ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

i.MX8MP Secure boot - HAB errors using HSM Signatures

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

i.MX8MP Secure boot - HAB errors using HSM Signatures

‎06-24-2025 05:27 AM
935件の閲覧回数
se_cguerr
Contributor III

Hi NXP,

I'm working on enabling secure boot on a board based on the i.MX8M Plus.

Secure boot works correctly when using certificates, keys, and signatures generated with the CST Tool version 4.0.0. Running hab_status shows no events in this case.

However, on another board, when we attempt the secure boot process using certificates, keys, and signatures generated in our internal PKI environment, hab_status reports multiple errors.

Below, I’ve included the CSF files and the HAB events we’re encountering. We are using "HSM Mode" and have configured the signature size accordingly.

We would like to understand which options or parameters we should use when generating signatures—particularly if we want to simulate the process using an OpenSSL command.

Thank you in advance for your support.

Best regards,
Christophe Guerreiro

ラベル(2)
0 件の賞賛
返信
4 返答(返信)

‎08-08-2025 06:11 AM
393件の閲覧回数
se_cguerr
Contributor III

So, here an update.

It appears that when using 4 certificates, the SRK_TABLE is bigger.
As our signature are big, this leads on big CSF Binary and get overlapped as some Memory zone are used for other functions.

We need to try to reduce the CMS content as it was recommended.

I will update the ticket here once this is done.

0 件の賞賛
返信

‎07-04-2025 03:50 AM
756件の閲覧回数
marouene_boubakri
NXP Employee
NXP Employee

Hi @se_cguerr,

CC @anda_despotovici@ZeeFrench,

Following our call yesterday, we were able to successfully simulate your use case, and we have a properly signed image.

To answer your questions above, here is example command to generate CMS signature with OpenSSL:

openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -in ${csf_sigreq_file} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txt

 I assume for this one you have the same command as shown during the call.

As per your request here is the command to verify the generated signature:

openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txt

Duplicate these commands for IMG.

Duplicate signing process for SPL & FIT.

In my case, the size of output signature size is 509 bytes.

Therefore I modify my CSF headers and set 

[Header]
<snip>
   Signature Size = 509


Regarding the current limitation of your signing room—which only supports signing a provided hash and not raw content, there’s an important update worth noting. As of OpenSSL >= 3.2, an undocumented feature allows you to pass a precomputed hash using the -digest option.

I’ve tested this on my side, and it works as expected.

Updated Signing Process:

Compute the hash of the content externally.

csf_sigreq_digest=$(openssl dgst -sha256 ${csf_sigreq_file} | awk '{printf $2}')

Sign the precomputed hash using the -digest option.

$OPENSSL_PATH/openssl cms -sign -md sha256 -outform DER -nosmimecap -nocerts -binary -digest ${csf_sigreq_digest} -out ${csf_sig_file} -signer ${csf_crt} -inkey ${csf_key} -passin file:../keys/key_pass.txt

Verify:

$OPENSSL_PATH/openssl cms -verify -in ${csf_sig_file} -inform DER -binary -content ${csf_sigreq_file} -certsout /dev/null -certfile ${csf_crt} -noverify -out verified_csf_output.txt


I hope this helps. Let us know if this works for you.

Best
Maro

返信

‎06-24-2025 07:21 AM
892件の閲覧回数
anda_despotovici
NXP Employee
NXP Employee

Hello,

 

I am not able to see the CSF files and HAB events mentioned in the description. Could you please confirm if you have followed the procedure described in CST UG in chapter Using CST with Hardware Security Module? If not, is anything that requires a different approach on your side? Thank you.

 

Anda

0 件の賞賛
返信

‎06-24-2025 07:51 AM
881件の閲覧回数
se_cguerr
Contributor III

See below files mentionned in my first post.

I've read the UG10106. 

We are using the CST in HSM mode while we get a signature request. We inject back the signature on the appropriate unique tag and rebuild the flash.bin file.

This  procedure works with certificates/keys generated from CST.

We don't use PKCS#11 in our case. We are using a signing room.

Thanks for your fast reply.

Regards,
Christophe

ファイルをプレビュー
1 KB
ファイルをプレビュー
1 KB
ファイルをプレビュー
3 KB
0 件の賞賛
返信