topic Re: When will the tools support openssl 3? in MCUXpresso Secure Provisioning Tool

When will the tools support openssl 3?

mastupristi — Fri, 29 Sep 2023 07:32:51 GMT

the latest version of cst that I have the sources for is 3.3.2. It requires openssl1.1.1t.
This very much constrains the versions of ubuntu on which it is possible to compile it.
For example, the ubuntu 20.04 LTS integrates openssl1.1.1f, while the ubuntu 22.04 LTS uses openssl 3.0.2
The last non-LTS ubuntu that has openssl 1.1 (1.1.1l) is 21.10, which is no longer supported as of 2022-07-14.
For about two years ubuntu no longer uses openssl1.1, also since September openssl 1.1.1 has been declared obsolete (see https://www.openssl.org/blog/blog/2023/09/11/eol-111/)

I could download openssl sources but (I already tried) in some cases they conflict with the openssl3 installation I have on my machines. Especially trying to use HSM tokens with pkcs11 interface.

Basically you MUST update your tools so that they can use openssl 3.x

do you have it on the roadmap yet?
When can we hope to have the tools updated?

best regards

Max

Re: When will the tools support openssl 3?

liborukropec — Fri, 29 Sep 2023 07:58:04 GMT

Hello Max,

in Secure Provisioning Tool we do not maintain CST, we just use it as it is. Also for the upcoming version we are going to remove the dependency on the CST completely and we will use SPSDK only. Only for the i.MX we've used CST and starting v8 SPSDK should cover all supported families.

Please note that SPSDK has a possibility to create a custom plugin - Signature Provider, where one can integrate e.g. custom HSM.

This should be improved in SPSDK 2.0 and hopefully integrated into Secure Provisioning Tool later on.

- https://spsdk.readthedocs.io/en/latest/examples/signature_prov.html

- https://community.nxp.com/t5/Secure-Provisioning-SDK-SPSDK/tkb-p/SPSDK

Regards,

Libor

Re: When will the tools support openssl 3?

mastupristi — Fri, 29 Sep 2023 11:23:48 GMT

in Secure Provisioning Tool we do not maintain CST, we just use it as it is

It is my understanding that cst was developed and maintained by NXP, at least up to version 3.3.2

I will take a look at SPSDK.

what is the roadmap for the release of SPSDK 2.0, and consequently that for Provisioning Tool v8?

regards

Max

Re: When will the tools support openssl 3?

liborukropec — Fri, 29 Sep 2023 12:52:00 GMT

It is my understanding that cst was developed and maintained by NXP, at least up to version 3.3.2

It is true, CST is from NXP, by statement:

in Secure Provisioning Tool we do not maintain CST,

I meant that we, developers of Secure Provisioning Tool (NXP), do not maintain CST tool (NXP) so I cannot comment technical details of the CST internals.

Regards,

Libor

Re: When will the tools support openssl 3?

mastupristi — Fri, 29 Sep 2023 13:05:03 GMT

who are the cst maintainers? Where can I ask these questions?

However, you can answer the other questions:

what is the roadmap for the release of SPSDK 2.0, and consequently that for Provisioning Tool v8?

regards

Max

Re: When will the tools support openssl 3?

liborukropec — Fri, 29 Sep 2023 13:29:59 GMT

Hi Max,

who are the cst maintainers? Where can I ask these questions?

I already asked internally for the answer, unfortunately who can help is in different time zone.

roadmap for the release of SPSDK 2.0

it was in the link, SPSDK 2.0 should be at the end of the September. I know, it is almost the end so in a week or two or so.

This is the community for SPSDK, you can ask here: https://community.nxp.com/t5/Secure-Provisioning-SDK-SPSDK/tkb-p/SPSDK

consequently that for Provisioning Tool v8

I cannot say exact date, let's say v8 won't be earlier than in January 2024; realistic time frame is in the middle of Q1 24 (this is not an official promise of public release).

Regards,

Libor