CST-3.3.2 back_end-ssl Interface with HSM API

Hi @Irene,

Appreciate your help & support. Thanks.

I followed the steps mentioned in the document you shared & I am able to use "Mode = HSM" & generated the data_csfsig.bin, data_imgsig.bin, sig_request.txt & csf.bin. I think this use-case is best suites our requirement & hence I need to understand this approach in deep. I have few question regarding this approach. 

• For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?
• In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?
• After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.
• To generate the final signed flash.bin, what is the command to insert CSF binary into flash.bin incase of i.MX8 & appending the CSF binary into u-boot image incase of i.MX6?  We have i.MX6 & i.MX8 based products. At what offiset or address? as mentioned in step-3.2 in the document.
• As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right? 

Hi @Irene 

As mentioned in the document CST generates data_csfsig.bin & data_imgsig.bin. My question is instead of sending these binaries to HSM for signing, can we generate the hash value of each binary & send it to HSM for signature generation? Our standard signing API's needs hash value & keypair ID.

Thanks 

Hey @Irene 

Do you have any update on below query?

For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?

<NXP> Yes, they can; please sign the binaries with the openssl command.

In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?

<NXP> Yes. The sig_request file contains the identification(unique tag) of which signature belongs to which binary.

After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.

<NXP>This is a manual process, and the offset is as described in the diagram in Step 2.

As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right? 

<NXP> The option 2 is better suited for permanent change.

Hey @Irene,

Do you have any update on above queries?

I am following-up with you because the solution mentioned in the document which shared with me is possibly fit for our requirement & it is no where mentioned in the NXP public document. Request you please share if you have application document specifically for "Mode = HSM" works.

Thanks for you support. 

@Irene 

Do you have any update on this?