- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
i.MX8MP Secure boot - HAB errors using HSM Signatures
06-24-2025
05:27 AM
1,341 次查看
Hi NXP,
I'm working on enabling secure boot on a board based on the i.MX8M Plus.
Secure boot works correctly when using certificates, keys, and signatures generated with the CST Tool version 4.0.0. Running hab_status shows no events in this case.
However, on another board, when we attempt the secure boot process using certificates, keys, and signatures generated in our internal PKI environment, hab_status reports multiple errors.
Below, I’ve included the CSF files and the HAB events we’re encountering. We are using "HSM Mode" and have configured the signature size accordingly.
We would like to understand which options or parameters we should use when generating signatures—particularly if we want to simulate the process using an OpenSSL command.
Thank you in advance for your support.
Best regards,
Christophe Guerreiro
4 回复数
08-08-2025
06:11 AM
799 次查看
So, here an update.
It appears that when using 4 certificates, the SRK_TABLE is bigger.
As our signature are big, this leads on big CSF Binary and get overlapped as some Memory zone are used for other functions.
We need to try to reduce the CMS content as it was recommended.
I will update the ticket here once this is done.
07-04-2025
03:50 AM
1,162 次查看
marouene_boubak
NXP Employee
Hi @se_cguerr,
CC @anda_despotovici, @ZeeFrench,
Following our call yesterday, we were able to successfully simulate your use case, and we have a properly signed image.
To answer your questions above, here is example command to generate CMS signature with OpenSSL:
openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -in ${csf_sigreq_file} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txtI assume for this one you have the same command as shown during the call.
As per your request here is the command to verify the generated signature:
openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txtDuplicate these commands for IMG.
Duplicate signing process for SPL & FIT.
In my case, the size of output signature size is 509 bytes.
Therefore I modify my CSF headers and set
[Header]
<snip>
Signature Size = 509
Regarding the current limitation of your signing room—which only supports signing a provided hash and not raw content, there’s an important update worth noting. As of OpenSSL >= 3.2, an undocumented feature allows you to pass a precomputed hash using the -digest option.
I’ve tested this on my side, and it works as expected.
Updated Signing Process:
Compute the hash of the content externally.
csf_sigreq_digest=$(openssl dgst -sha256 ${csf_sigreq_file} | awk '{printf $2}')Sign the precomputed hash using the -digest option.
$OPENSSL_PATH/openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -digest ${csf_sigreq_digest} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txtVerify:
$OPENSSL_PATH/openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txt
I hope this helps. Let us know if this works for you.
Best
Maro
回复
06-24-2025
07:21 AM
1,298 次查看
anda_despotovic
NXP Employee
Hello,
I am not able to see the CSF files and HAB events mentioned in the description. Could you please confirm if you have followed the procedure described in CST UG in chapter Using CST with Hardware Security Module? If not, is anything that requires a different approach on your side? Thank you.
Anda
06-24-2025
07:51 AM
1,287 次查看
See below files mentionned in my first post.
I've read the UG10106.
We are using the CST in HSM mode while we get a signature request. We inject back the signature on the appropriate unique tag and rebuild the flash.bin file.
This procedure works with certificates/keys generated from CST.
We don't use PKCS#11 in our case. We are using a signing room.
Thanks for your fast reply.
Regards,
Christophe
