FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

[i.MX-RT1170] secure boot: Is it possible to sign the boot image through our HSM?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[i.MX-RT1170] secure boot: Is it possible to sign the boot image through our HSM?

‎04-25-2023 12:18 AM
713 Views
carloswei
Contributor II

Hello,

I have read the doc i.MX RT1170 Secure Boot Modes (AN13250).

The boot image shall be signed by the integrated CST + elftosb (or the provisioning tool). However, in my use case, our RSA private key stores in company's HSM (that cannot export the private key, only signing APIs can be called). Is it possible to sign the boot image through our HSM? In other words, I would like to make use of the RSA public key + image signature to generate bootable image.

So, Is there any method to avoid assigning the private key in the step of bootable image creation?

 

0 Kudos
Reply
4 Replies

‎04-26-2023 09:14 PM
672 Views
haochenwei
Contributor I

Loop my account that was registered by my email of my company.

0 Kudos
Reply

‎04-26-2023 09:02 PM
678 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @carloswei ,

     You mean, the key files generated can't be used in the PC, but it is in the system?

Key files with private keys will be generated in the AN13250_SW\tools\blhost_upload\utils\evkmimxrt1170\cst\keys folder.

    Can you run the cst in your company's HSM directly, then just need to use the SPT generate the encrypted image, then you can download it.

   If the cst generated key file can't be used, it may have issues.

   BTW, next time, please use the company email to create the case, it will have higher priority, thanks.

Best Regards,

Kerry

0 Kudos
Reply

‎04-26-2023 09:09 PM
674 Views
carloswei
Contributor II

Thank for your attention.

 

No, the the HSM cannot run any application. 

I would like to use public key + image signature to pack into the bootable image. There is no private key sharing with CST.

Same with the NXP layerscape, there is the --img_hash in CST (only for layerscape chip) to support my requirement.

refer to https://community.nxp.com/t5/Layerscape/LS1046a-secure-boot-Is-it-possible-to-sign-the-boot-image/m-... 

and 

https://docs.nxp.com/bundle/GUID-487B2E69-BB19-42CB-AC38-7EF18C0FE3AE/page/GUID-701632F2-6D8F-4975-A.....

0 Kudos
Reply

‎04-27-2023 12:12 AM
656 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @carloswei ,

  No, private key is used.

  You are from China, you can read our experience sharing in Chinese:

https://www.nxpic.org.cn/module/forum/thread-629176-1-1.html

  More issues, please use your company email account to create the new question post.

 

Best Regards,

Kerry

0 Kudos
Reply