1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267
|
CST 3.3.0 Release Notes
PROJECT(S): CST
DATE: April, 2019
COPYRIGHT 2017-2019 NXP
1 READ ME FIRST
This is the NXP Code Signing Tool (CST) for the High
Assurance Boot (HAB) library and the Advanced High Assurance
Boot (AHAB) subsystem. The CST provides software code
signing support designed for use with NXP processors that
integrate the HAB library in the internal boot ROM or the
AHAB subsystem. This release provides the features required
for the code signing for SoC supporting HAB version 4 and AHAB.
1.1 REQUIREMENTS
This release supports Linux, MacOS, and Windows hosts
For Linux, the CST is known to work on Ubuntu 14.04 and later.
For Windows, the CST is known to work on Windows 7 and later.
For MacOS, the CST is known to work on Mojave and later.
Most Linux distributions should work but they have not been fully
tested. If you run into library problems, see section 2.1 below
for instructions on how to relink CST.
1.2 PROBLEM REPORTING INSTRUCTIONS
Problems with this release may be reported to your local NXP
representative or at community.nxp.com.
2 NEW FEATURES & Fixes
The following is included in this release:
2.1 Encrypted Boot support
This version of CST allows the user to relink the executable
to include support for generating encrypted boot images.
To relink on Ubuntu 14.04 machines, please first install binutils 2.26:
sudo apt-get install binutils-2.26
export PATH=/usr/lib/binutils-2.26/bin:${PATH}
To relink on 32 bit Linux machines:
This requires the GCC compiler and the OpenSSL header files and
library. For example on Ubuntu machines:
sudo apt-get install gcc libssl-dev
cd <CST install directory>/code/back_end/src
gcc -o cst -I ../hdr -L ../../../linux32/lib *.c \
-lfrontend -lcrypto
cp cst ../../../linux32
To relink on 64 bit Linux machines:
This requires the GCC compiler and the OpenSSL header files and
library. For example on Ubuntu machines:
sudo apt-get install gcc libssl-dev
cd <CST install directory/code/back_end/src
gcc -o cst -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
cp cst ../../../linux64
To relink on Windows machines:
This requires the MINGW compiler and OpenSSL header files and
library. The easiest way to get them is to install Cygwin
cd <CST install directory/code/back_end/src
i686-w64-mingw32-gcc -o cst.exe -I ../hdr -L ../../../mingw32/lib \
*.c -lfrontend -lcrypto -static -lgdi32 -lws2_32 -lz
cp cst.exe ../../../mingw32
If cst.exe crashes, please try to relink with the small C snippet
applink.c provided by OpenSSL (if applicable to your platform).
To do so, please add the compilation flag -DUSE_APPLINK.
i686-w64-mingw32-gcc -o cst.exe -I ../hdr -L ../../../mingw32/lib \
*.c -lfrontend -lcrypto -static -lgdi32 -lws2_32 -lz -DUSE_APPLINK
Please refer to https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_Applink.html
and https://www.openssl.org/docs/faq.html#PROG3
This was added in CST 2.3.0
Please note that there was an issue in 3.0.1 that prevented this
feature from working.
The encrypted boot support for AHAB was added in CST 3.2.0.
2.2 64 bit native binaries
CST now includes both 32 and 64 bit native binaries. They are
located in the linux32 and linux64 directories, respectively.
This was added in CST 2.3.0
2.3 Issue INIT RNG command
On closed i.MX devices with CAAM, HAB will initialize the RNG by
default. If the RNG trim fuses have not been set correctly, RNG
iniatialization will fail, causing the boot to fail.
To prevent HAB from initializing the RNG, you can add an UNLOCK
command to the CST input file.
This version of CST will add that command automatically if the CSF
includes "Engine = CAAM" in the header unless
explicitly told otherwise. The way to disable this behavior is to
add the following to the CST input file:
[Init]
Engine = CAAM
Features = RNG
This was added in CST 2.3.1, fixed in 2.3.2
2.4 Changed CST input file handling
Previous versions of CST got the CSF input file on standard
input. This has changed. Now the input filename is supplied as a
command line argument.
Example:
cst --output csf.bin --input input.csf
This was added in CST 2.3.2
2.5 Added unlock command for Manufacturing Protection
The new unlock command will cause HAB to keep the manufacturing
protection key in internal CAAM memory after boot.
This was added in CST 2.3.2
2.6 Windows support
This version of CST adds support for Microsoft Windows.
This was added in CST 2.3.3
2.7 Removed several commands
This version of CST removed support for the following commands:
Write Data
Clear Mask
Set Mask
Check All Clear
Check All Set
Check Any Clear
Check Any Set
Set MID
This was added in CST 2.3.3
2.8 AHAB support
This version of CST adds support for AHAB.
This was added in CST 3.0.0
2.9 ECDSA support for HAB4
This version of CST adds support for ECDSA for HAB4.
ECDSA support was added in HAB 4.5
This was added in CST 3.1.0
2.10 OpenSSL 1.1.0
This version of CST adds support for OpenSSL 1.1.0.
Even if OpenSSL 1.0.2 is known to work with CST, OpenSSL 1.1.0
or later is recommended.
This was added in CST 3.1.0
2.11 Add-ons
This version of the CST package includes additional tools.
Please refer to the CST User Guide for more information.
- HSM Back-End support
- HABv4 log parser tool
- HABv4 CSF parser tool
- HABv4 SRKTool scripts
This was added in CST 3.1.0
2.12 HAB3 support
This version of the CST package removes support for HAB3.
This was added in CST 3.2.0.
2.13 CST source code
This version of the CST package includes the CST source code.
To rebuild on Ubuntu 16.04 machines, please first install the packages:
gcc
make
git
byacc
flex
mingw-w64
g++-multilib
libssl-dev
libssl-dev:i386
Please change your working directory.
cd <CST install directory>/code/cst/
The Makefile includes the possibilty to recompile OpenSSL. This is mainly
interesting when cross-compiling CST (e.g. for Win32 builds).
make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> openssl
To rebuild the CST binaries:
make OSTYPE=linux64 rel_bin
with OpenSSL dependencies:
make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> rel_bin
Existing OS types (OSTYPE) are: linux32 | linux64 | mingw32.
The generated binaries can be found in <CST install directory>/code/cst/release
This was added in CST 3.2.0
2.14 MacOS Support
This version of the CST package includes support for macOS.
The executables are provided in the 'osx' directory.
The Makefile included with the source code includes the build support
for macOS.
To build on macOS:
Please change your working directory.
cd <CST install directory>/code/cst/
The Makefile includes a build target for OpenSSL. The OpenSSL project should
be downloaded and built with this build target.
make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> openssl
To rebuild the CST binaries:
make OSTYPE=osx rel_bin
with OpenSSL dependencies:
make OSTYPE=osx OPENSSL_PATH=<OpenSSL git repository> rel_bin
The generated binaries can be found in:
<CST install directory>/code/cst/release/osx/bin
This was added in CST 3.3.0
2.15 Encryption Support Enabled
This version of the CST is released with encryption support enabled by default.
This was added in CST 3.3.0
2.16 PKI Generation Script Updated
The version of the CST package includes updated PKI generation scripts
supporting command line input of parameters. Previously the scripts
interactively queried the user for input options.
This was added in CST 3.3.0
2.17 Dockerfile Added to Source Code
This version of the CST package include a 'Dockerfile' in the source
code directory to provide the environment for building the source.
This was added in CST 3.3.0
2.18 AHAB Signature Block Parser
This version of the CST package includes a new AHAB Signature Block Parser
utility. The parser evaluates an image and dumps details about the AHAB
signatures.
The parser is found at:
<CST install directory>/code/ahab_signature_block_parser
This was added in CST 3.3.0
3 KNOWN ISSUES
No known issues.
|