[i.MX-RT1170] secure boot: Is it possible to sign the boot image through our HSM?


956 Views
carloswei
Contributor II

Hello,

I have read the doc i.MX RT1170 Secure Boot Modes (AN13250).

The boot image shall be signed by the integrated CST + elftosb (or the provisioning tool). However, in my use case, our RSA private key is stored in our company's HSM (which cannot export the private key; only signing APIs can be called). Is it possible to sign the boot image through our HSM? In other words, I would like to make use of the RSA public key + image signature to generate the bootable image.

So, is there any method to avoid assigning the private key in the bootable image creation step?

4 Replies

915 Views
haochenwei
Contributor I

Looping in my account that was registered with my company email.

921 Views
kerryzhou
NXP TechSupport

Hi @carloswei ,

You mean the generated key files can't be used on the PC, but they are in the system?

Key files with private keys will be generated in the AN13250_SW\tools\blhost_upload\utils\evkmimxrt1170\cst\keys folder.

Can you run the cst in your company's HSM directly? Then you just need to use the SPT to generate the encrypted image, and then you can download it.

If the cst-generated key file can't be used, it may have issues.

BTW, next time, please use the company email to create the case; it will have higher priority, thanks.

Best Regards,

Kerry


917 Views
carloswei
Contributor II

Thanks for your attention.

No, the HSM cannot run any application.

I would like to use the public key + image signature to pack into the bootable image. There is no private key shared with CST.

Same as with NXP Layerscape: there is the --img_hash option in CST (only for Layerscape chips) that supports my requirement.

Refer to https://community.nxp.com/t5/Layerscape/LS1046a-secure-boot-Is-it-possible-to-sign-the-boot-image/m-...

and 

https://docs.nxp.com/bundle/GUID-487B2E69-BB19-42CB-AC38-7EF18C0FE3AE/page/GUID-701632F2-6D8F-4975-A.....

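The split the question asks for (digest computed on the build host, signature produced by an HSM that exposes only a sign operation, then public key + detached signature packaged with the image), as an added illustration in Go. This is not CST, elftosb or the i.MX RT boot-image/HAB format; the hsmSigner type, the signedImage layout and the RSA PKCS#1 v1.5 over SHA-256 choice are assumptions of this example only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// hsmSigner stands in for the company HSM (assumption): private key inside, only a sign-the-digest API exposed.
type hsmSigner struct{ priv *rsa.PrivateKey }
// SignDigest signs a precomputed SHA-256 digest with RSA PKCS#1 v1.5; only the
// 32-byte hash crosses into the HSM and the private key never comes out.
func (h *hsmSigner) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("hsm: want %d-byte digest, got %d", sha256.Size, len(digest))
	}
	return rsa.SignPKCS1v15(rand.Reader, h.priv, crypto.SHA256, digest)
}
// signedImage is a constructed stand-in for a bootable image: image bytes, public key, detached signature.
type signedImage struct{ Image []byte; Pub *rsa.PublicKey; Sig []byte }
// buildSignedImage is the build-host side of an --img_hash style flow: hash the image,
// hand only the hash to the signer, then package image + public key + signature.
func buildSignedImage(image []byte, pub *rsa.PublicKey, sign func([]byte) ([]byte, error)) (*signedImage, error) {
	digest := sha256.Sum256(image)
	sig, err := sign(digest[:])
	if err != nil {
		return nil, err
	}
	return &signedImage{Image: image, Pub: pub, Sig: sig}, nil
}
// verifySignedImage mirrors a boot-time check: recompute the digest and verify it
// against the embedded public key and signature.
func verifySignedImage(si *signedImage) bool {
	digest := sha256.Sum256(si.Image)
	return rsa.VerifyPKCS1v15(si.Pub, crypto.SHA256, digest[:], si.Sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key; a real one stays inside the HSM
	si, err := buildSignedImage([]byte("constructed boot image"), &priv.PublicKey, (&hsmSigner{priv}).SignDigest)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:", verifySignedImage(si)) // true
	si.Image[0] ^= 0xff // tamper after signing
	fmt.Println("after tampering:", verifySignedImage(si)) // false
}
```

The build host only ever holds the public key and the returned signature, which is the property the question is after; what the real tool would still need is the vendor's container layout around those two values.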

899 Views
kerryzhou
NXP TechSupport

Hi @carloswei ,

No, the private key is used.

You are from China, so you can read our experience sharing in Chinese:

https://www.nxpic.org.cn/module/forum/thread-629176-1-1.html

For more issues, please use your company email account to create a new question post.

Best Regards,

Kerry
