This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

TFA Secure boot : How to interface cert_create tool with external signature platform


On my Project we want to use TF-A (5.8. Trusted Board Boot — Trusted Firmware-A documentation) for our booting solution in order to enable secure boot on our arm platform.

For our test, we use the arm ./cert_create tool to create the BLx_Key_Certificates and the BLx_Content_Certificates.

-> As inputs for ./cert_create tool- we give test public and private keys.

Now we want to use our infrastructure (signature platform where we can't retrieve the private key). Our signature platform get raw data to sign and return a signature.

As sum-up, the arm./cert_create tool solution is to use create self-signed BLx_Key_Certificates and the BLx_Content_Certificate using the Public Key and Private Key given as input of the tool:

Here a sum-up, on how BLx_Key_Certificates and the BLx_Content_Certificate are created.
x = X509_new();
X509_sign(x, privKey, digestAlgo) -> As mentionned we don't have access to the Private Key... so we can't use this function.

So we would like to

  • compute the digest of the created certificate,
  • send it to our signature platform and get back the signature
  • Fill the received signature inside the certificate

Do you know how we should proceed to do it ? Does the arm ./cert_create tool propose dedicated "option" to be interfaced with an external signature platform to generate the signature ?

Thank you for your help