FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to use a smartcard (pkcs11) with create_cert/fiptool

workhero
Associate II

‎2022-11-18 04:50 AM

Hi All.

Our target, using the STM32MP153c, shall boot secure. The signing private keys should not be accessible via the filesystem. The secure boot signing is implemented with development keys within yocto at moment. Moving to productive environment will need to use the private secrets from a smart card in a kind of after-yocto signing script.

Currently all private keys used to sign images are in files on filesystem. To sign the TF-A the STM32MP_SigningTool_CLI seems to be feasible of using a secret provided via smartcard, but how to achieve this with the create_cert and/or fiptool for signing the fip image? Especially as the STM32MP_SigningTool_CLI and fiptool should use the same private key. (from my expectation because there is only one public key hash in OTP used to verify the signatures by bootrom and tf-a).

At moment I do not see any other solution then having the private key in filesystem what is not useable in our productive environment. Please hint how to sign the fip image with a HSM (smart card, libp11, openssl-engine).

Thanks in advance.

KR, workhero

Labels:
0 Kudos
15 REPLIES 15
SimK
Associate II

‎2024-10-01 06:08 AM

It's a while since i did this, i didn't check the newest baseline from ST, but back then for kirkstone it was really incomplete support for FIP signing (and no yocto support for TF-A signing at all).

 

I had to build and install it for my host environment (HOSTTOOLS) in order to do the "communication" with the host openssl / pkcs11 instance for the ROT key (which is an USB stick in my case).

Clone it from master (https://github.com/ARM-software/arm-trusted-firmware.git) and then get the baseline for your yocto (e.g. based on the used BSP from ST). I used kirkstone v4 so we used v2.6 and i backported all changes for the cert_create folder of tf-a. (a handfull commits).


in case we are signing via PKCS11 i set the CERTTOOL variable to the external "cert_create", which is installed under a different name in our build system:

CERTTOOL = "${@bb.utils.contains('EXTERNAL_SIGN_PKCS11','1','cert_create_ext', 'cert_create',d)}"

FIP_SIGN_KEY has then to point to the URI like

pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=xyz;token=xyz;id=%01;object=tfa-pkey00;type=private

i used the STM32MP_KeyGen_CLI to create the keys (for STM32MP13 eight keys):

STM32MP_KeyGen_CLI -abs <path> -pwd <pwd1> <pwd2>... -n8
(this is relatively good documented)
 
then import it into your token, e.g with softhsm
softhsm2-util --import privateKey00.pem --label tfa-pkey00 ....
 
if you need the infos for URI creation i can recommend the p11tool with the option "--list-all". It shows all infos which should be part of the URI.
 
If i remember correctly you have to import all eight ROT keys (no matter that you use only one selected key for signing) so that the Signing-Tool can use them to create the hashtable for fusing at the end.
0 Kudos
AZaki.2
Associate III

‎2024-10-01 06:17 AM - edited ‎2024-10-01 06:36 AM

Hi,

 

we have integrated automated HSM Signing (SoftHSM, NitroKey, AWS) for TF-A/FIP/FitImage in Yocto Build,

Please get in touch on info@embetrix.com for Commercial Support if needed.

 

Best regards 

0 Kudos
GatienC
ST Employee

‎2024-12-05 08:56 AM - edited ‎2024-12-05 08:57 AM

Hello, I made a guide using SoftHSM as the external HSM. This example uses a PKCS11 engine. Please have a look here: Signing a software using an external HSM.

 

Hope this helps. Note that some OpenSSLV1.x version will need the following patch: Certtool patch 

0 Kudos
SimK
Associate II
In response to GatienC

‎2024-12-05 11:28 PM

Hi, thank you for the article. The real effort for us was not using PKCS but building the signing into the Yocto build process, at least for kirkstone there was nothing. It would be nice if complete signing of TF-A and FIP could be incorporated into the BSP. We were able to add everything to the existing tasks thanks to Yocto's prepend/append mechanism, but it was a bit of effort. 

And ST could consider disclosing the source code of the signing tool so that you can see directly what is happening.

0 Kudos
AZaki.2
Associate III
In response to SimK

‎2024-12-05 11:58 PM

Hi, We have developed an alternative BSP layer for the STM32MP15x platform:
 
Secure Boot Chain of Trust, fully implemented signing for:
TF-A → FIP (Optee + U-Boot) → FitImage → Kernel Modules
 
It also Utilizes a reverse-engineered Python tool, stm32mp-keygen, instead of ST's official signing tools.

 

It's Lightweight and Flexible and seamlessly integrates into Yocto builds and Docker-based containerized build environments.
 
Comprehensive build instructions are provided n README for easy setup.

 

Premium Offering:
For paying customers, we also provide HSM-based signing solutions for enhanced security and compliance.

 

If you’re interested in leveraging this solution and security-focused BSP layer or the advanced HSM signing capabilities, feel free to reach out at : info@embetrix.com
0 Kudos
AZaki.2
Associate III

‎2024-12-17 10:36 AM - edited ‎2024-12-17 10:37 AM

I'm pleased to share stm32mp-sign-tool with the community :
 
It is a lightweight open-source alternative to STM32_SigningTool_CLI that does not require the full STM32CubeProgrammer installation and dependencies.

0 Kudos
Top