CST signing
In order to do CST signing for i.MX based devices, the following actions/configurations are required:
- The product is created with a configuration that supports (A)HAB trees and signing.
- The product operation SignHAB has been configured.
HAB based products
Product configuration for HAB based products
CST signing uses the HAB tree generated during product creation.
- Create the product for the HAB tree and the CST signing operation.
- Check the product for CST signing.
The HAB tree keys CSF and IMG under SRK0 are used.
The system detects whether the input file is an SPL or a FIT image and then uses the appropriate CSF template.
SPL CSF template:
```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = <ENGINE>
[Install SRK]
File = "<SRK_TABLE_PATH>"
Source index = 0
[Install CSFK]
File = "pkcs11:token=<TOKEN>;object=<CSF_X509_LABEL>;type=cert;pin-source=./token"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = MID
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "pkcs11:token=<TOKEN>;object=<IMG_X509_LABEL>;type=cert;pin-source=./token"
[Authenticate Data]
Verification index = 2
# Address Offset Length Data File Path
Blocks = <BLOCKS> "<FILENAME>"
```
FIT CSF template:
```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = <ENGINE>
[Install SRK]
File = "<SRK_TABLE_PATH>"
Source index = 0
[Install CSFK]
File = "pkcs11:token=<TOKEN>;object=<CSF_X509_LABEL>;type=cert;pin-source=./token"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "pkcs11:token=<TOKEN>;object=<IMG_X509_LABEL>;type=cert;pin-source=./token"
[Authenticate Data]
Verification index = 2
# Address Offset Length Data File Path
Blocks = <BLOCKS> "<FILENAME>"
```
Input data for CST signing
The input is either an SPL or a FIT image.
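The detection step described above (SPL or FIT in, matching CSF template out) as an added example; this is not the signing service's own code, and everything it assumes about the image formats is listed in the docstring and marked in the comments (the FDT magic for FIT, the IVT header and self/csf fields for SPL, the candidate IVT offsets, and that a FIT needs a caller-supplied load address). The sample images and parameter values are constructed for the example.

```python
"""Added example, not the signing service's own code: classify the input as SPL
or FIT and fill the matching HAB CSF template from the page.

Assumptions not stated on the page: a FIT image is a flattened device tree, so
it starts with the big-endian FDT magic 0xD00DFEED and carries its totalsize at
bytes 4..7; an SPL image has a HAB IVT (tag 0xD1, big-endian length 0x0020,
version 0x40/0x41) at file offset 0x0 or 0x400 whose little-endian self/csf
fields bound the signed block (Blocks = self, IVT offset, csf - self); for a FIT
the caller supplies the load address and only the FIT blob itself is covered.
"""
import struct

FDT_MAGIC = 0xD00DFEED
IVT_TAG, IVT_LEN, IVT_VERSIONS = 0xD1, 0x20, (0x40, 0x41)
IVT_CANDIDATE_OFFSETS = (0x0, 0x400)  # assumption: IVT at 0x0 or 0x400

# The page's SPL and FIT templates differ only by the [Unlock] command,
# so the CSF is assembled from shared pieces instead of two copies.
CSF_HEAD = [
    "[Header]", "Version = 4.1", "Hash Algorithm = sha256", "Engine Configuration = 0",
    "Certificate Format = X509", "Signature Format = CMS", "Engine = <ENGINE>",
    "[Install SRK]", 'File = "<SRK_TABLE_PATH>"', "Source index = 0",
    "[Install CSFK]",
    'File = "pkcs11:token=<TOKEN>;object=<CSF_X509_LABEL>;type=cert;pin-source=./token"',
    "[Authenticate CSF]",
]
SPL_UNLOCK = ["[Unlock]", "Engine = CAAM", "Features = MID"]
CSF_TAIL = [
    "[Install Key]", "Verification index = 0", "Target index = 2",
    'File = "pkcs11:token=<TOKEN>;object=<IMG_X509_LABEL>;type=cert;pin-source=./token"',
    "[Authenticate Data]", "Verification index = 2", 'Blocks = <BLOCKS> "<FILENAME>"',
]


def find_ivt(data):
    """Return the file offset of the HAB IVT, or None if no IVT header is found."""
    for off in IVT_CANDIDATE_OFFSETS:
        hdr = data[off:off + 4]
        if (len(hdr) == 4 and hdr[0] == IVT_TAG
                and struct.unpack(">H", hdr[1:3])[0] == IVT_LEN and hdr[3] in IVT_VERSIONS):
            return off
    return None


def detect_image_type(data):
    """Classify the input as 'FIT' or 'SPL'; anything else is rejected."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FDT_MAGIC:
        return "FIT"
    if find_ivt(data) is not None:
        return "SPL"
    raise ValueError("input is neither a FIT image nor an SPL image with an IVT")


def hab_blocks_for_spl(data):
    """Derive (address, offset, length) for the SPL Blocks entry from the IVT."""
    off = find_ivt(data)
    # IVT layout (assumed): header, entry, reserved1, dcd, boot_data, self, csf, reserved2
    fields = struct.unpack_from("<8I", data, off)
    self_addr, csf_addr = fields[5], fields[6]
    length = csf_addr - self_addr
    if length <= 0 or off + length > len(data):
        raise ValueError("IVT self/csf addresses do not bound the data in this file")
    return self_addr, off, length


def render_csf(data, filename, params, fit_load_addr=None):
    """Fill the page's placeholders and return the CSF text for this input."""
    kind = detect_image_type(data)
    if kind == "SPL":
        lines = CSF_HEAD + SPL_UNLOCK + CSF_TAIL
        addr, off, length = hab_blocks_for_spl(data)
    else:
        if fit_load_addr is None:
            raise ValueError("FIT images need the load address for the Blocks entry")
        lines = CSF_HEAD + CSF_TAIL
        addr, off, length = fit_load_addr, 0, struct.unpack(">I", data[4:8])[0]
    values = dict(params, FILENAME=filename, BLOCKS=f"0x{addr:08x} 0x{off:08x} 0x{length:08x}")
    text = "\n".join(lines) + "\n"
    for key, val in values.items():
        text = text.replace(f"<{key}>", val)
    if "<" in text:  # every placeholder must be filled before the CSF is handed to CST
        raise ValueError("unfilled placeholder in CSF")
    return text


# Constructed sample inputs (not real images): an SPL whose IVT at offset 0 says the
# data runs 0x1000 bytes up to the CSF, and a bare FIT header with totalsize 0x200.
SAMPLE_SPL = (b"\xd1\x00\x20\x41" + struct.pack(
    "<7I", 0x00910100, 0, 0, 0x00910020, 0x00910000, 0x00911000, 0)).ljust(0x1000, b"\0")
SAMPLE_FIT = struct.pack(">II", FDT_MAGIC, 0x200).ljust(0x200, b"\0")
SAMPLE_PARAMS = {"ENGINE": "SW", "SRK_TABLE_PATH": "SRK_1_2_3_4_table.bin",
                 "TOKEN": "signing-token", "CSF_X509_LABEL": "csf0", "IMG_X509_LABEL": "img0"}

if __name__ == "__main__":
    print(render_csf(SAMPLE_SPL, "u-boot-spl.bin", SAMPLE_PARAMS))
    print(render_csf(SAMPLE_FIT, "u-boot.itb", SAMPLE_PARAMS, fit_load_addr=0x40480000))
```

The SPL path refuses to emit a CSF when the IVT's self/csf addresses do not describe data that is actually present in the file, since a Blocks entry that overruns the input would produce a signature over the wrong bytes; the FIT path covers only the FIT blob itself, so any additional blocks for the loadables inside it still have to be added the way the signing flow for the board expects.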
Example usage with reference client package: CST signing
NXP i.MX6 packages can also be signed with the CST tool based operation. CST signing examples ($TOKEN holds the "regular" user token and $APPROVERTOKEN holds a token for a user who is in the approvers group):
```console
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignHAB \
    -N test -D test2 -P adcb30d8-f009-438e-b1b2-96f507b306cb --operid 4add90e9-ffb3-4708-9554-ed2e82e8fd71 -F SPL-hab
# Approve the CST signing request
(venv) $ ./signing-tool.py -c -t $APPROVERTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning \
    approve -I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
# Get the signed payload
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning \
    get -I a83081a6-1d3b-4117-a81b-0ebcfcf0669c -O /tmp/signed.bin
```
AHAB based products
Product configuration for AHAB based products
CST signing uses the AHAB tree generated during product creation.
- Create the product for the AHAB tree and the CST signing operation.
- Check the product for CST signing.
The AHAB tree key SGK under SRK0 is used.
AHAB CSF template:
```
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "<SRK_TABLE_PATH>"
# Public key certificate in PEM format
Source = "pkcs11:token=<TOKEN>;object=<SRK_X509_LABEL>;type=cert;pin-source=./token"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0
# Optional subordinate SGK key
[Install Certificate]
# Public key certificate in PEM format
File = "pkcs11:token=<TOKEN>;object=<SGK_X509_LABEL>;type=cert;pin-source=./token"
# bitmask of the permissions
Permissions = 0x1
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "<FILENAME>"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = <BLOCKS>
```
Input data for CST signing
The input is an AHAB container. If multiple containers are to be signed, they are signed step by step, one container per signing request.
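The one-container-per-step rule above, as an added example that is not the signing service's or NXP's code: it walks a flash image, lists each AHAB container with its signature block offset, and renders one filled AHAB CSF per container so each can be submitted as its own signing request. The container header layout, the 0x400 alignment of containers, and the way the `Offsets` entry is derived are assumptions stated in the docstring; the sample flash image and parameter values are constructed.

```python
"""Added example, not the signing service's own code: list the AHAB containers in
a flash image and render one AHAB CSF per container, since the page signs one
container per step.

Assumptions not stated on the page: the container header is the i.MX8/i.MX9
layout (version, little-endian length, tag 0x87, flags, sw_version,
fuse_version, num_images, little-endian sig_blk_offset, reserved; 16 bytes),
containers start at 0x400-aligned file offsets, and the CSF "Offsets" entry is
"<container offset> <container offset + sig_blk_offset>".
"""
import struct

CONTAINER_TAG = 0x87
# version, length, tag, flags, sw_version, fuse_version, num_images, sig_blk_offset, reserved
CONTAINER_HDR = struct.Struct("<BHBIHBBHH")

AHAB_CSF_TEMPLATE = """[Header]
Target = AHAB
Version = 1.0
[Install SRK]
File = "<SRK_TABLE_PATH>"
Source = "pkcs11:token=<TOKEN>;object=<SRK_X509_LABEL>;type=cert;pin-source=./token"
Source index = 0
Source set = OEM
Revocations = 0x0
[Install Certificate]
File = "pkcs11:token=<TOKEN>;object=<SGK_X509_LABEL>;type=cert;pin-source=./token"
Permissions = 0x1
[Authenticate Data]
File = "<FILENAME>"
Offsets = <BLOCKS>
"""


def find_containers(data, align=0x400):
    """Return [(container_offset, signature_block_offset), ...] in file order."""
    found = []
    for off in range(0, len(data) - CONTAINER_HDR.size + 1, align):
        (_ver, length, tag, _flags, _sw, _fuse, _num_images,
         sig_off, _res) = CONTAINER_HDR.unpack_from(data, off)
        if tag != CONTAINER_TAG:
            continue
        # The signature block must lie inside the container, and the container inside the file.
        if not (CONTAINER_HDR.size <= sig_off < length) or off + length > len(data):
            raise ValueError(f"malformed AHAB container header at 0x{off:x}")
        found.append((off, off + sig_off))
    return found


def render_ahab_csfs(data, filename, params):
    """One filled CSF per container; submit them in the returned order, one at a time."""
    csfs = []
    for cont_off, sig_off in find_containers(data):
        values = dict(params, FILENAME=filename, BLOCKS=f"0x{cont_off:08x} 0x{sig_off:08x}")
        text = AHAB_CSF_TEMPLATE
        for key, val in values.items():
            text = text.replace(f"<{key}>", val)
        if "<" in text:  # every placeholder must be filled before the CSF is handed to CST
            raise ValueError("unfilled placeholder in AHAB CSF")
        csfs.append(text)
    return csfs


def _container(length, sig_off, num_images=1):
    """Build a constructed container header (version 0, no flags) padded to 0x400."""
    hdr = CONTAINER_HDR.pack(0, length, CONTAINER_TAG, 0, 0, 0, num_images, sig_off, 0)
    return hdr.ljust(0x400, b"\0")


# Constructed sample flash image with two containers at 0x0 and 0x400 (not a real image).
SAMPLE_FLASH = _container(0x110, 0x90) + _container(0x200, 0x110)
SAMPLE_PARAMS = {"SRK_TABLE_PATH": "SRK_1_2_3_4_table.bin", "TOKEN": "signing-token",
                 "SRK_X509_LABEL": "srk0", "SGK_X509_LABEL": "sgk0"}

if __name__ == "__main__":
    for csf in render_ahab_csfs(SAMPLE_FLASH, "flash.bin", SAMPLE_PARAMS):
        print(csf)
```

Each returned CSF names the same input file but a different `Offsets` pair, which is exactly what makes the containers separate signing steps: the signature written for the first container changes the bytes of the file, so the second CSF is only applied to the output of the first step rather than to the original image.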
Example usage with reference client package: CST signing
NXP i.MX9 containers are signed with the CST tool based operation. CST signing examples ($TOKEN holds the "regular" user token and $APPROVERTOKEN holds a token for a user who is in the approvers group):
```console
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignHAB \
    -N test -D test2 -P adcb30d8-f009-438e-b1b2-96f507b306cb --operid 4add90e9-ffb3-4708-9554-ed2e82e8fd71 -F SPL-hab
# Approve the CST signing request
(venv) $ ./signing-tool.py -c -t $APPROVERTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning \
    approve -I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
# Get the signed payload
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning \
    get -I a83081a6-1d3b-4117-a81b-0ebcfcf0669c -O /tmp/signed.bin
```