The code-signing-tool requires access to private/public keys for generating the secure boot headers.
However, the need for having private key files in plain text on the file system for using CST is rather bad.
Private/privileged cryptographic material should be generated and accessible only within a secured environment like a hardware-security-module.
Is there (eventually going to be) any support in the CST to hand off RSA operations with private keys to an HSM?
Right now, there is always this loose end at the very beginning of the trusted-boot-chain, which contradicts best practices from a security standpoint.
u-boot/mkimage already has such capabilities: Add support for signing with pkcs11 -> http://git.denx.de/?p=u-boot.git;a=commit;h=f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea