Hi,
In cst-3.3.2, on cst/code/ path there is back_end-ssl & back_end-pkcs11. I want to sign the build images through remote HSM. There are HSM signing API's which we need to call for signing particular image. I just want to know how we can integrate these HSM API call in CST backend implementation.
Can you please explain what is the purpose of back_end-ssl & back_end-pkcs11 & which is the best approach to call HSM API for signing images.
Thanks
Hi @Irene,
Appreciate your help & support. Thanks.
I followed the steps mentioned in the document you shared & I am able to use "Mode = HSM" & generated the data_csfsig.bin, data_imgsig.bin, sig_request.txt & csf.bin. I think this use-case is best suites our requirement & hence I need to understand this approach in deep. I have few question regarding this approach.
Hi @Irene
As mentioned in the document CST generates data_csfsig.bin & data_imgsig.bin. My question is instead of sending these binaries to HSM for signing, can we generate the hash value of each binary & send it to HSM for signature generation? Our standard signing API's needs hash value & keypair ID.
Thanks
For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?
<NXP> Yes, they can; please sign the binaries with the openssl command.
In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?
<NXP> Yes. The sig_request file contains the identification(unique tag) of which signature belongs to which binary.
After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.
<NXP>This is a manual process, and the offset is as described in the diagram in Step 2.
As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right?
<NXP> The option 2 is better suited for permanent change.
Hey @Irene,
Do you have any update on above queries?
I am following-up with you because the solution mentioned in the document which shared with me is possibly fit for our requirement & it is no where mentioned in the NXP public document. Request you please share if you have application document specifically for "Mode = HSM" works.
Thanks for you support.
Let me look into this issue.
Do you have any update on this?