CST support for API based HSM


1,138 Views
jbhaijy
Contributor III

Hi,

We are using i.MX8mini and trying to understand the CST tool to sign the images. Below are my questions:

1. Does the CST (cst-3.3.1 or 3.3.2) tool have built-in support to connect to an API-based HSM to get the image signed?

       CST tool ------> API server -----> Digicert HSM

2. Does the pre-built cst-3.3.2 have default built-in support to communicate with an HSM? Or do we need to rebuild cst-3.3.2 for CST-HSM?

3. Can we build the cst-3.3.2 tool natively without using the docker file? What are the steps or guidelines?

4. Can we use the CST tool to access a remote HSM which is not in our network, like the DigiCert HSM?

5. We have a proven signing PKI structure for i.MX6. Can we use the same PKI keys and certs for i.MX8 (i.e. CA, SRK, IMG & CSF)?

Thanks

0 Kudos
Reply
2 Replies

1,078 Views
jbhaijy
Contributor III

@Bio_TICFSL Thanks for the reply.

I don't see back_end-hsm anywhere in the cst-3.3.2 directory, but I see the cst, hab_log_parser and srktool binaries under cst-3.3.2/linux64/bin. Just wanted to confirm: do these binaries have support to interface with an HSM?

0 Kudos
Reply

1,111 Views
Bio_TICFSL
NXP TechSupport

Hello,

1) No.

2) You may have it already; check cst-3.3.2/code/back_end-hsm

3) Yes, you can build it, but there is no step guide.

The following works for me on Linux:

  1. Extract cst-3.3.2.tgz
  2. Change into ./cst-3.3.2/code/cst and run: bash -c "OSTYPE=linux64 make rel_bin"
  3. Change into ./cst-3.3.2/code/back_end-engine/src and run:
    1. sed -i 's#^ROOT :=.*#ROOT := ../../cst/code#g' ./Makefile
    2. sed -i 's#^FRONTEND :=.*#FRONTEND := $(ROOT)/obj.linux$(BITNESS)/libfrontend.a#g' ./Makefile
    3. bash -c "OSTYPE=linux64 make"

The cst binary for the HSM is now ./cst-3.3.2/code/back_end-engine/src/cst

4) I don't think so.

5) Yes, you can.

Regards

0 Kudos
Reply
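
The build steps in the reply above, wrapped with checks, as an added example that is not part of the original thread and not NXP's own script. The `sed` edits do nothing and report no error when a Makefile has no matching `ROOT :=` or `FRONTEND :=` line, so the hypothetical helper `patch_backend_makefile` refuses to continue in that case; `build_cst_engine` is also a hypothetical name, and the script assumes GNU sed and that cst-3.3.2.tgz is already extracted under the directory passed in.

```shell
#!/bin/sh
# Added example: guarded form of the Makefile edits and build from the reply.

# patch_backend_makefile MAKEFILE
#   0 = both assignments rewritten, 1 = file missing,
#   2 = a "ROOT :=" or "FRONTEND :=" line is absent (sed would silently no-op),
#   3 = post-edit verification failed.
patch_backend_makefile() {
    mk=$1
    [ -f "$mk" ] || { echo "missing: $mk" >&2; return 1; }
    for var in ROOT FRONTEND; do
        grep -q "^$var :=" "$mk" || {
            echo "no '$var :=' line in $mk, not patching" >&2
            return 2
        }
    done
    cp "$mk" "$mk.orig"    # keep the shipped Makefile so the change can be diffed
    sed -i 's#^ROOT :=.*#ROOT := ../../cst/code#g' "$mk"
    sed -i 's#^FRONTEND :=.*#FRONTEND := $(ROOT)/obj.linux$(BITNESS)/libfrontend.a#g' "$mk"
    # Confirm the file now holds exactly the two lines the steps call for.
    grep -qxF 'ROOT := ../../cst/code' "$mk" &&
    grep -qxF 'FRONTEND := $(ROOT)/obj.linux$(BITNESS)/libfrontend.a' "$mk" ||
        return 3
}

# build_cst_engine TOPDIR
#   TOPDIR is the directory that contains the extracted cst-3.3.2 tree.
build_cst_engine() {
    top=$1
    ( cd "$top/cst-3.3.2/code/cst" &&
      bash -c "OSTYPE=linux64 make rel_bin" ) || return 1
    ( cd "$top/cst-3.3.2/code/back_end-engine/src" &&
      patch_backend_makefile ./Makefile &&
      bash -c "OSTYPE=linux64 make" ) || return 1
    # The reply names this path as the resulting binary.
    [ -x "$top/cst-3.3.2/code/back_end-engine/src/cst" ]
}

# Run the build only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    build_cst_engine "$1"
fi
```

Comparing `Makefile.orig` with the patched `Makefile` afterwards shows exactly what was changed in the vendor tree before the signing tool was built.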