Use cst tool to verify signature of images

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use cst tool to verify signature of images

1,107 Views
haGkiu
Contributor I

Hello community,

 

I want to use cst tool to sign binary images of my software and then use the same tool to verify the signed software( verify that they are signed correctly)

Is that possible with cst tool ?

Can anyone help me .

 

 

 

0 Kudos
Reply
7 Replies

1,072 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @haGkiu ,

I hope you're doing well!

Can you let me know what processor are you using? And is it an EVK or a custom board?

Thank you.

Best regards,
Hector.

0 Kudos
Reply

1,035 Views
haGkiu
Contributor I

Hello,

I am using a phytec phycore card with an imx6q processor.

 

0 Kudos
Reply

1,028 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @haGkiu ,

In order to verify/authenticate a signed image you can use the U-Boot command hab_auth_img

3.4 Verifying HAB events
-------------------------

The U-Boot includes the hab_auth_img command which can be used for
authenticating and troubleshooting the signed image, zImage must be
loaded at the load address specified in the IVT.

- Authenticate additional image:

=> hab_auth_img <Load Address> <Image Size> <IVT Offset>

If no HAB events were found the zImage is successfully signed.

I'd recommend the following guide for secure boot in i.MX 6 devices: uboot-imx/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub

Let me know if this was of any help.

Best regards,
Hector.

0 Kudos
Reply

1,020 Views
haGkiu
Contributor I

Hello,

 

I am working with barebox not u_boot , do you have any information on how to sign barebox with cst (so it can be authenticated by hab).

0 Kudos
Reply

983 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @haGkiu ,

Other bootloaders besides our U-Boot are currently out of our scope of support, so we don't have any previous tests/guides/examples using barebox for our CST software. Our tools were also designed around our software in this case, but I won't be able to confirm 100% if the process would be the same or if some critical modifications would be needed to ensure barebox compatibility. Is there a particular reason to not use U-boot?

Best regards,
Hector.

0 Kudos
Reply

923 Views
haGkiu
Contributor I

Hello @hector_delgado ,

The company in which I work is using barebox as a boatloder on the project.

Do you have an idea if there is a tool I can use to sign barebox ( to be authenticated by HAB module on imx6 electronic cards).

Best regards,

Moufida.

 

 

0 Kudos
Reply

912 Views
hector_delgado
NXP TechSupport
NXP TechSupport

Hi @haGkiu ,

From previous cases I've found the following link to barebox documentation which apparently has built in support for CST: https://www.barebox.org/doc/latest/boards/imx.html#high-assurance-boot

I can't guarantee full compatibility but I think it's worth to look at.

Thank you.

Best regards,
Hector.

0 Kudos
Reply