Is it possible to sign U-Boot and other binaries that are later verified by HAB using a hardware token? The disadvantage of using Code Signing Tool as described in tutorial(s) is that private keys are stored in the file system so it's not as secure as it might be in theory.
Hello,
You may look at Appendix B (Replacing the CST Backend Implementation)
of HAB Code-Signing Tool User’s Guide, Rev. 2.3.2, 3/2016.
Have a great day,
Yuri
The best approach to fulfill your request would be creating an OpenSSL engine which talks to your HSM.
In your CST backend, you create the CMS signature using OpenSSL's public accessors. OpenSSL, in turn, will offload any cryptographic operation involved during signing to the HSM.
A detailed answer can be found here: https://community.nxp.com/message/1021666
The back-end code included with the CST needs to be ported to support certificate and key storage other than OpenSSL. For the most part, it is not difficult. The only difficult portion is constructing the CMS signing portion, which requires unraveling the OpenSSL code. You'll need to link directly to the OpenSSL libcrypto.a file. Once you are able to produce the same signature that OpenSSL does, everything works fine.
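Producing and checking the detached CMS signature that the two answers above talk about, as an added example that is not from this thread or from the CST sources: it uses the openssl command line with a constructed self-signed key and certificate as a stand-in for the CSF/IMG signing key, so a replacement backend has a reference signature to compare its own output against. The HSM key reference (an ENGINE or provider key instead of a PEM file) and the exact CMS flags the CST backend passes are assumptions to confirm against the CST sources and Appendix B of the guide.

```shell
#!/bin/sh
# Added example, not CST code: reference HAB-style detached CMS signature via the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed signer certificate with a file-based private key.
# With an HSM the only change is the key reference on the sign step, e.g. an engine/provider
# key (-engine pkcs11 -keyform engine -inkey "<pkcs11 URI>", assumed); everything else stays.
make_test_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed-test-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Sign arbitrary binary data (a stand-in for a U-Boot image) as a detached, DER-encoded
# CMS SignedData over SHA-256, with no embedded certificate and no S/MIME capabilities
# attribute. Assumption: this matches the shape CST emits for CSF signature blocks.
sign_detached_cms() {   # $1 = input file, $2 = output signature (DER)
    openssl cms -sign -binary -nocerts -nosmimecap -md sha256 \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -in "$1" -outform DER -out "$2"
}

# Check the detached signature against the original content using the signer certificate.
# -noverify skips chain validation of the self-signed test cert; the signature itself is still
# checked, which is what a backend comparison needs. Returns 0 on success, non-zero otherwise.
verify_detached_cms() { # $1 = input file, $2 = signature (DER)
    openssl cms -verify -binary -noverify -inform DER -in "$2" -content "$1" \
        -certfile "$WORK/cert.pem" -out /dev/null 2>/dev/null
}

# End-to-end check: 0 if the genuine image verifies and a one-byte change is rejected.
demo_roundtrip() {
    make_test_signer
    printf 'constructed stand-in for u-boot.imx' > "$WORK/image.bin"
    sign_detached_cms "$WORK/image.bin" "$WORK/image.sig"
    verify_detached_cms "$WORK/image.bin" "$WORK/image.sig" || return 1
    printf 'constructed stand-in for u-boot.imX' > "$WORK/tampered.bin"
    if verify_detached_cms "$WORK/tampered.bin" "$WORK/image.sig"; then return 1; fi
    return 0
}
```

Dump both the CLI output and your backend's output with `openssl cms -cmsout -print -inform DER` to compare the SignedData structures field by field.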