- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- CST-3.3.2 Mode = HSM for Remote HSM signing
CST-3.3.2 Mode = HSM for Remote HSM signing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @utkarsh_gupta,
I saw one of your document(attached) where you explain about how we can use the Mode = HSM to instruct the CST tool to prepare a signing request & generates data_csfsig.bin & data_imgsig.bin. This guide is very helpful for me because our use case is somewhat similar.
I am able to generate the above binaries & generate signature with the private key's but I am stuck at how we can insert the received signature at particular offset programmatically. sig_request.txt generates the same unique tag for csf & img file. Can you please help me how we can find out the offset to insert the signature. I am using i.MX8mm CPU. Can you please share if you have any example project.
>> cat sig_request.txt
Signing Request:
data_imgsig.bin
unique tag: 6815c4024c5ccd76
Signing Request:
data_csfsig.bin
unique tag: 6815c4024c5ccd76
Solved! Go to Solution.
hector_delgado
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jbhaijy ,
I hope you're doing great!
Sorry for the confusion. The HSM Mode described in the guide has not been a fully supported CSF feature for HAB4.
As indicated, the latest revision of the CST doesn't correctly generate unique tag values. The locations where the signatures should be inserted can still be identified using the non-unique tag value. The tag value is at the start of the signature region, so it should be overwritten.
CST version 3.3.2 will create the csf binary with the signature for csf in the last allocated signature region. Therefore, in the example, the signature created for data_csfsig.bin should be inserted in the last signature region. The signature for data_imgsig.bin will go into the first signature region in the binary.
Best regards,
Hector.
hector_delgado
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jbhaijy ,
I hope you're doing well. I'd recommend looking at the following file for details on the offsets uboot-imx/doc/imx/habv4/guides/mx8m_encrypted_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub.
Also, if you haven't reviewed the following guide (https://www.nxp.com/webapp/Download?colCode=AN12812&location=null), it's a good compliment for using CST with HSM in general.
Let me know if this was of any help!
Best regards,
Hector.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hector,
I know the offsets in CSF file generated by mkimage tool. I am asking specifically steps mentioned in previously attached pdf. If you go through the steps mentioned in the pdf, you will get some idea what help I am asking for. In step 1.2 CST generated 4 files, data_csfsig.bin & data_imgsig.bin, csf.bin & sig_request.txt.
data_csfsig.bin & data_imgsig.bin we need to send for signing with its respective private key. Then received signature will get inserted into csf.bin to make signed_csf.bin. (as mentioned in Step 3.1)
My question is, How we can find the offset (for data_csfsig.bin & data_imgsig.bin) so that we can insert the received signature into csf.bin file? Step 3.1 mentioned insert the signature manually but I am looking if CST tool can help me to get the offset. Please suggest.
CC: @utkarsh_gupta
Thanks.
hector_delgado
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jbhaijy ,
I hope you're doing great!
Sorry for the confusion. The HSM Mode described in the guide has not been a fully supported CSF feature for HAB4.
As indicated, the latest revision of the CST doesn't correctly generate unique tag values. The locations where the signatures should be inserted can still be identified using the non-unique tag value. The tag value is at the start of the signature region, so it should be overwritten.
CST version 3.3.2 will create the csf binary with the signature for csf in the last allocated signature region. Therefore, in the example, the signature created for data_csfsig.bin should be inserted in the last signature region. The signature for data_imgsig.bin will go into the first signature region in the binary.
Best regards,
Hector.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @hector_delgado,
Thanks for your support.
Yes, you are correct on below statement, & with this I am able to boot the iMX6/8 SoC without any HAB events.
"CST version 3.3.2 will create the csf binary with the signature for csf in the last allocated signature region. Therefore, in the example, the signature created for data_csfsig.bin should be inserted in the last signature region. The signature for data_imgsig.bin will go into the first signature region in the binary."
But now I am facing some other problem which I think you have some solution on that.
As per one of the NXP document which I shared previously, I am able to run the CST in “Mode = HSM” & it produces 4 different files in the output. Locally I am able to sign the data_csfsig.bin & data_imgsig.bin with its respective private key/certs using the OpenSSL cms command(As mentioned in your document). The signatures data_csfsig.sig & data_imgsig.sig inserted at its respective unique_tag offset mentioned in sig_request. And the signed SPL boots on the i.MX6 SoC without any HAB event. With the same process I am able to boot i.MX8 SoC as well.
To sign with the remote HSM, we calculated the hash of data_csfsig.bin & data_imgsig.bin, encoded in base64 format & send to our signing API endpoint. In response we received the signature which is not matching with the reference signature we generated with OpenSSL cms command.
We compared the OpenSSL cms generated signature with remote HSM signature & we found the signature differences.
It seems that CST generates the signature data in cms format by default even if we disable the “Signature Format” in CSF header.
Questions:
- Is there any use case you experienced where you find the signature difference between local OpenSSL cms & HSM received signature. If yes, how you solved such issues?
- Does the CST produced the signature data any other Signature Format other than cms for HABv4. If yes, then what configuration we need to do? & Where?
- CST seems to be based on OpenSSL CMS -sign which (I believe) is generating a signature based on the binary itself whereas our HSM API is based on OpenSSL DGST -sign which is generating a signature based on a HASH of the binary
- We sign the data_csfsig.bin & data_imgsig.bin binaries locally with OpenSSL cms command without calculating the hash/encode. But to sign with remote HSM do we need to calculate the hash/base64 encode to get the signature?
Your suggestions/input always welcome. Thanks for your valuable support.
hector_delgado
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jbhaijy ,
We're still reviewing this, I'm sorry this has taken so long. I'll get back to you with an update in the following days. Thank you for understanding.
Best regards,
Hector.
hector_delgado
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jbhaijy ,
I see now, sorry for the confusion. Let me review this with our team since I'm encountering some issues with CST and HSM. I'll get back to you as soon as we get some clarification on this issue. Thank you.
Best regards,
Hector.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @utkarsh_gupta,
Did you get a chance to look through below query? Your help will be appreciated. Thanks.
