Hi @utkarsh_gupta,
I saw one of your document(attached) where you explain about how we can use the Mode = HSM to instruct the CST tool to prepare a signing request & generates data_csfsig.bin & data_imgsig.bin. This guide is very helpful for me because our use case is somewhat similar.
I am able to generate the above binaries & generate signature with the private key's but I am stuck at how we can insert the received signature at particular offset programmatically. sig_request.txt generates the same unique tag for csf & img file. Can you please help me how we can find out the offset to insert the signature. I am using i.MX8mm CPU. Can you please share if you have any example project.
>> cat sig_request.txt
Signing Request:
data_imgsig.bin
unique tag: 6815c4024c5ccd76
Signing Request:
data_csfsig.bin
unique tag: 6815c4024c5ccd76
已解决! 转到解答。
Hi @jbhaijy ,
I hope you're doing great!
Sorry for the confusion. The HSM Mode described in the guide has not been a fully supported CSF feature for HAB4.
As indicated, the latest revision of the CST doesn't correctly generate unique tag values. The locations where the signatures should be inserted can still be identified using the non-unique tag value. The tag value is at the start of the signature region, so it should be overwritten.
CST version 3.3.2 will create the csf binary with the signature for csf in the last allocated signature region. Therefore, in the example, the signature created for data_csfsig.bin should be inserted in the last signature region. The signature for data_imgsig.bin will go into the first signature region in the binary.
Best regards,
Hector.
Hi @jbhaijy ,
I hope you're doing well. I'd recommend looking at the following file for details on the offsets uboot-imx/doc/imx/habv4/guides/mx8m_encrypted_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub.
Also, if you haven't reviewed the following guide (https://www.nxp.com/webapp/Download?colCode=AN12812&location=null), it's a good compliment for using CST with HSM in general.
Let me know if this was of any help!
Best regards,
Hector.
Hi Hector,
I know the offsets in CSF file generated by mkimage tool. I am asking specifically steps mentioned in previously attached pdf. If you go through the steps mentioned in the pdf, you will get some idea what help I am asking for. In step 1.2 CST generated 4 files, data_csfsig.bin & data_imgsig.bin, csf.bin & sig_request.txt.
data_csfsig.bin & data_imgsig.bin we need to send for signing with its respective private key. Then received signature will get inserted into csf.bin to make signed_csf.bin. (as mentioned in Step 3.1)
My question is, How we can find the offset (for data_csfsig.bin & data_imgsig.bin) so that we can insert the received signature into csf.bin file? Step 3.1 mentioned insert the signature manually but I am looking if CST tool can help me to get the offset. Please suggest.
CC: @utkarsh_gupta
Thanks.
Hi @jbhaijy ,
I hope you're doing great!
Sorry for the confusion. The HSM Mode described in the guide has not been a fully supported CSF feature for HAB4.
As indicated, the latest revision of the CST doesn't correctly generate unique tag values. The locations where the signatures should be inserted can still be identified using the non-unique tag value. The tag value is at the start of the signature region, so it should be overwritten.
CST version 3.3.2 will create the csf binary with the signature for csf in the last allocated signature region. Therefore, in the example, the signature created for data_csfsig.bin should be inserted in the last signature region. The signature for data_imgsig.bin will go into the first signature region in the binary.
Best regards,
Hector.
Hi @hector_delgado,
Thanks for your support.
Yes, you are correct on below statement, & with this I am able to boot the iMX6/8 SoC without any HAB events.
"CST version 3.3.2 will create the csf binary with the signature for csf in the last allocated signature region. Therefore, in the example, the signature created for data_csfsig.bin should be inserted in the last signature region. The signature for data_imgsig.bin will go into the first signature region in the binary."
But now I am facing some other problem which I think you have some solution on that.
As per one of the NXP document which I shared previously, I am able to run the CST in “Mode = HSM” & it produces 4 different files in the output. Locally I am able to sign the data_csfsig.bin & data_imgsig.bin with its respective private key/certs using the OpenSSL cms command(As mentioned in your document). The signatures data_csfsig.sig & data_imgsig.sig inserted at its respective unique_tag offset mentioned in sig_request. And the signed SPL boots on the i.MX6 SoC without any HAB event. With the same process I am able to boot i.MX8 SoC as well.
To sign with the remote HSM, we calculated the hash of data_csfsig.bin & data_imgsig.bin, encoded in base64 format & send to our signing API endpoint. In response we received the signature which is not matching with the reference signature we generated with OpenSSL cms command.
We compared the OpenSSL cms generated signature with remote HSM signature & we found the signature differences.
It seems that CST generates the signature data in cms format by default even if we disable the “Signature Format” in CSF header.
Questions:
Your suggestions/input always welcome. Thanks for your valuable support.
Hi @jbhaijy ,
We're still reviewing this, I'm sorry this has taken so long. I'll get back to you with an update in the following days. Thank you for understanding.
Best regards,
Hector.
Hi @jbhaijy ,
I see now, sorry for the confusion. Let me review this with our team since I'm encountering some issues with CST and HSM. I'll get back to you as soon as we get some clarification on this issue. Thank you.
Best regards,
Hector.