
code signing tool with hardware security module

Question asked by lwn on Aug 25, 2017
Latest reply on May 23, 2018 by Marouene Boubakri

Hello,

 

The code-signing-tool requires access to private/public keys for generating the secure boot headers.

However, the need for having private key files in plain text on the file system for using CST is rather bad.

 

Private/privileged cryptographic material should be generated and accessible only within a secured environment like a hardware-security-module.

 

Is there (eventually going to be) any support in the CST to hand off RSA operations with private keys to a HSM?

Right now, there is always this loose end at the very beginning of the trusted-boot-chain, which contradicts best practices from a security standpoint.

 

u-boot/mkimage already has such capabilities: Add support for signing with pkcs11 -> http://git.denx.de/?p=u-boot.git;a=commit;h=f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea

 

Thank you!
