FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Hardware token support by HAB/CST

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Hardware token support by HAB/CST

Jump to solution
‎07-07-2017 09:15 AM
1,171 Views
ivandrobyshevs1
Contributor II

Is it possible to sign U-Boot and other binaries that are later verified by HAB using a hardware token? The disadvantage of using Code Signing Tool as described in tutorial(s) is that private keys are stored in the file system so it's not as secure as it might be in theory.

0 Kudos
Reply
1 Solution

Jump to solution
‎07-09-2017 08:32 PM
767 Views
Yuri
NXP Employee
NXP Employee

Hello,

  You may look at Appendix B (Replacing the CST Backend Implementation)

of HAB Code-Signing Tool User’s Guide, Rev. 2.3.2, 3/2016.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

0 Kudos
Reply
3 Replies

Jump to solution
‎05-23-2018 07:11 AM
767 Views
marouene_boubakri
NXP Employee
NXP Employee

The best approach to fulfill your request would be creating an OpenSSL engine which talks to your HSM.

In your CST backend, you create the CMS signature using OpenSSL's public accessors. OpenSSL in his turn will offload any cryprohraphic operation involved during signing to the HSM.

Detailed answer can be found here https://community.nxp.com/message/1021666 

0 Kudos
Reply

Jump to solution
‎11-06-2017 02:56 PM
767 Views
brianmiller
Contributor II

The back-end code included with the CST needs to be ported to support certificate and key storage other than OpenSSL.  For the most part, it is not difficult.  The only difficult portion is constructing the CSM signing portion, which requires unraveling the OpenSSL code.  You'll need to link directly to the OpenSSL libcrypto.a file.  Once you are able to produce the same signature that OpenSSL does, everything works fine.

0 Kudos
Reply

Jump to solution
‎07-09-2017 08:32 PM
768 Views
Yuri
NXP Employee
NXP Employee

Hello,

  You may look at Appendix B (Replacing the CST Backend Implementation)

of HAB Code-Signing Tool User’s Guide, Rev. 2.3.2, 3/2016.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply