2024-11-11 12:12 AM - edited 2024-11-11 01:29 AM
I want to place my signing keys in a secure location, like an HSM or SoftHSM. The keys get placed, but the given arguments don't work for signing through the secure keys within the object store of PKCS11.
- If I provide my slot, it gives a segmentation fault
ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 5407DACB907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
-------------------------------------------------------------------
STM32MP Signing Tool v2.15.0
-------------------------------------------------------------------
Error: Invalid slot index valueept@de3:~/build/senec/yocto$
ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1409800907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
-------------------------------------------------------------------
STM32MP Signing Tool v2.15.0
-------------------------------------------------------------------
+++ PKCS#11 interface +++
Library Info:
Manufacturer ID : SoftHSM
Library Description: Implementation of PKCS11
Library Version : 2.5
CryptoKi Version : 2.40
Slots number : 2
Segmentation fault
- If I set the slot index to zero, it says the object handle isn't done correctly; same error whether we place the key or not
ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 0x64 -si 0 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000 -iv 1
-------------------------------------------------------------------
STM32MP Signing Tool v2.15.0
-------------------------------------------------------------------
+++ PKCS#11 interface +++
Library Info:
Manufacturer ID : SoftHSM
Library Description: Implementation of PKCS11
Library Version : 2.5
CryptoKi Version : 2.40
Slots number : 2
Slot Info:
Slot index : 0
Manufacturer ID : SoftHSM project
Description : SoftHSM slot ID 0x5407dacb
Hardware version : 2.5
Firmware version : 2.5
Token Info:
Manufacturer ID : SoftHSM project
Label : tfa token
Model : SoftHSM v2
Serial number : c2533329d407dacb
PIN min lenght : 4
PIN max lenght : 255
Hardware version : 2.5
Firmware version : 2.5
Public key search object :
ID : 0x64
Error: CKR_OBJECT_HANDLE_INVALID
Error: Cannot extract public key from pkcs11 module !
Question:
- Am I using any argument wrong?
- What am I supposed to put in the key-index argument? I have tried with 1 and also with the object ID of the placed keys.
- Will this -pwd argument serve as the SO/user pin for accessing secure keys?
Following: https://wiki.st.com/stm32mpu/wiki/Signing_tool#Additional_PKCS-2311_commands
#STM32MP_SigningTool
2024-11-18 07:06 AM
Hello @saman_,
Could you try testing with STM32CubeProgrammer v2.17 and get back to us with the results?
Thanks in advance,
Aziz
2024-11-19 11:30 AM
It's the same with both cases:
ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1409800907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
-------------------------------------------------------------------
STM32MP Signing Tool v2.17.0
-------------------------------------------------------------------
+++ PKCS#11 interface +++
Library Info:
Manufacturer ID : SoftHSM
Library Description: Implementation of PKCS11
Library Version : 2.5
CryptoKi Version : 2.40
Slots number : 2
Segmentation fault