Verifying Code Signing Tool (CST) Output on i.MX6SX

shauntomaszewsk · ‎05-15-2017

Hello,

We are in the process of integrating an HSM with NXP's Code Signing Tool (CST). We replaced the libbackend.a with calls for our HSM.

We were able to get the CST to sign successfully using our HSM.

Is there a way to verify the output of the CST executable? We did not see one. Ideally we would be able to verify our image without having to load it on an i.MX6SX processor every time. We would like to automate the signing/verifying process and manually having to load it on the i.MX6SX processor would slow that down.

lwn · ‎08-28-2017

Hello,

u-boot/mkimage recently too gained such capabilities: Add support for signing with pkcs11 -> http://git.denx.de/?p=u-boot.git;a=commit;h=f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea

What kind of interface/protocol did you use to connect to your HSM from CST? pkcs11?

Thanks!

Yuri · ‎05-22-2017

Hello,

We do not have tools to test the CST outputs - the using i.MX6SX target for checking

is the best way.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------