i.MX8MP Secure boot - HAB errors using HSM Signatures

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

i.MX8MP Secure boot - HAB errors using HSM Signatures

1,194 次查看
se_cguerr
Contributor III

Hi NXP,

I'm working on enabling secure boot on a board based on the i.MX8M Plus.

Secure boot works correctly when using certificates, keys, and signatures generated with the CST Tool version 4.0.0. Running hab_status shows no events in this case.

However, on another board, when we attempt the secure boot process using certificates, keys, and signatures generated in our internal PKI environment, hab_status reports multiple errors.

Below, I’ve included the CSF files and the HAB events we’re encountering. We are using "HSM Mode" and have configured the signature size accordingly.

We would like to understand which options or parameters we should use when generating signatures—particularly if we want to simulate the process using an OpenSSL command.

Thank you in advance for your support.

Best regards,
Christophe Guerreiro

0 项奖励
回复
4 回复数

652 次查看
se_cguerr
Contributor III

So, here an update.

It appears that when using 4 certificates, the SRK_TABLE is bigger.
As our signature are big, this leads on big CSF Binary and get overlapped as some Memory zone are used for other functions.

We need to try to reduce the CMS content as it was recommended.

I will update the ticket here once this is done.

0 项奖励
回复

1,015 次查看
marouene_boubakri
NXP Employee
NXP Employee

Hi @se_cguerr,

CC @anda_despotovici@ZeeFrench,

Following our call yesterday, we were able to successfully simulate your use case, and we have a properly signed image.

To answer your questions above, here is example command to generate CMS signature with OpenSSL:

openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -in ${csf_sigreq_file} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txt

 I assume for this one you have the same command as shown during the call.

As per your request here is the command to verify the generated signature:

openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txt

Duplicate these commands for IMG.

Duplicate signing process for SPL & FIT.

In my case, the size of output signature size is 509 bytes.

Therefore I modify my CSF headers and set 

[Header]
<snip>
   Signature Size = 509


Regarding the current limitation of your signing room—which only supports signing a provided hash and not raw content, there’s an important update worth noting. As of OpenSSL >= 3.2, an undocumented feature allows you to pass a precomputed hash using the -digest option.

I’ve tested this on my side, and it works as expected.

Updated Signing Process:

Compute the hash of the content externally.

csf_sigreq_digest=$(openssl dgst -sha256 ${csf_sigreq_file} | awk '{printf $2}')

Sign the precomputed hash using the -digest option.

$OPENSSL_PATH/openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -digest ${csf_sigreq_digest} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txt

Verify:

$OPENSSL_PATH/openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txt


I hope this helps. Let us know if this works for you.

Best
Maro

1,151 次查看
anda_despotovici
NXP Employee
NXP Employee

Hello,

 

I am not able to see the CSF files and HAB events mentioned in the description. Could you please confirm if you have followed the procedure described in CST UG in chapter Using CST with Hardware Security Module? If not, is anything that requires a different approach on your side? Thank you.

 

Anda

0 项奖励
回复

1,140 次查看
se_cguerr
Contributor III

See below files mentionned in my first post.

I've read the UG10106. 

We are using the CST in HSM mode while we get a signature request. We inject back the signature on the appropriate unique tag and rebuild the flash.bin file.

This  procedure works with certificates/keys generated from CST.

We don't use PKCS#11 in our case. We are using a signing room.

Thanks for your fast reply.

Regards,
Christophe

0 项奖励
回复