Hello,

 

Just a quick follow-up on this question of using an HSM (or in general, some form of Key Management Infrastructure) to sign TF-A images.

 

U-Boot has support for this with its mkimage utility (see https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/signature.txt#L514). This appears to a custom engine in OpenSSL (and in this case, the pkcs11 engine). My questions are:

 

1. Does TF-A’s cert_create tool support using custom OpenSSL engines?
2. If so, is there a procedure for using this?
3. If not, is there a plan to add support for this in the roadmap somewhere?
   1. Or, in general, is there a plan to add HSM support for TF-A image signing?

 

Thanks,

Brian