Hello Brian,
Sorry for the delay in responding to your query.
1. No, TF-A's cert_create tool does not support using custom OpenSSL engines for signing TF-A images right now.
3. I am not aware of any plan to add support for this.
As you probably know, TF-A's cert_create tool uses OpenSSL already so I suppose it could be extended to use the same pkcs11 engine APIs as U-Boot's mkimage tool. We would welcome such a contribution and we would be happy to review it.
Best regards, Sandrine
On 11/11/22 19:58, Neely, Brian wrote:
Hello,
Just following up on my question regarding HSMs (pasted below). Do any of the maintainers of cert_create have feedback on this? Thanks!
-Brian
Just a quick follow-up on this question of using an HSM (or in general, some form of Key Management Infrastructure) to sign TF-A images.
U-Boot has support for this with its mkimage utility (see https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/signature.txt#L5...). This appears to a custom engine in OpenSSL (and in this case, the pkcs11 engine). My questions are:
1. Does TF-A’s cert_create tool support using custom OpenSSL engines?
2. If so, is there a procedure for using this?
3. If not, is there a plan to add support for this in the roadmap somewhere?
* Or, in general, is there a plan to add HSM support for TF-A image signing?