CST-3.3.2 back_end-ssl Interface with HSM API

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

CST-3.3.2 back_end-ssl Interface with HSM API

2,120件の閲覧回数
jbhaijy
Contributor III

Hi,

In cst-3.3.2, on cst/code/ path there is back_end-sslback_end-pkcs11. I want to sign the build images through remote HSM. There are HSM signing API's which we need to call for signing particular image. I just want to know how we can integrate these HSM API call in CST backend implementation. 

Can you please explain what is the purpose of back_end-ssl & back_end-pkcs11 & which is the best approach to call HSM API for signing images.

 

Thanks

 

0 件の賞賛
返信
8 返答(返信)

2,073件の閲覧回数
Irene
NXP Pro Support
NXP Pro Support

This might help address your questions. 

0 件の賞賛
返信

2,041件の閲覧回数
jbhaijy
Contributor III

Hi @Irene,

Appreciate your help & support. Thanks.

I followed the steps mentioned in the document you shared & I am able to use "Mode = HSM" & generated the data_csfsig.bin, data_imgsig.bin, sig_request.txt & csf.bin. I think this use-case is best suites our requirement & hence I need to understand this approach in deep. I have few question regarding this approach. 

  • For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?
  • In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?
  • After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.
  • To generate the final signed flash.bin, what is the command to insert CSF binary into flash.bin incase of i.MX8 & appending the CSF binary into u-boot image incase of i.MX6?  We have i.MX6 & i.MX8 based products. At what offiset or address? as mentioned in step-3.2 in the document.
  • As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right? 
0 件の賞賛
返信

1,819件の閲覧回数
jbhaijy
Contributor III

Hi @Irene 

 

As mentioned in the document CST generates data_csfsig.bin & data_imgsig.bin. My question is instead of sending these binaries to HSM for signing, can we generate the hash value of each binary & send it to HSM for signature generation? Our standard signing API's needs hash value & keypair ID.

 

Thanks 

タグ(4)
0 件の賞賛
返信

1,772件の閲覧回数
jbhaijy
Contributor III

Hey @Irene 

 

Do you have any update on below query?

0 件の賞賛
返信

1,961件の閲覧回数
Irene
NXP Pro Support
NXP Pro Support

For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?

<NXP> Yes, they can; please sign the binaries with the openssl command.

In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?

 

<NXP> Yes. The sig_request file contains the identification(unique tag) of which signature belongs to which binary.

After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.

 

 

<NXP>This is a manual process, and the offset is as described in the diagram in Step 2.

As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right? 

<NXP> The option 2 is better suited for permanent change.

 

 

 

 

0 件の賞賛
返信

2,005件の閲覧回数
jbhaijy
Contributor III

Hey @Irene,

 

Do you have any update on above queries?

I am following-up with you because the solution mentioned in the document which shared with me is possibly fit for our requirement & it is no where mentioned in the NXP public document. Request you please share if you have application document specifically for "Mode = HSM" works.

Thanks for you support. 

0 件の賞賛
返信

2,102件の閲覧回数
Irene
NXP Pro Support
NXP Pro Support

Let me look into this issue.

0 件の賞賛
返信

2,078件の閲覧回数
jbhaijy
Contributor III

@Irene 

Do you have any update on this?

0 件の賞賛
返信