Code Signing Tool with a Hardware Security Module

endrunner_smw
Contributor III

I am aware that there are multiple versions of the code signing tool from different locations.

I currently am using the CST located at github.com/nxp-qoriq/cst. This appears to be version 2.0 and matches what documentation I seem to come across. I have also seen versions in the 3.* range as well as a 4.* version. From postings on the forums it seems these version 3 and 4 versions of CST can support a HSM through some configuration changes.

However, I can't seem to find an equivalent for CST 2.0? Can CST 2.0 utilize a HSM? If yes what steps would be required, if no, then can other versions of CST be used as drop in replacements?

I also noticed that the latest CST 4 doesn't appear to have actual source code available, or am I just looking in the wrong place? The precompiled binaries are only available for x86_64, but I'm developing natively on the LS1043A aarch64, so the precompiled binaries are obviously not an option. I don't mind building a different version, I just need to know where the source is and if there are any compatibility issues to be aware of?

Thank you for your time.

1 Solution
Bio_TICFSL
NXP TechSupport

Hello,

CST 2.0 does not have documented native HSM/PKCS support; for Layerscape the supported path is detached external signing with --img_hash plus sign_embedding, while i.MX CST 3.x/newer adds HSM features but is not verified as a drop-in replacement for QorIQ CST 2.0.

Regards
