1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
|
CST 3.3.1 Release Notes
PROJECT(S): CST
DATE: July, 2020
COPYRIGHT 2017-2020 NXP
1 READ ME FIRST
This is the NXP Code Signing Tool (CST) for the High
Assurance Boot (HAB) library and the Advanced High Assurance
Boot (AHAB) subsystem. The CST provides software code
signing support designed for use with NXP processors that
integrate the HAB library in the internal boot ROM or the
AHAB subsystem. This release provides the features required
for the code signing for SoC supporting HAB version 4 and AHAB.
1.1 REQUIREMENTS
This release supports Linux, MacOS, and Windows hosts.
For Linux, the CST is known to work on Ubuntu 14.04 and later.
For Windows, the CST is known to work on Windows 7 and later.
For MacOS, the CST is known to work on Mojave and later.
Most Linux distributions should work but they have not been fully
tested. If you run into library problems, see section 2.1 below
for instructions on how to relink CST.
1.2 PROBLEM REPORTING INSTRUCTIONS
Problems with this release may be reported to your local NXP
representative or at community.nxp.com.
2 KNOWN ISSUES
No known issues.
3 Current Release Notes
Release 3.3.1:
** New Features **
1. Binaries now built using OpenSSL 1.1.1g
2. Increased error checking to CSF input file parsing logic
The error checking has been extended to more input file issues
resulting in an issue with the resulting binary when attempted on
the target.
3. HABv4 log parsing utility for OSX and Windows
The log parsing utility previously only supported Linux. The OSX
and Windows versions have been added, but won't support the USB SDP
feature.
4. PKI reference script updates
Added options to output to directories besides hardcoded crts/keys.
5. Added user feedback output to the srktool utility
6. Removed the frontend library. Historically, it was inluded to support
relinking to a user modified backend. The frontend library can now be
built from the included source.
** Bug Fixes **
1. Bug fixes for issues with non-portable variable types used for size
parameters. A big thanks to Andrej Shadura for the debug effort and
patches addressing the issue.
2. Fixed issue when adding keys to PKI in Windows platform.
4. Historical Release Notes
Please note that there was an issue in 3.0.1 that prevented this
feature from working.
Release 3.3.0:
** New Features **
1. MacOS Support
This version of the CST package includes support for macOS.
The executables are provided in the 'osx' directory.
The Makefile included with the source code includes the build support
for macOS.
To build on macOS:
Please change your working directory.
cd <CST install directory>/code/cst/
The Makefile includes a build target for OpenSSL. The OpenSSL project should
be downloaded and built with this build target.
make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> openssl
To rebuild the CST binaries:
make OSTYPE=osx rel_bin
with OpenSSL dependencies:
make OSTYPE=osx OPENSSL_PATH=<OpenSSL git repository> rel_bin
The generated binaries can be found in:
<CST install directory>/code/cst/release/osx/bin
2. Encryption Support Enabled in Release Binaries
This version of the CST is released with encryption support
enabled by default.
3. PKI Generation Script Updated
The version of the CST package includes updated PKI generation scripts
supporting command line input of parameters. Previously the scripts
interactively queried the user for input options.
4. Dockerfile Added to Source Code
This version of the CST package include a 'Dockerfile' in the source
code directory to provide the environment for building the source.
5. AHAB Signature Block Parser
This version of the CST package includes a new AHAB Signature Block Parser
utility. The parser evaluates an image and dumps details about the AHAB
signatures.
The parser is found at:
<CST install directory>/code/ahab_signature_block_parser
** Bug Fixes **
-NONE-
Release 3.2.0:
** New Features **
1. HAB3 support
This version of the CST package removes support for HAB3.
2. Encrypted boot support for AHAB
3. CST source code
This version of the CST package includes the CST source code. To
rebuild on Ubuntu 16.04 machines, please first install the packages:
gcc
make
git
byacc
flex
mingw-w64
g++-multilib
libssl-dev
libssl-dev:i386
Please change your working directory.
cd <CST install directory>/code/cst/
The Makefile includes the possibilty to recompile OpenSSL. This is mainly
interesting when cross-compiling CST (e.g. for Win32 builds).
make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> openssl
To rebuild the CST binaries:
make OSTYPE=linux64 rel_bin
with OpenSSL dependencies:
make OSTYPE=mingw32 OPENSSL_PATH=<OpenSSL git repository> rel_bin
Existing OS types (OSTYPE) are: linux32 | linux64 | mingw32.
The generated binaries can be found in <CST install directory>/code/cst/release
** Bug Fixes **
-NONE-
Release 3.1.0:
** New Features **
1. ECDSA support for HAB4
This version of CST adds support for ECDSA for HAB4.
ECDSA support was added in HAB 4.5
2. OpenSSL 1.1.0
This version of CST adds support for OpenSSL 1.1.0.
Even if OpenSSL 1.0.2 is known to work with CST, OpenSSL 1.1.0
or later is recommended.
3. Add-ons
This version of the CST package includes additional tools.
Please refer to the CST User Guide for more information.
- HSM Back-End support
- HABv4 log parser tool
- HABv4 CSF parser tool
- HABv4 SRKTool scripts
** Bug Fixes **
-NONE-
Release 3.0.0:
** New Features **
1. AHAB support
This version of CST adds support for AHAB.
** Bug Fixes **
-NONE-
Release 2.3.3:
** New Features **
1. Windows support
This version of CST adds support for Microsoft Windows.
2. Removed several commands
This version of CST removed support for the following commands:
Write Data
Clear Mask
Set Mask
Check All Clear
Check All Set
Check Any Clear
Check Any Set
Set MID
** Bug Fixes **
-NONE-
Release 2.3.2
** New Features **
1. Changed CST input file handling
Previous versions of CST got the CSF input file on standard
input. This has changed. Now the input filename is supplied as a
command line argument.
Example:
cst --output csf.bin --input input.csf
This was added in CST 2.3.2
2. Added unlock command for Manufacturing Protection
The new unlock command will cause HAB to keep the manufacturing
protection key in internal CAAM memory after boot.
** Bug Fixes **
1. Fixed INIT RNG Unlock Command
Release 2.3.1:
** New Features **
1. Encrypted Boot support
This version of CST allows the user to relink the executable
to include support for generating encrypted boot images.
To relink on Ubuntu 14.04 machines, please first install binutils 2.26:
sudo apt-get install binutils-2.26
export PATH=/usr/lib/binutils-2.26/bin:${PATH}
To relink on 32 bit Linux machines:
This requires the GCC compiler and the OpenSSL header files and
library. For example on Ubuntu machines:
sudo apt-get install gcc libssl-dev
cd <CST install directory>/code/back_end/src
gcc -o cst -I ../hdr -L ../../../linux32/lib *.c \
-lfrontend -lcrypto
cp cst ../../../linux32
To relink on 64 bit Linux machines:
This requires the GCC compiler and the OpenSSL header files and
library. For example on Ubuntu machines:
sudo apt-get install gcc libssl-dev
cd <CST install directory/code/back_end/src
gcc -o cst -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
cp cst ../../../linux64
To relink on Windows machines:
This requires the MINGW compiler and OpenSSL header files and
library. The easiest way to get them is to install Cygwin
cd <CST install directory/code/back_end/src
i686-w64-mingw32-gcc -o cst.exe -I ../hdr -L ../../../mingw32/lib \
*.c -lfrontend -lcrypto -static -lgdi32 -lws2_32 -lz
cp cst.exe ../../../mingw32
If cst.exe crashes, please try to relink with the small C snippet
applink.c provided by OpenSSL (if applicable to your platform).
To do so, please add the compilation flag -DUSE_APPLINK.
i686-w64-mingw32-gcc -o cst.exe -I ../hdr -L ../../../mingw32/lib \
*.c -lfrontend -lcrypto -static -lgdi32 -lws2_32 -lz -DUSE_APPLINK
Please refer to https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_Applink.html
and https://www.openssl.org/docs/faq.html#PROG3
2. Issue INIT RNG command
On closed i.MX devices with CAAM, HAB will initialize the RNG by
default. If the RNG trim fuses have not been set correctly, RNG
iniatialization will fail, causing the boot to fail.
To prevent HAB from initializing the RNG, you can add an UNLOCK
command to the CST input file.
This version of CST will add that command automatically if the CSF
includes "Engine = CAAM" in the header unless
explicitly told otherwise. The way to disable this behavior is to
add the following to the CST input file:
[Init]
Engine = CAAM
Features = RNG
** Bug Fixes **
-NONE-
Release 2.3.0
** New Features **
1. 64 bit native binaries
CST now includes both 32 and 64 bit native binaries. They are
located in the linux32 and linux64 directories, respectively.
** Bug Fixes **
-NONE-
|
