CST3.4.0 with HSM

jbhaijy · ‎01-23-2024

Hi,

I am using latest CST-3.4.0 & I want to explore the CST-3.4.0 with third party HSM. I configured openssl.cnf as like below,

openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
#Path to the Compiled OpenSSL PKCS11 from OpenSC - libp11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /home/jbhaijy/digicert/smtools-linux-x64/smpkcs11.so

I run the CST with -b pkcs11 option to sign the images through HSM, but I am getting below errors.

./cst --verbose -b pkcs11 -i dev_spl.csf -o dev_spl.bin
Install SRK
Install CSFK
Certificate not found.
Public key certificate is invalid in file pkcs11:model=DigiCert%20PKCS%2311;manufacturer=DigiCert;serial=SS0123456789;token=Virtual%20PKCS%2311%20Token;id=%36%34%33%39%61%63%61%32%2D%35%36%61%30%2D%34%64%64%63%2D%39%36%30%39%2D%65%62%64%39%31%63%36%33%65%33%62%39;object=imx6-hab-csf2-key-test;type=private

Please help me identify the problems here.

Thanks for you support.

imx8mp_developer · ‎10-15-2025

I am trying to accomplish the signature using Digicert for imx93 with AHAB.

I am able to sign both os_cntr_signed.bin and imx-boot-imx93-var-som-aski-sd.bin-flash_singleboot_gdet but once I try to verify them using ~/cst-4.0.0/linux64/bin/ahab_image_verifier I get a incoherent result:

By doing: ahab_image_verifier os_cntr_signed.bin 0 0 I get

Signature Block:
Version: 0
Length: 2648 bytes
Tag: 0x90
Certificate Offset: 0x0
SRK Table/Array Offset: 0x10
SRK Table:
   Tag: 0xD7
   Length: 2112 bytes
   Version: 66
   SRK Record:
     Tag: 0xE1
     Length: 527 bytes
     Sign Algorithm: RSA
     Hash Algorithm: SHA2_384
     Key Size/Curve: RSA4096
     SRK Flags: CA Flags
     Modulus (N):
.....
Signature verification failed

While by doing: ahab_image_verifier imx-boot-imx93-var-som-aski-sd.bin-flash_singleboot_gdet 0 0 I get:

Signature Block:
Version: 0
Length: 400 bytes
Tag: 0x90
Certificate Offset: 0x0
SRK Table/Array Offset: 0x10
SRK Table:
   Tag: 0xD7
   Length: 308 bytes
   Version: 66
   SRK Record:
     Tag: 0xE1
     Length: 76 bytes
     Sign Algorithm: ECDSA
     Hash Algorithm: SHA2_256
     Key Size/Curve: PRIME256V1
     SRK Flags: None
     X Coordinate: ....
     Y Coordinate: ...

......

Signature verification successful

I used the same csf.cfg as input to cst-signer, thus same SRK Table and Digicert Token are used in cst's .csf files

does anybody have a clue?! I also posted this question in here

mathiyalagan_c · ‎07-09-2024

Hi @jbhaijy how to get latest cst with hsm, unable to find the latest.

jbhaijy · ‎07-09-2024

You can download from https://www.nxp.com/search?keyword=IMX_CST_TOOL
Default this CST tool have HSM support but you need to configure your CSF to get it images signed from HSM.

Explore the documentation in this tool for further details.

jbhaijy · ‎01-23-2024

@hector_delgado

Thank for the reply.
We want to have CST signing solution for i.MX6 & i.MX8 both. Both are custom boards. I am running Ubuntu-22.04 VM.

hector_delgado · ‎01-24-2024

Hi @jbhaijy ,

Have you followed all steps from our Application Note Using Code-Signing Tool with Hardware Security Module (https://www.nxp.com/webapp/Download?colCode=AN12812&location=null)?

Even though it's an old guide, I believe it should still apply to our current CST release.

Let me know if this was of any help.

Best regards,
Hector.

jbhaijy · ‎01-27-2024

Hi @hector_delgado

I followed the steps mentioned in the AN12812, Instead of SoftHSM we are using 3rd party HSM.

What could be the possible reasons?

Regards,

jbhaijy

roke · ‎07-10-2024

https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/HSM-Code-Signing-Journey/ta-p/1882244

hector_delgado · ‎02-01-2024

Hi @jbhaijy ,

Could you try the following changes to your openssl.cnf file?

openssl_conf = openssl_def

[openssl_def]
engines = engine_section


[engine_section]
pkcs11 = pkcs11_section


[pkcs11_section]
engine_id = pkcs11
#Path to the Compiled OpenSSL PKCS11 from OpenSC - libp11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /home/jbhaijy/digicert/smtools-linux-x64/smpkcs11.so
init = 0

Let me know if it solves the issue.

Best regards,
Hector.

hector_delgado · ‎01-23-2024

Hi @jbhaijy ,

I hope you're doing well!

What i.MX are you using? Is it a custom board or one of our EVKs? Also, what distro and version of Linux are you using in your host environment?

Best regards,
Hector.