AnsweredAssumed Answered

CST 3.3.0 returns Undefined error

Question asked by AURELIEN BOUIN on Jul 7, 2020
Latest reply on Jul 8, 2020 by AURELIEN BOUIN


I am trying to setup secure boot on my iMX8MM device

I end up with an error with cst tool versio 3.3.0 :

Error: Cannot open key file CSF1_1_sha256_4096_65537_v3_usr_key.pem
140578450752768:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:563:
140578450752768:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140578450752768:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140578450752768:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:142:
Undefined error

The procedure I use to create the keys :

Starting from an empty folder where there is not much than the fresh download cst-3.3.0.tgz :

tar xzf cst-3.3.0.tgz
cd $BASE_DIR/release/keys

echo "$PASS_PHRASE" > key_pass.txt
echo "$PASS_PHRASE" >> key_pass.txt

./ -existing-ca n -use-ecc n -kl 4096 -duration 20 -num-srk 4 -srk-ca y

cd $BASE_DIR/release/crts

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

Then I am using these first file : csf_spl.txt

Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x2c400 "flash.bin"

and the problem happen when I do :

cd $BASE_DIR/release/linux64/bin/

./cst --o csf_spl.bin --i csf_spl.txt

This is not a path problem else I would have get a different error message


I use openssl : OpenSSL 1.1.1f  31 Mar 2020


Any help would be appreciated

Thank you by advance

Best regards

Aurelien BOUIN