workhero
Associate
November 18, 2022
Question

How to use a smartcard (pkcs11) with create_cert/fiptool


Hi All.

Our target, using the STM32MP153C, shall boot securely. The signing private keys should not be accessible via the filesystem. The secure boot signing is implemented with development keys within Yocto at the moment. Moving to the productive environment will need to use the private secrets from a smart card in a kind of after-Yocto signing script.

Currently all private keys used to sign images are in files on the filesystem. To sign the TF-A, the STM32MP_SigningTool_CLI seems to be capable of using a secret provided via smartcard, but how can this be achieved with create_cert and/or fiptool for signing the FIP image? Especially as the STM32MP_SigningTool_CLI and fiptool should use the same private key (that is my expectation, because there is only one public key hash in OTP used to verify the signatures by bootrom and TF-A).

At the moment I do not see any other solution than having the private key in the filesystem, which is not usable in our productive environment. Please give a hint on how to sign the FIP image with an HSM (smart card, libp11, openssl-engine).

Thanks in advance.

KR, workhero

11 replies

AZaki.2
Associate III
December 17, 2024
I'm pleased to share stm32mp-sign-tool with the community:
 
It is a lightweight open-source alternative to STM32_SigningTool_CLI that does not require the full STM32CubeProgrammer installation and dependencies.