STM32_Signingtool: Unable to sign tf-a using softhsm (pkcs11)

saman_
Associate

I want to place my signing keys in a secure location, like an HSM or softhsm. Keys get placed, but the given arguments don't work for signing through the secure keys within the object store of PKCS11.

- If I provide my slot, it gives a segmentation fault

 

ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 5407DACB907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
       -------------------------------------------------------------------
                       STM32MP Signing Tool v2.15.0                     
       -------------------------------------------------------------------

 Error: Invalid slot index valueept@de3:~/build/senec/yocto$ 
ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1409800907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
       -------------------------------------------------------------------
                       STM32MP Signing Tool v2.15.0                     
       -------------------------------------------------------------------

+++ PKCS#11 interface +++

Library Info: 
   Manufacturer ID    : SoftHSM                         
   Library Description: Implementation of PKCS11        
   Library Version    : 2.5
   CryptoKi Version   : 2.40
   Slots number       : 2
Segmentation fault

 

- If I use a slot index of zero, it says the object handle isn't done correctly, the same error whether we place the key or not

 

ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 0x64 -si 0 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000 -iv 1
       -------------------------------------------------------------------
                       STM32MP Signing Tool v2.15.0                     
       -------------------------------------------------------------------

+++ PKCS#11 interface +++

Library Info: 
   Manufacturer ID    : SoftHSM                         
   Library Description: Implementation of PKCS11        
   Library Version    : 2.5
   CryptoKi Version   : 2.40
   Slots number       : 2

Slot Info:
   Slot index       : 0
   Manufacturer ID  : SoftHSM project                 
   Description      : SoftHSM slot ID 0x5407dacb                                      
   Hardware version : 2.5
   Firmware version : 2.5
 
Token Info:
   Manufacturer ID  : SoftHSM project                 
   Label            : tfa token                       
   Model            : SoftHSM v2      
   Serial number    : c2533329d407dacb
   PIN min lenght   : 4
   PIN max lenght   : 255
   Hardware version : 2.5
   Firmware version : 2.5

Public key search object : 
   ID      : 0x64
Error: CKR_OBJECT_HANDLE_INVALID
 Error: Cannot extract public key from pkcs11 module !

 

Question:

- Am I using any argument wrong?

- What am I supposed to put in the key-index argument? I have tried with 1 and also with the object ID of the placed keys

- Will this -pwd argument serve as the SO/user pin for accessing secure keys?

Following: https://wiki.st.com/stm32mpu/wiki/Signing_tool#Additional_PKCS-2311_commands

#STM32MP_SigningTool

Aziz BRIGUI
ST Employee

Hello @saman_,

Could you try testing with STM32CubeProgrammer v2.17 and get back to us with the results ?

Thanks in advance,

Aziz


In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

It's the same with both cases:

ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1409800907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
       -------------------------------------------------------------------
                       STM32MP Signing Tool v2.17.0                     
       -------------------------------------------------------------------

+++ PKCS#11 interface +++

Library Info: 
   Manufacturer ID    : SoftHSM                         
   Library Description: Implementation of PKCS11        
   Library Version    : 2.5
   CryptoKi Version   : 2.40
   Slots number       : 2
Segmentation fault

Hello @saman_ ,

Sorry for the late reply, missed your comment initially.

Your observation is correct since Signing Tool for now takes in the slot offset (not the identifier). A change request is submitted internally under Ticket 196625 and will be available in STM32CubeProgrammer v2.19.

For now, you can put in the offset after the -si option. For example, if it's the first slot you created, the full command should look like this:

STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000

Hope this helps,

Aziz

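An added example (not ST's or SoftHSM's code) that makes the slot-offset versus slot-ID point from the reply above concrete. The slot ID SoftHSM prints for the token slot, 0x5407dacb, is 1409800907 in decimal, which is exactly the value the segfaulting command passed to -si; the tool instead wants the slot's position in the PKCS#11 slot list. The slot table and the "Slot Info" excerpt below are constructed from the output quoted in the thread, and the second slot ID is hypothetical. The tool's own listing in the thread numbers the token slot 0 while the reply suggests 1 for the first created slot, so verify the offset against the tool's printed "Slot index" rather than assuming a base.

```python
"""Resolve the STM32MP_SigningTool_CLI '-si' value for a SoftHSM slot.

Added example, not ST's or SoftHSM's code. Per the thread, the tool expects
the slot *offset* in the PKCS#11 slot list, not the PKCS#11 slot ID that
SoftHSM prints. Stdlib only; all inputs are constructed from the thread.
"""
import re

# Constructed: slot IDs in the order C_GetSlotList would return them. The
# first is the 'tfa token' slot from the thread (0x5407dacb); the second is a
# hypothetical ID standing in for the empty slot SoftHSM v2 appends.
SOFTHSM_SLOT_IDS = [0x5407DACB, 0x7FFFFFFF]

# Constructed excerpt in the Signing Tool's own 'Slot Info' layout.
SIGNING_TOOL_OUTPUT = """\
Slot Info:
   Slot index       : 0
   Manufacturer ID  : SoftHSM project
   Description      : SoftHSM slot ID 0x5407dacb
   Hardware version : 2.5
   Firmware version : 2.5
"""


def parse_slot_info(text):
    """Return {slot_index: slot_id} parsed from the tool's 'Slot Info' blocks."""
    result = {}
    index = None
    for line in text.splitlines():
        m = re.match(r"\s*Slot index\s*:\s*(\d+)", line)
        if m:
            index = int(m.group(1))
            continue
        m = re.match(r"\s*Description\s*:\s*SoftHSM slot ID 0x([0-9a-fA-F]+)", line)
        if m and index is not None:
            result[index] = int(m.group(1), 16)
            index = None
    return result


def resolve_slot_arg(value, slot_ids):
    """Map the text typed after -si to a slot offset.

    Returns (offset, reason). Accepts an offset directly, or a slot ID in
    decimal or 0x-hex (the thread's '1409800907' is 0x5407dacb in decimal)
    and translates it to the offset the tool expects. Anything that matches
    neither yields (None, 'Invalid slot index value'), the tool's own wording.
    """
    try:
        n = int(value, 0)  # handles '0', '0x5407dacb' and '1409800907'
    except ValueError:     # e.g. the thread's '5407DACB907' (hex digits, no 0x)
        return None, "Invalid slot index value"
    if 0 <= n < len(slot_ids):
        return n, "offset"
    if n in slot_ids:
        return slot_ids.index(n), "slot ID translated to offset"
    return None, "Invalid slot index value"


if __name__ == "__main__":
    print("parsed from tool output:", parse_slot_info(SIGNING_TOOL_OUTPUT))
    # The three -si values tried in the thread, plus the hex form of the ID.
    for arg in ("5407DACB907", "1409800907", "0", "0x5407dacb"):
        print(f"-si {arg!r:>14} -> {resolve_slot_arg(arg, SOFTHSM_SLOT_IDS)}")
```

Run it as-is to see the three values from the thread classified; drop your own tool output into SIGNING_TOOL_OUTPUT and the real slot list into SOFTHSM_SLOT_IDS to check a -si value before invoking the Signing Tool, since the tool itself crashed rather than reporting the out-of-range value.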