CST-3.3.2 back_end-ssl Interface with HSM API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CST-3.3.2 back_end-ssl Interface with HSM API

2,129 Views
jbhaijy
Contributor III

Hi,

In cst-3.3.2, on cst/code/ path there is back_end-sslback_end-pkcs11. I want to sign the build images through remote HSM. There are HSM signing API's which we need to call for signing particular image. I just want to know how we can integrate these HSM API call in CST backend implementation. 

Can you please explain what is the purpose of back_end-ssl & back_end-pkcs11 & which is the best approach to call HSM API for signing images.

 

Thanks

 

0 Kudos
Reply
8 Replies

2,082 Views
Irene
NXP Pro Support
NXP Pro Support

This might help address your questions. 

0 Kudos
Reply

2,050 Views
jbhaijy
Contributor III

Hi @Irene,

Appreciate your help & support. Thanks.

I followed the steps mentioned in the document you shared & I am able to use "Mode = HSM" & generated the data_csfsig.bin, data_imgsig.bin, sig_request.txt & csf.bin. I think this use-case is best suites our requirement & hence I need to understand this approach in deep. I have few question regarding this approach. 

  • For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?
  • In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?
  • After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.
  • To generate the final signed flash.bin, what is the command to insert CSF binary into flash.bin incase of i.MX8 & appending the CSF binary into u-boot image incase of i.MX6?  We have i.MX6 & i.MX8 based products. At what offiset or address? as mentioned in step-3.2 in the document.
  • As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right? 
0 Kudos
Reply

1,828 Views
jbhaijy
Contributor III

Hi @Irene 

 

As mentioned in the document CST generates data_csfsig.bin & data_imgsig.bin. My question is instead of sending these binaries to HSM for signing, can we generate the hash value of each binary & send it to HSM for signature generation? Our standard signing API's needs hash value & keypair ID.

 

Thanks 

0 Kudos
Reply

1,781 Views
jbhaijy
Contributor III

Hey @Irene 

 

Do you have any update on below query?

0 Kudos
Reply

1,970 Views
Irene
NXP Pro Support
NXP Pro Support

For initial testing purpose we have created development keys & certs on systems filesystem but finally these keys & certs will be kept on remote HSM. For initial testing can we sign the data_csfsig.bin & data_imgsig.bin with the development private key's available on filesystem? If yes, can you please share the command to sign these images?

<NXP> Yes, they can; please sign the binaries with the openssl command.

In case of signing with HSM, do we also need to send the sig_request.txt along data_csfsig.bin & data_imgsig.bin?

 

<NXP> Yes. The sig_request file contains the identification(unique tag) of which signature belongs to which binary.

After receiving the signature, how we can insert them into CSF binary? Is there any command? At what offiset or address? as mentioned in step-3.1 in the document.

 

 

<NXP>This is a manual process, and the offset is as described in the diagram in Step 2.

As mentioned in the step3-Note, if the signature received from HSM is bigger than the pre-calculated size, then in that case the changes required to update the offset(option-1) or update in the code (option-2) will be one time activity, right? 

<NXP> The option 2 is better suited for permanent change.

 

 

 

 

0 Kudos
Reply

2,014 Views
jbhaijy
Contributor III

Hey @Irene,

 

Do you have any update on above queries?

I am following-up with you because the solution mentioned in the document which shared with me is possibly fit for our requirement & it is no where mentioned in the NXP public document. Request you please share if you have application document specifically for "Mode = HSM" works.

Thanks for you support. 

0 Kudos
Reply

2,111 Views
Irene
NXP Pro Support
NXP Pro Support

Let me look into this issue.

0 Kudos
Reply

2,087 Views
jbhaijy
Contributor III

@Irene 

Do you have any update on this?

0 Kudos
Reply