CST3.4.0 with HSM


3,579 views
jbhaijy
Contributor III

Hi,

 

I am using the latest CST-3.4.0 and I want to explore CST-3.4.0 with a third-party HSM. I configured openssl.cnf as below:

openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
#Path to the Compiled OpenSSL PKCS11 from OpenSC - libp11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /home/jbhaijy/digicert/smtools-linux-x64/smpkcs11.so

I run CST with the -b pkcs11 option to sign the images through the HSM, but I am getting the errors below.

./cst --verbose -b pkcs11 -i dev_spl.csf -o dev_spl.bin
Install SRK
Install CSFK
Certificate not found.
Public key certificate is invalid in file pkcs11:model=DigiCert%20PKCS%2311;manufacturer=DigiCert;serial=SS0123456789;token=Virtual%20PKCS%2311%20Token;id=%36%34%33%39%61%63%61%32%2D%35%36%61%30%2D%34%64%64%63%2D%39%36%30%39%2D%65%62%64%39%31%63%36%33%65%33%62%39;object=imx6-hab-csf2-key-test;type=private

 

Please help me identify the problems here. 

Thanks for your support.

 

0 Kudos
8 Replies
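
An added example, not part of the original thread or of NXP's tooling: a small RFC 7512 parser that decodes the PKCS#11 URI quoted in the error message of the opening post, so that each attribute (including the percent-encoded id and the type) can be compared against the objects actually present on the token. The function and constant names are hypothetical.

```python
from urllib.parse import unquote_to_bytes

# URI copied verbatim from the CST error message in the opening post.
URI = (
    "pkcs11:model=DigiCert%20PKCS%2311;manufacturer=DigiCert;"
    "serial=SS0123456789;token=Virtual%20PKCS%2311%20Token;"
    "id=%36%34%33%39%61%63%61%32%2D%35%36%61%30%2D%34%64%64%63%2D"
    "%39%36%30%39%2D%65%62%64%39%31%63%36%33%65%33%62%39;"
    "object=imx6-hab-csf2-key-test;type=private"
)
TOKEN_ATTRS = {"model", "manufacturer", "serial", "token"}  # select the token
OBJECT_ATTRS = {"id", "object", "type"}                     # select the object
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}  # RFC 7512


def parse_pkcs11_uri(uri):
    """Decode an RFC 7512 URI into token, object, other and query attributes."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    out = {"token": {}, "object": {}, "other": {}, "query": {}}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"attribute without value: {part!r}")
        raw = unquote_to_bytes(value)
        group = ("token" if name in TOKEN_ATTRS
                 else "object" if name in OBJECT_ATTRS else "other")
        if name in out[group]:
            raise ValueError(f"duplicate attribute: {name}")
        # CKA_ID is an arbitrary byte string; all other values are UTF-8 text.
        out[group][name] = raw if name == "id" else raw.decode("utf-8")
    for part in filter(None, query.split("&")):
        name, _, value = part.partition("=")
        # Never echo a PIN embedded in the URI into logs or terminals.
        out["query"][name] = ("<redacted>" if name == "pin-value"
                              else unquote_to_bytes(value).decode("utf-8"))
    obj_type = out["object"].get("type")
    if obj_type is not None and obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {obj_type}")
    return out


if __name__ == "__main__":
    parsed = parse_pkcs11_uri(URI)
    for group, attrs in parsed.items():
        for name, value in attrs.items():
            shown = f"{value!r} (hex {value.hex()})" if name == "id" else value
            print(f"{group:6} {name:12} = {shown}")
```

The id is returned as bytes and printed with its hex form, which is how OpenSC's pkcs11-tool shows object IDs in its object listing.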

2,856 views
mathiyalagan_c
Contributor I

Hi @jbhaijy, how can I get the latest CST with HSM? I am unable to find the latest.

0 Kudos

2,847 views
jbhaijy
Contributor III

You can download it from https://www.nxp.com/search?keyword=IMX_CST_TOOL
By default, this CST tool has HSM support, but you need to configure your CSF to get images signed from the HSM.

Explore the documentation in this tool for further details.

0 Kudos

3,555 views
jbhaijy
Contributor III

@hector_delgado 

Thanks for the reply.
We want to have a CST signing solution for both i.MX6 and i.MX8. Both are custom boards. I am running an Ubuntu-22.04 VM.

0 Kudos

3,527 views
hector_delgado
NXP TechSupport

Hi @jbhaijy ,

Have you followed all steps from our Application Note Using Code-Signing Tool with Hardware Security Module (https://www.nxp.com/webapp/Download?colCode=AN12812&location=null)?

Even though it's an old guide, I believe it should still apply to our current CST release.

Let me know if this was of any help.

Best regards,
Hector.

0 Kudos

3,508 views
jbhaijy
Contributor III

Hi @hector_delgado 

I followed the steps mentioned in AN12812; instead of SoftHSM we are using a 3rd-party HSM.

What could be the possible reasons?

 

Regards,

jbhaijy

0 Kudos

3,414 views
hector_delgado
NXP TechSupport

Hi @jbhaijy ,

Could you try the following changes to your openssl.cnf file?

openssl_conf = openssl_def

[openssl_def]
engines = engine_section


[engine_section]
pkcs11 = pkcs11_section


[pkcs11_section]
engine_id = pkcs11
#Path to the Compiled OpenSSL PKCS11 from OpenSC - libp11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /home/jbhaijy/digicert/smtools-linux-x64/smpkcs11.so
init = 0


Let me know if it solves the issue.

Best regards,
Hector.

0 Kudos

3,561 views
hector_delgado
NXP TechSupport

Hi @jbhaijy ,

I hope you're doing well!

What i.MX are you using? Is it a custom board or one of our EVKs? Also, what distro and version of Linux are you using in your host environment? 

Best regards,
Hector.

0 Kudos