How to use a smartcard (pkcs11) with create_cert/fiptool

workhero
Associate II

Hi All.

Our target, using the STM32MP153c, shall boot securely. The signing private keys should not be accessible via the filesystem. The secure boot signing is currently implemented with development keys within Yocto. Moving to a productive environment will require using the private secrets from a smart card in a kind of after-Yocto signing script.

Currently all private keys used to sign images are files on the filesystem. To sign the TF-A, the STM32MP_SigningTool_CLI seems capable of using a secret provided via smartcard, but how can this be achieved with create_cert and/or fiptool for signing the FIP image? Especially as the STM32MP_SigningTool_CLI and fiptool should use the same private key (as I expect, because there is only one public key hash in OTP used to verify the signatures by the BootROM and TF-A).

At the moment I do not see any other solution than having the private key on the filesystem, which is not usable in our productive environment. Please hint how to sign the FIP image with an HSM (smart card, libp11, openssl-engine).

Thanks in advance.

KR, workhero

11 REPLIES
SimK
Associate II

It's been a while since I did this, and I didn't check the newest baseline from ST, but back then for kirkstone there was really incomplete support for FIP signing (and no Yocto support for TF-A signing at all).


I had to build and install it for my host environment (HOSTTOOLS) in order to do the "communication" with the host openssl / pkcs11 instance for the ROT key (which is a USB stick in my case).

Clone it from master (https://github.com/ARM-software/arm-trusted-firmware.git) and then get the baseline for your Yocto (e.g. based on the BSP used from ST). I used kirkstone v4, so we used v2.6 and I backported all changes for the cert_create folder of TF-A (a handful of commits).


In case we are signing via PKCS11, I set the CERTTOOL variable to the external "cert_create", which is installed under a different name in our build system:

CERTTOOL = "${@bb.utils.contains('EXTERNAL_SIGN_PKCS11','1','cert_create_ext', 'cert_create',d)}"

FIP_SIGN_KEY then has to point to the URI, like:

pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=xyz;token=xyz;id=%01;object=tfa-pkey00;type=private

I used the STM32MP_KeyGen_CLI to create the keys (for STM32MP13 eight keys):

STM32MP_KeyGen_CLI -abs <path> -pwd <pwd1> <pwd2>... -n8
(this is relatively well documented)

Then import it into your token, e.g. with SoftHSM:
softhsm2-util --import privateKey00.pem --label tfa-pkey00 ....

If you need the info for URI creation, I can recommend p11tool with the option "--list-all". It shows all the info which should be part of the URI.

If I remember correctly you have to import all eight ROT keys (no matter that you use only one selected key for signing) so that the Signing-Tool can use them to create the hash table for fusing at the end.
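The FIP_SIGN_KEY value above is an RFC 7512 PKCS#11 URI, and getting its percent-encoding right (spaces in the model and manufacturer strings, the binary CKA_ID in `id=`) is where hand-written URIs usually break. The following is an added example, not code from the post or from the TF-A/ST tools: it builds such a URI from the attributes p11tool reports, parses one back, and sanity-checks that a URI actually names a single private key object before it is handed to cert_create. The function names are this example's own.

```python
from urllib.parse import quote, unquote, unquote_to_bytes

# Characters RFC 7512 allows unescaped in a path-attribute value, on top of the
# URI "unreserved" set that urllib keeps by default. Space and ';' are not
# among them, which is why "SoftHSM v2" must become "SoftHSM%20v2".
_PATH_SAFE = ":[]@!$'()*+,=&"


def build_pkcs11_uri(attrs):
    """Join path attributes (model, token, object, ...) into a pkcs11: URI.
    'id' is the CKA_ID as bytes and is percent-encoded byte by byte; every
    other value is treated as text."""
    parts = []
    for key, value in attrs.items():
        if key == "id":
            enc = "".join("%%%02X" % b for b in value)
        else:
            enc = quote(value, safe=_PATH_SAFE)
        parts.append(f"{key}={enc}")
    return "pkcs11:" + ";".join(parts)


def parse_pkcs11_uri(uri):
    """Inverse of build_pkcs11_uri for the path part (query attributes such as
    pin-value are dropped on purpose: they do not belong in a build variable)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        key, _, raw = part.partition("=")  # values may themselves contain '='
        attrs[key] = unquote_to_bytes(raw) if key == "id" else unquote(raw)
    return attrs


def check_signing_key_uri(uri):
    """Return the problems that would make the URI unusable or ambiguous as a
    signing-key reference; an empty list means it looks usable."""
    attrs = parse_pkcs11_uri(uri)
    problems = []
    if attrs.get("type") != "private":
        problems.append("type=private missing: must name the private key object")
    if "object" not in attrs and "id" not in attrs:
        problems.append("no object= or id=: key is not identified on the token")
    if not {"token", "serial"} & attrs.keys():
        problems.append("no token= or serial=: ambiguous if several tokens exist")
    return problems
```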
AZaki.2
Associate III

Hi,

We have integrated automated HSM signing (SoftHSM, NitroKey, AWS) for TF-A/FIP/FitImage in the Yocto build.

Please get in touch at info@embetrix.com for commercial support if needed.


Best regards