File: Release_Notes.txt

imx-code-signing-tool 3.3.0+dfsg2-1
                CST 3.3.0 Release Notes


PROJECT(S):             CST
DATE:                   April, 2019

           COPYRIGHT 2017-2019 NXP

1 READ ME FIRST
    This is the NXP Code Signing Tool (CST) for the High
    Assurance Boot (HAB) library and the Advanced High Assurance
    Boot (AHAB) subsystem. The CST provides software code
    signing support designed for use with NXP processors that
    integrate the HAB library in the internal boot ROM or the
    AHAB subsystem. This release provides the features required
    for the code signing for SoC supporting HAB version 4 and AHAB.

1.1 REQUIREMENTS
    This release supports Linux, MacOS, and Windows hosts.
    For Linux, the CST is known to work on Ubuntu 14.04 and later.
    For Windows, the CST is known to work on Windows 7 and later.
    For MacOS, the CST is known to work on Mojave and later.

    Most Linux distributions should work but they have not been fully
    tested. If you run into library problems, see section 2.1 below
    for instructions on how to relink CST.

1.2 PROBLEM REPORTING INSTRUCTIONS
    Problems with this release may be reported to your local NXP
    representative or at community.nxp.com.


2 NEW FEATURES & Fixes
    The following is included in this release:

2.1 Encrypted Boot support
    This version of CST allows the user to relink the executable
    to include support for generating encrypted boot images.

    To relink on Ubuntu 14.04 machines, please first install binutils 2.26:
        sudo apt-get install binutils-2.26
        export PATH=/usr/lib/binutils-2.26/bin:${PATH}

    To relink on 32 bit Linux machines:
       This requires the GCC compiler and the OpenSSL header files and
       library. For example on Ubuntu machines:
       sudo apt-get install gcc libssl-dev

       cd <CST install directory>/code/back_end/src
       gcc -o cst -I ../hdr -L ../../../linux32/lib *.c \
           -lfrontend -lcrypto
       cp cst ../../../linux32

    To relink on 64 bit Linux machines:
       This requires the GCC compiler and the OpenSSL header files and
       library. For example on Ubuntu machines:
       sudo apt-get install gcc libssl-dev

       cd <CST install directory>/code/back_end/src
       gcc -o cst -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
       cp cst ../../../linux64

    To relink on Windows machines:
       This requires the MINGW compiler and OpenSSL header files and
       library. The easiest way to get them is to install Cygwin.

       cd <CST install directory>/code/back_end/src
       i686-w64-mingw32-gcc -o cst.exe -I ../hdr -L ../../../mingw32/lib \
         *.c -lfrontend -lcrypto -static -lgdi32 -lws2_32 -lz
       cp cst.exe ../../../mingw32

       If cst.exe crashes, please try to relink with the small C snippet
       applink.c provided by OpenSSL (if applicable to your platform).
       To do so, please add the compilation flag -DUSE_APPLINK.

       i686-w64-mingw32-gcc -o cst.exe -I ../hdr -L ../../../mingw32/lib \
         *.c -lfrontend -lcrypto -static -lgdi32 -lws2_32 -lz -DUSE_APPLINK

        Please refer to https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_Applink.html
        and https://www.openssl.org/docs/faq.html#PROG3

    This was added in CST 2.3.0

    Please note that there was an issue in 3.0.1 that prevented this
    feature from working.

    The encrypted boot support for AHAB was added in CST 3.2.0.

2.2 64 bit native binaries
    CST now includes both 32 and 64 bit native binaries. They are
    located in the linux32 and linux64 directories, respectively.

    This was added in CST 2.3.0

2.3 Issue INIT RNG command
    On closed i.MX devices with CAAM, HAB will initialize the RNG by
    default. If the RNG trim fuses have not been set correctly, RNG
    initialization will fail, causing the boot to fail.

    To prevent HAB from initializing the RNG, you can add an UNLOCK
    command to the CST input file.

    This version of CST will add that command automatically if the CSF
    includes "Engine = CAAM" in the header unless
    explicitly told otherwise. The way to disable this behavior is to
    add the following to the CST input file:
        [Init]
             Engine = CAAM
             Features = RNG

    This was added in CST 2.3.1, fixed in 2.3.2

2.4 Changed CST input file handling
    Previous versions of CST got the CSF input file on standard
    input. This has changed. Now the input filename is supplied as a
    command line argument.

    Example:
       cst --output csf.bin --input input.csf

    This was added in CST 2.3.2

2.5 Added unlock command for Manufacturing Protection
    The new unlock command will cause HAB to keep the manufacturing
    protection key in internal CAAM memory after boot.

    This was added in CST 2.3.2

2.6 Windows support
    This version of CST adds support for Microsoft Windows.

    This was added in CST 2.3.3

2.7 Removed several commands
    This version of CST removed support for the following commands:
        Write Data
        Clear Mask
        Set Mask
        Check All Clear
        Check All Set
        Check Any Clear
        Check Any Set
        Set MID

    This was added in CST 2.3.3
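
    Added example (not part of the CST package or of the original release
    notes): a pre-signing check of a CST input file covering sections 2.3 and
    2.7. It assumes commands appear as bracketed section headers with
    "key = value" lines, as in the [Init] example above, that the header
    section is named [Header], and that '#' starts a comment; the sample input
    is constructed.

```python
import re

# Commands listed as removed in section 2.7 of these release notes.
REMOVED = {"write data", "clear mask", "set mask", "check all clear",
           "check all set", "check any clear", "check any set", "set mid"}

SECTION = re.compile(r"^\[\s*(.+?)\s*\]$")


def parse_csf(text):
    """Return [(section_name, {key: value}, line_no)] for a CST input file."""
    sections = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1).lower(), {}, no))
        elif "=" in line and sections:
            key, value = (p.strip().lower() for p in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def lint_csf(text):
    """Flag removed commands (2.7) and report the automatic RNG unlock (2.3)."""
    sections = parse_csf(text)
    findings = [f"line {no}: [{name}] was removed in CST 2.3.3"
                for name, _, no in sections if name in REMOVED]
    # Assumption: the header section is named [Header].
    caam_header = any(name == "header" and kv.get("engine") == "caam"
                      for name, kv, _ in sections)
    # The explicit opt-out from section 2.3: [Init] Engine = CAAM, Features = RNG.
    init_rng = any(name == "init" and kv.get("engine") == "caam"
                   and "rng" in re.split(r"[,\s]+", kv.get("features", ""))
                   for name, kv, _ in sections)
    return findings, caam_header and not init_rng


# Constructed sample input, not taken from a real project.
SAMPLE = """\
[Header]
    Version = 4.2
    Engine = CAAM   # triggers the automatic UNLOCK described in 2.3
[Write Data]
"""
```

    lint_csf() returns the list of removed-command findings and a flag that is
    true when, per section 2.3, CST will add the UNLOCK command on its own.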

2.8 AHAB support
    This version of CST adds support for AHAB.

    This was added in CST 3.0.0

2.9 ECDSA support for HAB4
    This version of CST adds support for ECDSA for HAB4.
    ECDSA support was added in HAB 4.5

    This was added in CST 3.1.0

2.10 OpenSSL 1.1.0
    This version of CST adds support for OpenSSL 1.1.0.
    Even if OpenSSL 1.0.2 is known to work with CST, OpenSSL 1.1.0
    or later is recommended.

    This was added in CST 3.1.0

2.11 Add-ons
    This version of the CST package includes additional tools.
    Please refer to the CST User Guide for more information.
        - HSM Back-End support
        - HABv4 log parser tool
        - HABv4 CSF parser tool
        - HABv4 SRKTool scripts

    This was added in CST 3.1.0

2.12 HAB3 support
    This version of the CST package removes support for HAB3.

    This was added in CST 3.2.0.

2.13 CST source code
    This version of the CST package includes the CST source code.

    To rebuild on Ubuntu 16.04 machines, please first install the packages:
        gcc
        make
        git
        byacc
        flex
        mingw-w64
        g++-multilib
        libssl-dev
        libssl-dev:i386

    Please change your working directory.
        cd <CST install directory>/code/cst/

    The Makefile includes the possibility to recompile OpenSSL. This is mainly
    interesting when cross-compiling CST (e.g. for Win32 builds).
        make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> openssl

    To rebuild the CST binaries:
        make OSTYPE=linux64 rel_bin
    with OpenSSL dependencies:
        make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> rel_bin

    Existing OS types (OSTYPE) are: linux32 | linux64 | mingw32.

    The generated binaries can be found in <CST install directory>/code/cst/release

    This was added in CST 3.2.0

2.14 MacOS Support
    This version of the CST package includes support for macOS.

    The executables are provided in the 'osx' directory.
    The Makefile included with the source code includes the build support
    for macOS.

    To build on macOS: 
    Please change your working directory.
        cd <CST install directory>/code/cst/

    The Makefile includes a build target for OpenSSL. The OpenSSL project should
    be downloaded and built with this build target.
        make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> openssl

    To rebuild the CST binaries:
        make OSTYPE=osx rel_bin
    with OpenSSL dependencies:
        make OSTYPE=osx OPENSSL_PATH=<OpenSSL git repository> rel_bin

    The generated binaries can be found in:
       <CST install directory>/code/cst/release/osx/bin

    This was added in CST 3.3.0
    
2.15 Encryption Support Enabled
    This version of the CST is released with encryption support enabled by default.

    This was added in CST 3.3.0

2.16 PKI Generation Script Updated
    This version of the CST package includes updated PKI generation scripts
    supporting command line input of parameters. Previously the scripts
    interactively queried the user for input options.

    This was added in CST 3.3.0

2.17 Dockerfile Added to Source Code
    This version of the CST package includes a 'Dockerfile' in the source
    code directory to provide the environment for building the source.

    This was added in CST 3.3.0

2.18 AHAB Signature Block Parser
    This version of the CST package includes a new AHAB Signature Block Parser
    utility. The parser evaluates an image and dumps details about the AHAB
    signatures.

    The parser is found at:
       <CST install directory>/code/ahab_signature_block_parser

    This was added in CST 3.3.0

3 KNOWN ISSUES

No known issues.