CST Signing Process in Mode = HSM

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CST Signing Process in Mode = HSM

Jump to solution
1,216 Views
jbhaijy
Contributor III

Hi,

I am signing the i.MX6 SPL & U-boot images through CST in Mode = HSM. I am able to sign the SPL & SPL is authenticated by i.MX6 HAB.

We also signed the i.MX6 u-boot but while flashing it got stuck with message failed.

jbhaijy_3-1706551175136.png

For u-boot signing we have process set to sign the u-boot with [Authenticate Data] for DCD block along with [Authenticate Data] for HAB Blocks in the CSF file.

jbhaijy_1-1706551105121.png

As per the document attached & discussed here as well, when we execute the CST in ‘Mode = HSM’ it generates the data_imgcsf.bin & data_csfsig.bin but the sig_request.txt is showing three unique_tag. I also confirmed that csf.bin(output of cst tool) is also having three unique_tag which I think there will be three signature needed to be replace with unique_tags. But the CST generated only data_imgcsf.bin & data_csfsig.bin. What will be the 3rd .bin which will get signed from HSM?

jbhaijy_2-1706551105140.png

After comparing HSM signed u-boot image with working u-boot(signed without HSM mode) it seems that the working u-boot also has three signatures but the HSM signed u-boot have only 2 signatures & missing one more signature in the u-boot.  

I think because of missing signature the the flashing got stuck & failed.

Request you to please help to solve this missing signature problem.

CST tool version: CST-3.4.0

Working OS: Ubuntu 18.04

 

Thanks,

jbhaijy

0 Kudos
Reply
1 Solution
1,117 Views
jbhaijy
Contributor III

Hi @hector_delgado ,

 

I have solved the problem by combining the two different [Authenticate Data] in one. Like below,

jbhaijy_0-1707804116568.png

In this case the CST generates signature binary for CSF commands & combined signature data binary for actual image.  

 

View solution in original post

0 Kudos
Reply
4 Replies
1,118 Views
jbhaijy
Contributor III

Hi @hector_delgado ,

 

I have solved the problem by combining the two different [Authenticate Data] in one. Like below,

jbhaijy_0-1707804116568.png

In this case the CST generates signature binary for CSF commands & combined signature data binary for actual image.  

 

0 Kudos
Reply
1,130 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @jbhaijy ,

Could you please let me know if you're using a third party HSM or are you using softhsm2 like the examples from our HSM guide? 

Thank you.

Best regards,
Hector.

0 Kudos
Reply
1,118 Views
jbhaijy
Contributor III

Hi @hector_delgado ,

I am using 3rd party HSM. 

 

Regards,

jbhaijy

0 Kudos
Reply
1,187 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @jbhaijy ,

I hope you're doing well. Let me check this thoroughly and I'll get back to you as soon as possible. Also, just to be sure, i.MX 6 processors are to be used with HAB not AHAB (as it was implied with your attached document) but I'm sure you probably may have uploaded the wrong file even though you might have used the correct one for the signing process. 

Best regards,
Hector.

0 Kudos
Reply