
code signing tool with hardware security module

Question asked by lwn on Aug 25, 2017
Latest reply on May 23, 2018 by Marouene Boubakri



The code-signing tool (CST) requires access to private/public keys for generating the secure boot headers.

However, needing to have private key files in plain text on the file system in order to use CST is rather bad.


Private/privileged cryptographic material should be generated and accessible only within a secured environment like a hardware security module (HSM).


Is there (eventually going to be) any support in the CST to hand off RSA operations with private keys to an HSM?

Right now, there is always this loose end at the very beginning of the trusted boot chain, which contradicts best practices from a security standpoint.


u-boot/mkimage already has such capabilities: "Add support for signing with pkcs11" (commit f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea)


Thank you!