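To make it easy for everyone to quickly verify the software's HAB signature function, a copy of the cst tool with the HAB signature function already enabled has been uploaded to Baidu Netdisk. It is for personal study only; anyone who uses it otherwise bears the consequences.
-- Link: https://pan.baidu.com/s/15kFA3qwwFyY4BuL3ZpDqSQ
-- Extraction code: rivb
Usage: extract the downloaded archive cst_3.0.1_hab_auth.zip and copy all of its files into the \NXP-MCUBootUtility\tools\cst folder.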
1 Reason for enabling the HAB signature function
NXP-MCUBootUtility is a tool designed for NXP MCU secure encrypted boot. It fully supports the HAB-based secure boot modes (signature only, signature and encryption). The HAB-related functions rely on NXP's official HAB Code Signing Tool. Because of European and US export-control restrictions on security products, the HAB Code Signing Tool cannot be bundled directly into the NXP-MCUBootUtility installation package, so if you want to enable the HAB signature and encryption functions in NXP-MCUBootUtility, you need to add the HAB Code Signing Tool to NXP-MCUBootUtility manually. This article shows how to add the HAB Code Signing Tool to NXP-MCUBootUtility to activate the HAB signature function.
2 Download the HAB Code Signing Tool
First, download the HAB Code Signing Tool from the NXP official website. Before the download starts, the following web page pops up; click 'I Accept' and you can then download cst-3.1.0.tgz (downloaded in 2018.12; the version may change over time).

This Agreement must be read through and accepted before the CST tool can be downloaded; this step cannot be skipped. It is also one of the reasons why the CST tool cannot be put directly into the NXP-MCUBootUtility package.
3 Place it in the \NXP-MCUBootUtility\tools\cst\ directory
After downloading the cst-3.1.0.tgz package, extract it (it has to be extracted twice before the contents of \cst-3.1.0\cst-3.1.0\release are visible) and place it in the \NXP-MCUBootUtility\tools\cst\ directory, as shown below:

4 Change the hab4_pki_tree.bat script
The HAB signature certificate generation function in NXP-MCUBootUtility is implemented by calling the \NXP-MCUBootUtility\tools\cst\keys\hab4_pki_tree.bat script. The script needs the following minor changes before NXP-MCUBootUtility can use it.
First, comment out the following 6 lines of code:
:: Comment out line 72
::set /P existing_ca="Do you want to use an existing CA key (y/n)?: "
:: Comment out line 80
::set /P use_ecc="Do you want to use Elliptic Curve Cryptography (y/n)?: "
:: Comment out line 104
::set /P kl="Enter key length in bits for PKI tree: "
:: Comment out line 115
::set /P duration="Enter PKI tree duration (years): "
:: Comment out line 121
::set /P num_srk="How many Super Root Keys should be generated? "
:: Comment out line 133
::set /P srk_ca="Do you want the SRK certificates to have the CA flag set? (y/n)?: "
Then add the following 6 lines of code, starting from line 2:
@echo off
:: Add below codes
set existing_ca=%1
set use_ecc=n
set kl=%2
set duration=%3
set num_srk=%4
set srk_ca=%5
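
The two script edits described above can also be applied programmatically. The following is an added example, not code from NXP-MCUBootUtility or from NXP: it locates the six prompts by variable name rather than by line number (the article notes that the CST version may change), and refuses to write anything if a prompt is missing or the script is already patched. The function name patch_pki_tree and the SAMPLE text are hypothetical; SAMPLE is a constructed stand-in, not the real hab4_pki_tree.bat.

```python
import re

# Prompt variables the article comments out, and the lines it adds after "@echo off".
PROMPT_VARS = ["existing_ca", "use_ecc", "kl", "duration", "num_srk", "srk_ca"]
ARG_LINES = [":: Add below codes", "set existing_ca=%1", "set use_ecc=n",
             "set kl=%2", "set duration=%3", "set num_srk=%4", "set srk_ca=%5"]
PROMPT_RE = re.compile(r"^\s*set\s+/P\s+(\w+)=", re.IGNORECASE)


def patch_pki_tree(text):
    """Return patched script text; raise ValueError if the layout is unexpected."""
    lines = text.splitlines()
    if not lines or lines[0].strip().lower() != "@echo off":
        raise ValueError("expected '@echo off' on line 1")
    if "set existing_ca=%1" in (l.strip() for l in lines):
        raise ValueError("script is already patched")
    seen, out = set(), [lines[0]] + ARG_LINES
    for line in lines[1:]:
        m = PROMPT_RE.match(line)
        if m and m.group(1).lower() in PROMPT_VARS:
            seen.add(m.group(1).lower())
            line = "::" + line.lstrip()  # same "::" comment style the article uses
        out.append(line)
    missing = [v for v in PROMPT_VARS if v not in seen]
    if missing:  # a different CST release may have renamed or removed a prompt
        raise ValueError("prompts not found: " + ", ".join(missing))
    return "\r\n".join(out) + "\r\n"


# Constructed stand-in for hab4_pki_tree.bat (NOT the real NXP script), used only
# to exercise the patcher offline.
SAMPLE = "\r\n".join([
    "@echo off",
    'set /P existing_ca="Do you want to use an existing CA key (y/n)?: "',
    'set /P use_ecc="Do you want to use Elliptic Curve Cryptography (y/n)?: "',
    'set /P kl="Enter key length in bits for PKI tree: "',
    'set /P duration="Enter PKI tree duration (years): "',
    'set /P num_srk="How many Super Root Keys should be generated? "',
    'set /P srk_ca="Do you want the SRK certificates to have the CA flag set? (y/n)?: "',
    "echo kl=%kl% duration=%duration%",
]) + "\r\n"

if __name__ == "__main__":
    print(patch_pki_tree(SAMPLE))
```

Keep an untouched copy of the original script next to the patched one so the change can be diffed and reviewed before any keys are generated with it.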
At this point, the HAB signature function of NXP-MCUBootUtility is activated. Open NXP-MCUBootUtility and select the "HAB Signed Image Boot" mode under Secure Boot Type to try it out. If you want to go on to activate the HAB encryption function of NXP-MCUBootUtility, please refer to 《開啟NXP-MCUBootUtility工具的HAB加密功能 - CST》 (Enabling the HAB encryption function of the NXP-MCUBootUtility tool - CST).

