Hello,
I need to generate the HAB3 PKI tree via an HSM simulator so that the keys stay inside a secure environment. I do not want to write keys to the HSM; I need to generate them on the HSM.
For this, can I directly execute the commands present in the hab3_pki_tree.sh script on the HSM simulator? For example, can I directly run the command below on the HSM simulator?
openssl req -newkey rsa:2048 -passout file:./key_pass.txt -subj /CN=CA1_sha256_2048_65537_v3_ca/ -x509 -extensions v3_ca -keyout ./temp_ca.pem -out CA_CERT.pem -days 365 -config ../ca/openssl.cnf
@bhatnagarashish1998
Hello,
What i.MX device is used in your case?
Secure boot features for processors such as i.MX25, i.MX35, and i.MX51, which use HABv3, are documented in "Secure Boot on i.MX25, i.MX35, and i.MX51 using HAB3" (AN4547).
https://www.nxp.com/docs/en/application-note/AN4547.pdf
According to CST documentation:
An alternative Back-End replacement is proposed under the directory /code/back_end-hsm. This alternative provides the support to interact with a Hardware Security Module (HSM) by using the PKCS#11 interface definition.
More detailed information can be found in the documentation located in the directory /code/back_end-hsm/doc.
https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL
Note: we do not have examples for HABv3.
Regards,
Yuri.
Hello @Yuri,
Thanks for your fast response!
In my case the i.MX25 processor is used.
I have gone through the Back-End replacement alternative /code/back_end-hsm/HSM-CST_UG.pdf as mentioned by you, but this won't fulfill my requirement.
My requirement is not to generate the HABv3 PKI tree externally and pass the keys into HSM.
I want to generate the HABv3 PKI tree inside the HSM simulator and sign the bootloader via the HSM simulator.
I wanted to know whether it is possible to generate the PKI tree inside the HSM, or whether I have to generate the tree externally and then pass the keys to the HSM. If it is possible, how am I supposed to do it?
Thanks and Regards
Ashish Bhatnagar
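The following script is an added example illustrating the design question asked above; it is not NXP's code, not part of the CST package, and does not claim that CST's HSM back-end supports HABv3. It uses SoftHSM2 as the "HSM simulator" and OpenSC's pkcs11-tool to generate the CA key pair on the token (PKCS#11 C_GenerateKeyPair), then replaces the thread's `openssl req ... -x509 -keyout ./temp_ca.pem` step with one that references the private key by PKCS#11 URI through OpenSSL's pkcs11 engine, so the private key is never written to a file. The module path, token label, PINs, key id and the availability of the libp11 engine (which reads the PKCS11_MODULE_PATH environment variable) are assumptions; ../ca/openssl.cnf is the config referenced in hab3_pki_tree.sh.

```shell
#!/bin/sh
# Added example (not from the NXP thread or the CST package): generate the
# HAB3 CA key pair inside a PKCS#11 token and issue the self-signed CA
# certificate with OpenSSL's pkcs11 engine, so the private key never
# leaves the token.
# Assumptions (hypothetical values): SoftHSM2 and OpenSC's pkcs11-tool are
# installed, OpenSSL 1.1.x with the libp11 "pkcs11" engine is available,
# and ../ca/openssl.cnf is the CST config referenced in hab3_pki_tree.sh.

MODULE="${PKCS11_MODULE:-/usr/lib/softhsm/libsofthsm2.so}"  # assumed path
TOKEN="hab3ca"        # constructed token label
USER_PIN="1234"       # constructed demo user PIN
SO_PIN="5678"         # constructed demo security-officer PIN
KEY_ID="01"           # CKA_ID of the CA key, as hex bytes
KEY_LABEL="CA1_sha256_2048_65537_v3_ca"

# Build an RFC 7512 PKCS#11 URI for a private key, percent-encoding the hex
# CKA_ID byte-wise (01 -> %01, 0a1b -> %0a%1b). Token labels containing
# reserved characters (';', '/', ' ') would also need percent-encoding;
# this helper assumes a plain alphanumeric label.
pkcs11_uri() {
    tok="$1"; hexid="$2"
    encid=$(printf '%s' "$hexid" | sed 's/../%&/g')
    printf 'pkcs11:token=%s;id=%s;type=private\n' "$tok" "$encid"
}

# 1. Initialise the software token (one-off, uses the first free slot).
init_token() {
    softhsm2-util --init-token --free --label "$TOKEN" \
        --pin "$USER_PIN" --so-pin "$SO_PIN"
}

# 2. Generate the RSA-2048 key pair *on the token* (C_GenerateKeyPair).
#    Only the public half can be read back; the private key stays inside.
gen_ca_key() {
    pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" \
        --keypairgen --key-type rsa:2048 --usage-sign \
        --id "$KEY_ID" --label "$KEY_LABEL"
}

# 3. Equivalent of the thread's `openssl req ... -x509` step, but the key is
#    referenced by URI through the engine instead of -keyout ./temp_ca.pem.
#    The PIN is passed as the pin-value query attribute to avoid a prompt.
issue_ca_cert() {
    PKCS11_MODULE_PATH="$MODULE" openssl req -engine pkcs11 -keyform engine \
        -key "$(pkcs11_uri "$TOKEN" "$KEY_ID")?pin-value=$USER_PIN" \
        -new -x509 -days 365 -extensions v3_ca \
        -subj "/CN=${KEY_LABEL}/" -config ../ca/openssl.cnf \
        -out CA_CERT.pem
}

# 4. Sanity check: the public key embedded in CA_CERT.pem must match the
#    public key object on the token (assumes pkcs11-tool writes DER SPKI).
verify_key_on_token() {
    pkcs11-tool --module "$MODULE" --read-object --type pubkey \
        --id "$KEY_ID" -o ca_pub.der >/dev/null
    a=$(openssl x509 -in CA_CERT.pem -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -pubin -inform DER -in ca_pub.der -outform DER \
        | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# Run the full sequence only when explicitly asked:
#   RUN_HSM_DEMO=1 sh hab3_ca_on_token.sh
if [ "${RUN_HSM_DEMO:-0}" = "1" ]; then
    init_token && gen_ca_key && issue_ca_cert && verify_key_on_token \
        && echo "CA key is on the token and CA_CERT.pem matches it"
fi
```

The remaining steps of hab3_pki_tree.sh (the subordinate keys and their certificates signed by this CA) follow the same pattern: generate each key pair with pkcs11-tool and point `openssl req`/`openssl x509 -CAkey` at the CA key's URI instead of a PEM file. Signing the boot image afterwards is a separate matter: per the reply above, CST's /code/back_end-hsm component is the piece that would consume a key by PKCS#11, and the thread states it has no HABv3 examples, so whether CST can complete the HABv3 signing step against the token is not something this example settles.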
@bhatnagarashish1998
Hello,
Our solution does not support your requirements.
Nevertheless, you may design your own.
Also:
Regards,
Yuri.