topic Re: i.MX8MP Secure boot - HAB errors using HSM Signatures in i.MX Processors

i.MX8MP Secure boot - HAB errors using HSM Signatures

se_cguerr — Tue, 24 Jun 2025 12:27:01 GMT

Hi NXP,

I'm working on enabling secure boot on a board based on the i.MX8M Plus.

Secure boot works correctly when using certificates, keys, and signatures generated with the CST Tool version 4.0.0. Running hab_status shows no events in this case.

However, on another board, when we attempt the secure boot process using certificates, keys, and signatures generated in our internal PKI environment, hab_status reports multiple errors.

Below, I’ve included the CSF files and the HAB events we’re encountering. We are using "HSM Mode" and have configured the signature size accordingly.

We would like to understand which options or parameters we should use when generating signatures—particularly if we want to simulate the process using an OpenSSL command.

Thank you in advance for your support.

Best regards,
Christophe Guerreiro

Re: i.MX8MP Secure boot - HAB errors using HSM Signatures

anda_despotovici — Tue, 24 Jun 2025 14:21:27 GMT

Hello,

I am not able to see the CSF files and HAB events mentioned in the description. Could you please confirm if you have followed the procedure described in CST UG in chapter Using CST with Hardware Security Module? If not, is anything that requires a different approach on your side? Thank you.

Anda

Re: i.MX8MP Secure boot - HAB errors using HSM Signatures

se_cguerr — Tue, 24 Jun 2025 14:51:18 GMT

See below files mentionned in my first post.

I've read the UG10106.

We are using the CST in HSM mode while we get a signature request. We inject back the signature on the appropriate unique tag and rebuild the flash.bin file.

This procedure works with certificates/keys generated from CST.

We don't use PKCS#11 in our case. We are using a signing room.

Thanks for your fast reply.

Regards,
Christophe

Re: i.MX8MP Secure boot - HAB errors using HSM Signatures

marouene_boubakri — Fri, 04 Jul 2025 10:50:52 GMT

Hi @se_cguerr,

CC @anda_despotovici, @ZeeFrench,

Following our call yesterday, we were able to successfully simulate your use case, and we have a properly signed image.

To answer your questions above, here is example command to generate CMS signature with OpenSSL:

openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -in ${csf_sigreq_file} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txt

I assume for this one you have the same command as shown during the call.

As per your request here is the command to verify the generated signature:

openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txt

Duplicate these commands for IMG.

Duplicate signing process for SPL & FIT.

In my case, the size of output signature size is 509 bytes.

Therefore I modify my CSF headers and set

[Header] <snip> Signature Size = 509

Regarding the current limitation of your signing room—which only supports signing a provided hash and not raw content, there’s an important update worth noting. As of OpenSSL >= 3.2, an undocumented feature allows you to pass a precomputed hash using the -digest option.

I’ve tested this on my side, and it works as expected.

Updated Signing Process:

Compute the hash of the content externally.

csf_sigreq_digest=$(openssl dgst -sha256 ${csf_sigreq_file} | awk '{printf $2}')

Sign the precomputed hash using the -digest option.

$OPENSSL_PATH/openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -digest ${csf_sigreq_digest} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txt

Verify:

$OPENSSL_PATH/openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txt

I hope this helps. Let us know if this works for you.

Best
Maro

Re: i.MX8MP Secure boot - HAB errors using HSM Signatures

se_cguerr — Fri, 08 Aug 2025 13:11:59 GMT

So, here an update.

It appears that when using 4 certificates, the SRK_TABLE is bigger.
As our signature are big, this leads on big CSF Binary and get overlapped as some Memory zone are used for other functions.

We need to try to reduce the CMS content as it was recommended.

I will update the ticket here once this is done.