Hardware token support by HAB/CST

cancel
Showing results for 
Search instead for 
Did you mean: 

Hardware token support by HAB/CST

Jump to solution
510 Views
ivandrobyshevs1
Contributor II

Is it possible to sign U-Boot and other binaries that are later verified by HAB using a hardware token? The disadvantage of using Code Signing Tool as described in tutorial(s) is that private keys are stored in the file system so it's not as secure as it might be in theory.

0 Kudos
1 Solution
106 Views
Yuri
NXP TechSupport
NXP TechSupport

Hello,

  You may look at Appendix B (Replacing the CST Backend Implementation)

of HAB Code-Signing Tool User’s Guide, Rev. 2.3.2, 3/2016.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

0 Kudos
3 Replies
106 Views
marouene_boubakri
NXP Employee
NXP Employee

The best approach to fulfill your request would be creating an OpenSSL engine which talks to your HSM.

In your CST backend, you create the CMS signature using OpenSSL's public accessors. OpenSSL in his turn will offload any cryprohraphic operation involved during signing to the HSM.

Detailed answer can be found here https://community.nxp.com/message/1021666 

0 Kudos
106 Views
brianmiller
Contributor II

The back-end code included with the CST needs to be ported to support certificate and key storage other than OpenSSL.  For the most part, it is not difficult.  The only difficult portion is constructing the CSM signing portion, which requires unraveling the OpenSSL code.  You'll need to link directly to the OpenSSL libcrypto.a file.  Once you are able to produce the same signature that OpenSSL does, everything works fine.

0 Kudos
107 Views
Yuri
NXP TechSupport
NXP TechSupport

Hello,

  You may look at Appendix B (Replacing the CST Backend Implementation)

of HAB Code-Signing Tool User’s Guide, Rev. 2.3.2, 3/2016.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

0 Kudos