Associate
November 11, 2024
Question

STM32_Signingtool: Unable to sign tf-a using softhsm (pkcs11)


I want to place my signing keys in a secure location, like an HSM or SoftHSM. The keys get placed, but the given arguments don't work for signing with the secure keys in the PKCS#11 object store.

- If I provide my slot, it gives a segmentation fault

 

ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 5407DACB907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
 -------------------------------------------------------------------
 STM32MP Signing Tool v2.15.0 
 -------------------------------------------------------------------

 Error: Invalid slot index value
ept@de3:~/build/senec/yocto$ 
ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1409800907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
 -------------------------------------------------------------------
 STM32MP Signing Tool v2.15.0 
 -------------------------------------------------------------------

+++ PKCS#11 interface +++

Library Info: 
 Manufacturer ID : SoftHSM 
 Library Description: Implementation of PKCS11 
 Library Version : 2.5
 CryptoKi Version : 2.40
 Slots number : 2
Segmentation fault

 

- If I use a slot index of zero, it says the object handle isn't done correctly; same error whether we place the key or not

 

ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 0x64 -si 0 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000 -iv 1
 -------------------------------------------------------------------
 STM32MP Signing Tool v2.15.0 
 -------------------------------------------------------------------

+++ PKCS#11 interface +++

Library Info: 
 Manufacturer ID : SoftHSM 
 Library Description: Implementation of PKCS11 
 Library Version : 2.5
 CryptoKi Version : 2.40
 Slots number : 2

Slot Info:
 Slot index : 0
 Manufacturer ID : SoftHSM project 
 Description : SoftHSM slot ID 0x5407dacb 
 Hardware version : 2.5
 Firmware version : 2.5
 
Token Info:
 Manufacturer ID : SoftHSM project 
 Label : tfa token 
 Model : SoftHSM v2 
 Serial number : c2533329d407dacb
 PIN min lenght : 4
 PIN max lenght : 255
 Hardware version : 2.5
 Firmware version : 2.5

Public key search object : 
 ID : 0x64
Error: CKR_OBJECT_HANDLE_INVALID
 Error: Cannot extract public key from pkcs11 module !

 

Question:

- Am I using any argument wrong?

- What am I supposed to put in key-index argument? I have tried with 1 and also with object id of the placed keys

- Will this -pwd argument serve as the SO/user pin for accessing secure keys?

Following: https://wiki.st.com/stm32mpu/wiki/Signing_tool#Additional_PKCS-2311_commands

#STM32MP_SigningTool

1 reply

Aziz BRIGUI
Technical Moderator
November 18, 2024

Hello @saman_,

Could you try testing with STM32CubeProgrammer v2.17 and get back to us with the results?

Thanks in advance,

Aziz

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
saman_ (Author)
Associate
November 19, 2024

It's the same with both cases:

ept@de3:~/build/senec/yocto$ sudo /home/ept/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1409800907 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000
 -------------------------------------------------------------------
 STM32MP Signing Tool v2.17.0 
 -------------------------------------------------------------------

+++ PKCS#11 interface +++

Library Info: 
 Manufacturer ID : SoftHSM 
 Library Description: Implementation of PKCS11 
 Library Version : 2.5
 CryptoKi Version : 2.40
 Slots number : 2
Segmentation fault
Aziz BRIGUI
Technical Moderator
December 5, 2024

Hello @saman_ ,

Sorry for the late reply, missed your comment initially.

Your observation is correct since Signing Tool for now takes in the slot offset (Not the identifier). A change request is submitted internally under Ticket 196625 and will be available in STM32CubeProgrammer v2.19.

For now, you can put in the offset after the -si option. For example, if it's the first slot you created, the full command should look like this:

STM32MP_SigningTool_CLI --module /usr/lib/softhsm/libsofthsm2.so -ki 1 -si 1 -bin build/tmp/deploy/images/stm32mp1-ems-c2-faa1/arm-trusted-firmware/bl2/tf-a-stm32mp157f-ems-c2-faa1-mx-usb.bin -o tf-a-stm32mp157f-ems-c2-faa1-mx-usb_Signed.stm32 -pwd epteck -type fsbl -la 0x2ffc2500 -ep 0x2ffe9000

Hope this helps,

Aziz
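
Added example (not part of the thread and not ST's code): the reply above says `-si` takes the slot's offset in the slot list rather than its identifier, so this script lists each slot's offset next to its ID as reported by `softhsm2-util --show-slots`. The function names are hypothetical, the sample listing is constructed from the values quoted in the question, and offsets are counted from zero, as in the `Slot index : 0` line of the tool output above.

```shell
#!/bin/sh
# Added example: map SoftHSM slot IDs to their position (offset) in the slot list.
# SAMPLE is constructed, modelled on `softhsm2-util --show-slots` output and
# using the slot ID, serial number and token label quoted in the thread.
SAMPLE='Available slots:
Slot 1409800907
    Slot info:
        Description:      SoftHSM slot ID 0x5407dacb
        Token present:    yes
    Token info:
        Serial number:    c2533329d407dacb
        Initialized:      yes
        Label:            tfa token
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Token present:    yes
    Token info:
        Initialized:      no
        Label:'

# Print one line per slot: "<offset> <slot id, decimal> <slot id, hex> <label>".
# Offsets count from zero in listing order; "-" means the token has no label.
list_slots() {
    awk '
        function emit() { if (n >= 0) printf "%d %s 0x%x %s\n", n, id, id, label }
        BEGIN { n = -1 }
        /^Slot [0-9]+$/ { emit(); n++; id = $2; label = "-" }
        /^ +Label:/ { sub(/^ +Label: */, ""); if ($0 != "") label = $0 }
        END { emit() }
    '
}

# Offset of the slot whose decimal ID is $1; exit status 1 if no slot has it.
offset_for_id() {
    list_slots | awk -v want="$1" '$2 == want { print $1; found = 1 } END { exit !found }'
}

# True when $1 is usable as an offset: all digits and smaller than the slot count.
is_valid_offset() {
    count=$(list_slots | awk 'END { print NR }')
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -lt "$count" ]
}

# On a real host: softhsm2-util --show-slots | list_slots
printf '%s\n' "$SAMPLE" | list_slots
```

Running `is_valid_offset` on the value intended for `-si` before calling the signing tool catches a slot ID such as 1409800907 being passed where an offset is expected.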
