Hello,
I have read the doc i.MX RT1170 Secure Boot Modes (AN13250).
The boot image shall be signed by the integrated CST + elftosb (or the provisioning tool). However, in my use case, our RSA private key is stored in the company's HSM (which cannot export the private key; only signing APIs can be called). Is it possible to sign the boot image through our HSM? In other words, I would like to make use of the RSA public key + image signature to generate the bootable image.
So, is there any method to avoid assigning the private key in the step of bootable image creation?
Looping in my account that was registered with my company email.
Hi @carloswei ,
You mean, the key files generated can't be used in the PC, but it is in the system?
Key files with private keys will be generated in the AN13250_SW\tools\blhost_upload\utils\evkmimxrt1170\cst\keys folder.
Can you run the cst in your company's HSM directly? Then you just need to use the SPT to generate the encrypted image, and then you can download it.
If the cst generated key file can't be used, it may have issues.
BTW, next time, please use the company email to create the case, it will have higher priority, thanks.
Best Regards,
Kerry
Thanks for your attention.
No, the HSM cannot run any application.
I would like to use public key + image signature to pack into the bootable image. There is no private key sharing with CST.
Same as with the NXP Layerscape, there is the --img_hash in CST (only for Layerscape chips) to support my requirement.
and
Hi @carloswei ,
No, private key is used.
You are from China, you can read our experience sharing in Chinese:
https://www.nxpic.org.cn/module/forum/thread-629176-1-1.html
For more issues, please use your company email account to create a new question post.
Best Regards,
Kerry
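
The split the question asks for (digest computed on the build host, signature returned by the HSM, only the public key and signature used afterwards), as an added example that is not part of the thread and does not show NXP CST or elftosb behaviour. `StubHsm`, its demo key and the sample image are constructed stand-ins for a real HSM signing API; the padding is RSASSA-PKCS1-v1_5 with SHA-256.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(digest: bytes, k: int) -> int:
    """Encode a SHA-256 digest as 00 01 FF..FF 00 DigestInfo, k bytes long."""
    t = SHA256_PREFIX + digest
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

class StubHsm:
    """Hypothetical HSM stand-in: exposes n, e and sign_digest() only."""
    def __init__(self):
        # Constructed demo key built from two Mersenne primes. NOT secure.
        p, q = 2**521 - 1, 2**607 - 1
        self.n, self.e = p * q, 65537
        self._d = pow(self.e, -1, (p - 1) * (q - 1))  # stays inside the "HSM"

    def sign_digest(self, digest: bytes) -> bytes:
        if len(digest) != 32:
            raise ValueError("expected a 32-byte SHA-256 digest")
        k = (self.n.bit_length() + 7) // 8
        return pow(emsa_pkcs1_v15(digest, k), self._d, self.n).to_bytes(k, "big")

def verify(image: bytes, signature: bytes, n: int, e: int) -> bool:
    """Check a signature over the image using the public key only."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    expected = emsa_pkcs1_v15(hashlib.sha256(image).digest(), k)
    return pow(s, e, n) == expected

def sign_image_via_hsm(image: bytes, hsm: StubHsm):
    """Build-host side: only the 32-byte digest is sent to the HSM."""
    digest = hashlib.sha256(image).digest()
    signature = hsm.sign_digest(digest)
    if not verify(image, signature, hsm.n, hsm.e):
        raise RuntimeError("HSM returned a signature that does not verify")
    return digest, signature

# Constructed sample image bytes, not a real boot image.
IMAGE = b"constructed-boot-image-payload" * 64
```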