Available HSM Models for Code Signing

hayashida-katsutoshi · ‎03-05-2025

We manufacture products that use i.MX7 based processors. We have been using a code signing tool (cst-hsm.exe) to sign uboot with SafeNet eToken.

This has worked well, but for security reasons we are trying to use the Thales Luna USB HSM 7 as an alternative. This does not work well with the following error. It is possible to use these HSMs for purposes other than uboot.

khayashida@US01LPT12909 MINGW64 /c/cst
$ ./cst-hsm.exe -o u-boot_csf.bin -i u-boot.csf
14696:error:8007E065:lib(128):HSM_PREINIT:unable to load PKCS#11 DSO:e_hsm.c:885:
14696:error:80067098:lib(128):HSM_CTRL:Token in requested slot is not available:e_hsm.c:1221:
14696:error:80067099:lib(128):HSM_CTRL:No slot selected, please add slot = <num> to your hsm.cfg configuration file:e_hsm.c:1231:
14696:error:80064065:lib(128):HSM_INIT:unable to load PKCS#11 DSO:e_hsm.c:994:
14696:error:80074099:lib(128):HSM_GETSESSION:No slot selected, please add slot = <num> to your hsm.cfg configuration file:e_hsm.c:419:
Unable to load cert with id ec705018e9bf8ad60096e13cb2f0fbad
Undefined error

khayashida@US01LPT12909 MINGW64 /c/cst
$ ./cst-hsm.exe --version
Code Signing Tool release version 3.2.0

I get the same result with YubiKey 5 FIPS. I don't think I made a mistake in editing the hsm.cfg. I understand that it needs to correctly specify the PKCS#11 module for the HSM.

These results suggest that cst-hsm.exe may only work with SafeNet eToken.

Please let me know which HSMs can work with it. Please also let us know if it works with Luna USB HSM 7.

hayashida-katsutoshi · ‎03-11-2025

Thank you, Harvey. I am able to download CST 4.0.0. Please give me a few days to try it.

Harvey021 · ‎03-14-2025

Can you please let me know how it is with CST4.0?

Regards

Harvey

hayashida-katsutoshi · ‎03-20-2025

I tried CST 4.0 but it did not work, it seems to fail to load the PKCS11 module (x64).

khayashida@US01LPT12909 MINGW64 /c/cst
$ export PKCS11_MODULE_PATH=C:\\Program\ Files\\SafeNet\\LunaClient\\cryptoki.dll

khayashida@US01LPT12909 MINGW64 /c/cst
$ export PKCS11_PIN=********

khayashida@US01LPT12909 MINGW64 /c/cst
$ gdb ./mingw64/bin/cst.exe
GNU gdb (GDB) 15.1
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-w64-mingw32".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./mingw64/bin/cst.exe...
(gdb) r  -b pkcs11 --verbose -o u-boot_csf.bin -i u-boot.csf
Starting program: C:\cst\mingw64\bin\cst.exe -b pkcs11 --verbose -o u-boot_csf.bin -i u-boot.csf
[New Thread 21416.0x72d8]
[New Thread 21416.0x6878]
[New Thread 21416.0x1f58]
Install SRK
Install no CAK

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007ff743fe30bf in bind_engine ()

I was hoping to build cst.exe and get a stack trace, but could not build it because I could not run docker on mingw64.

khayashida@US01LPT12909 MINGW64 /c/cst/src
$ ƒdocker run -it -v $(pwd):/home/$USER/cst cst:build /bin/bash C:\Program Files\Docker\Docker\resources\bin\docker.exe: Error response from daemon: Mount denied:
The source path "C:/cst/src;C"
doesn't exist and is not known to Docker.
See 'C:\Program Files\Docker\Docker\resources\bin\docker.exe run --help'.

The HSM used is the Luna HSM. You can download it from here, but you need an account to access it. Sharing the client from us may have a licensing issue.

https://thalesdocs.com/gphsm/luna/7/docs/network/Content/CRN/Luna/client/10-7-2.htm

It also generates the segmentation error for YubiKey FIPS 5. The PKCS11 module for YubiKey can be downloaded here.

https://developers.yubico.com/yubico-piv-tool/Releases/

If you do not have these HSMs, you can still try the PKCS11 modules to see if it crashes in the bind_engine function. If it can load YubiKey modules, I would expect it to be able to load Luna HSM modules as well.

Harvey021 · ‎03-23-2025

I made more investigation using Yubico PIV Tool, I was able to successfully load the PKCS#11 module without any issue, see below: (I don't have Yubikey attached to my machine so the specified token is not found, the goal is to check if CST loads properly the PKCS#11 module).

C:\Yubico\Yubico PIV Tool\bin>cst.exe -b pkcs11 -i bootimage.csf -o signed_flash.bin
[DEBUG] engine_ctx_init()
[DEBUG] ENGINE_load_builtin_engines()
[DEBUG] ENGINE_new()
[DEBUG] getenv(PKCS11_MODULE_PATH)
The value of PKCS11_MODULE_PATH is: C:\Yubico\Yubico PIV Tool\bin\libykcs11.dll
[DEBUG] bind_engine()
[DEBUG] ENGINE_init()
[DEBUG] engine_ctx_init() -> success
No matching initialized token was found for certificate
No matching initialized token was found for certificate
The certificate was not found at: pkcs11:token=CST-HSM-DEMO;object=SRK1_sha384_secp384r1_ca;type=cert;pin-value=12345678
00000000:error:42800065:pkcs11 engine:ERR_ENG_error:object not found:eng_back.c:764:

[ERROR] CST: Unable to read pkcs11:token=CST-HSM-DEMO;object=SRK1_sha384_secp384r1_ca;type=cert;pin-value=12345678

C:\Yubico\Yubico PIV Tool\bin>
Please note that I'm running cst.exe with Administrator privileges and placing cst.exe in the same path with libykcs11.dll (probably libykcs11.dll depends on libcrypto-3-x64.dll).

Please add some debug messages and try again. To build for mingw64:

OSTYPE=mingw64 ./scripts/build.sh -F

I did more testing in other environments; CST may indeed sporadically fail in Windows. Please try the attached patch and share feedback.

Regards

Harvey

hayashida-katsutoshi · ‎03-25-2025

Hi Harvey,

Could you share me the patched cst.exe for Mingw 64bit?

Building the CST is not my goal.

Katsutoshi

hayashida-katsutoshi · ‎03-24-2025

I ran CST with Admin and got the same result.

When I run the build, I get an error with the libp11 build. Please see the attached config.log for the build log.

I set OPENSSL_VERSION="3.4.1" in the build.sh file.

Harvey021 · ‎03-25-2025

Please refer to src/BUILD.md for building instructions. That's the only build environment that we test.

Regards

Harvey

hayashida-katsutoshi · ‎03-26-2025

As mentioned above, the Docker build fails. Does this require Linux? I have no experience with Docker, so this is a hurdle for me. Could you provide me with a patched cst.exe?

Harvey021 · ‎03-28-2025

Will send you one for testing purpose only.

Regards

Harvey

hayashida-katsutoshi · ‎03-24-2025

I'm attaching the file again as reCAPTCHA deleted it.

hayashida-katsutoshi · ‎03-14-2025

I am very busy right now, so I am unable to try out CST. I hope to find some time in the next week or two.

Harvey021 · ‎03-11-2025

Since CST worked with a previous HSM so there should not be any issue or bug right there. So probably the new HSM is not properly configured, or parameters provided to CST are not correct.
According to the error messages from the log you provided, the token/slot has not been initialized or the slot number provided to CST is not correct.

We had similar cases with customers before, and I believe you should work with your HSM provider instead to properly configure the HSM. You can use external tools like pkcs11-tool to investigate further why SW is not able to connect to HSM and use it.

Otherwise, I highly recommend to upgrade to latest CST release, 3.2.0 is quite old. CST 4.0.0 has built-in PKCS#11 support, so there is no need to recompile the code or do extra configuration (no more cfg file.) Simply provide correct PKCS #11 UR to signing key.

Refer to section "Using CST with Hardware Security Module" in UG10106 Code Signing Tool User Guide that can be found in the release package (docs/UG10106_Rev4.0.pdf).

We tested that with a Yubikey HSM and working great.

Please note that usage of Docker is not a must, we are providing this to have a common environment and get hints on needed dependencies.

Hope this helps.

Regards

Harvey