In this case, we create an unsigned encrypted image and then sign it with the HSM. To create an unsigned image, use the sign command without the signing-key property. The result of the "Sign image" command is two unsigned images in the MCUboot format: one encrypted and one decrypted. The encrypted one is the image to which the signature generated by the HSM will be attached. The decrypted one is the image that must be provided to the HSM for signing, because the signature is calculated over the non-encrypted data.

  • The "Extract payload" command extracts from the decrypted image the part to be signed (header, body, protected TLV).

  • The "Custom script" command signs the payload with the HSM and saves the signature to the signature.bin file.

  • The "Add signature" command adds the signature returned by the HSM to the encrypted MCUboot format image.

{
  "schema-version": 1.0,
  "content": [
    {
      "name": "BootloaderHSM",
      "description": "Use case 3: Signing image with HSM",
      "enabled": true,
      "commands": [
        {
          "command": "sign",
          "inputs": [
            {
              "description": "Path to the input hex file",
              "file": "bootloader_path/bootloader.hex"
            }
          ],
          "outputs": [
            {
              "description": "Save encrypted bootloader and binary payload to sign on HSM",
              "header-size": "0x400",
              "fill-value": "0x00",
              "slot-size": "0x20000",
              "pad": true,
              "encryption-key": "key-path/public_key.pem",
              "format": "ihex",
              "file": "out-path/encryptedBoot.hex",
              "decrypted": "out-path/decryptedBoot.bin"
            }
          ]
        },
        {
          "command": "custom-script",
          "inputs": [
            {
              "description": "Signing with HSM command. The command does not have the 'outputs' property. If necessary, the outputs are handled by the command line.",
              "command-line": "cxitool.exe Dev=3001@127.0.0.1 LogonPass=USR_0000,2222 Group=SLOT_0000 Spec=2 InFile=decryptedBoot.bin Signature=signature.bin,raw Sign=SHA256,on_hsm,PSS"
            }
          ]
        },
        {
          "command": "add-signature",
          "inputs": [
            {
              "description": "Encrypted unsigned bootloader",
              "file": "out-path/encryptedBoot.hex"
            },
            {
              "description": "Signature returned by HSM",
              "file": "signature.bin"
            }
          ],
          "outputs": [
            {
              "description": "Final image signed with HSM",
              "format": "ihex",
              "file": "out-path/boot_encrypted_signed.hex"
            }
          ]
        }
      ]
    }
  ]
}
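The region the HSM signs is the MCUboot header, the image body and the protected TLV block, and it must come from the decrypted image. The following added example (not code from the tool or from this page) parses the MCUboot header to extract exactly that region, checks that the header sizes are consistent with the protected TLV block, and computes its SHA-256 for comparison with what the HSM hashed. The sample image is constructed in the script, standing in for decryptedBoot.bin.

```python
import hashlib
import struct

# MCUboot image header layout (little endian, 32 bytes), as defined in MCUboot's image.h:
# magic, load_addr, hdr_size, protect_tlv_size, img_size, flags, version(major, minor, revision, build), pad
IMAGE_MAGIC = 0x96F3B83D
IMAGE_HEADER_FMT = "<IIHHIIBBHII"
IMAGE_HEADER_LEN = struct.calcsize(IMAGE_HEADER_FMT)
TLV_PROT_INFO_MAGIC = 0x6908   # protected TLV block (covered by the signature)
TLV_INFO_MAGIC = 0x6907        # unprotected TLV block (where add-signature places the signature)
IMAGE_TLV_SEC_CNT = 0x50       # security counter, a typical protected TLV


def extract_payload(image: bytes) -> bytes:
    """Return header + body + protected TLVs: the bytes the HSM must sign."""
    if len(image) < IMAGE_HEADER_LEN:
        raise ValueError("image shorter than an MCUboot header")
    (magic, _load_addr, hdr_size, prot_size, img_size, _flags,
     *_version, _pad) = struct.unpack_from(IMAGE_HEADER_FMT, image, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError(f"bad MCUboot magic 0x{magic:08x}")
    end = hdr_size + img_size + prot_size
    if end > len(image):
        raise ValueError("header sizes exceed the image length")
    if prot_size:
        # The protected TLV block starts right after the body; its info header must agree with ih_protect_tlv_size
        tlv_magic, tlv_total = struct.unpack_from("<HH", image, hdr_size + img_size)
        if tlv_magic != TLV_PROT_INFO_MAGIC or tlv_total != prot_size:
            raise ValueError("protected TLV block does not match ih_protect_tlv_size")
    return image[:end]


def payload_digest(image: bytes) -> str:
    """SHA-256 of the to-be-signed payload (the hash the HSM signs with RSA-PSS in the page's command line)."""
    return hashlib.sha256(extract_payload(image)).hexdigest()


def build_sample_image(body: bytes, header_size: int = 0x400) -> bytes:
    """Constructed unsigned MCUboot image for the example; header-size 0x400 mirrors the page's configuration."""
    sec_cnt_tlv = struct.pack("<HH", IMAGE_TLV_SEC_CNT, 4) + struct.pack("<I", 1)
    prot_block = struct.pack("<HH", TLV_PROT_INFO_MAGIC, 4 + len(sec_cnt_tlv)) + sec_cnt_tlv
    header = struct.pack(IMAGE_HEADER_FMT, IMAGE_MAGIC, 0, header_size, len(prot_block),
                         len(body), 0, 1, 0, 0, 0, 0).ljust(header_size, b"\x00")
    unprot_block = struct.pack("<HH", TLV_INFO_MAGIC, 4)   # empty until the signature is added
    return header + body + prot_block + unprot_block


if __name__ == "__main__":
    sample = build_sample_image(b"\xAA" * 100)
    print(f"payload {len(extract_payload(sample))} bytes, sha256 {payload_digest(sample)}")
```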