium?v=v2&amp;px=400" role="button" title="jbhaijy_0-1707804116568.png" alt="jbhaijy_0-1707804116568.png" /></span></P><P>In this case the CST generates signature binary for CSF commands &amp; combined signature data binary for actual image.&nbsp;&nbsp;</P><P>&nbsp;</P> Tue, 13 Feb 2024 06:03:54 GMT https://community.nxp.com/t5/i-MX-Processors/CST-Signing-Process-in-Mode-HSM/m-p/1805628#M219906 jbhaijy 2024-02-13T06:03:54Z