Hello,

 

Just following up on my question regarding HSMs (pasted below). Do any of the maintainers of cert_create have feedback on this? Thanks!

 

-Brian

 

Just a quick follow-up on this question of using an HSM (or in general, some form of Key Management Infrastructure) to sign TF-A images.

 

U-Boot has support for this with its mkimage utility (see https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/signature.txt#L5...). This appears to use a custom engine in OpenSSL (and in this case, the pkcs11 engine). My questions are:

 

1.  Does TF-A's cert_create tool support using custom OpenSSL engines?

2.  If so, is there a procedure for using this?

3.  If not, is there a plan to add support for this in the roadmap somewhere?

     *   Or, in general, is there a plan to add HSM support for TF-A image signing?