Debug Credentials with Signature Provider for rt5xx

Debug Credentials with Signature Provider for rt5xx#

This notebook describes how to use a custom remote signing service for debug certificate generation

%run ../../init_notebook.ipynb

import pprint
import os

pp = pprint.PrettyPrinter(indent=4)

plugins_dir = '../common/plugins/'

SASP_PLUGIN = os.path.join(plugins_dir, '')
WORKSPACE = "workspace/dat/" # change this to path to your workspace
DATA_DIR = "data_dat/" # change this to path to your workspace
VERBOSITY = "-v" # verbosity of commands, might be -v or -vv for debug or blank for no additional info
Created `%!` as an alias for `%execute`.

Signature Provider Plugin#

First, we need to setup the Signature Provider plugin and start the custom HSM. In order to do that, open Signature Provider notebook and follow the instructions there. Once you are done, come back and continue here.

Config File Setup#

The nxpdebugmbox configuration file must be updated in order to integrate the custom Signature Provider.

The signature provider configuration must meet following rules:

  • Configuration key

    • key names sign_provider or signProvider are allowed

  • Configuration value

    • format "type=<sp_type>;<key1>=<value1>;<key2>=<value2>;..."

    • the sp_type has to match the sp_type class attribute defined in the custom signature provider(plugins/

    • the remaining key-value pairs are passed to the __init__ method of the concrete Signature Provider

    • e.g.: "type=file;file_path=private_key.pem" will instantiate spsdk.crypto.PlainFileSP(file_path='private_key.pem')

New configuration field rot_id has been introduced: - due to the nature of creating Debug Credential file we need to know in advance which of the private keys will be used to perform the actual signing - rot_id is a 0-based index representing the private key that will be used with respect to rot_meta - e.g.: if we want to use a private key that corresponds to the public key, rot_id has to be set to 1

import yaml
import os
import shutil
from spsdk.utils.misc import load_configuration
# choose family for the MCU
FAMILY = "rt5xx"
CONFIG_PATH = os.path.join(WORKSPACE, 'dck_rsa_2048.yml')

os.makedirs(WORKSPACE, exist_ok=True)
shutil.copyfile(os.path.join(DATA_DIR, 'dck_rsa_2048.yml'), CONFIG_PATH)

config = load_configuration(CONFIG_PATH)
del config['rotk']
config['sign_provider'] = "type=sasp;key_number=0;key_type=rsa2048"

with open(CONFIG_PATH, 'w') as file:
    yaml.dump(config, file, default_flow_style=False)

files_needed = ['', '', '']
for file in files_needed:
    shutil.copyfile(os.path.join(DATA_DIR, file), os.path.join(WORKSPACE, file))

pp.pprint(f"All files are ready in folder '{WORKSPACE}'")
"All files are ready in folder 'workspace/dat/'"


At this point, we have everything we need to run create debug certificate signed by remote HSM.

CONFIG_PATH = os.path.join(WORKSPACE, 'dck_rsa_2048.yml')
OUTPUT_PATH = os.path.join(WORKSPACE, 'dc_out.cert')

%! nxpdebugmbox --protocol 1.0 gendc --config $CONFIG_PATH --plugin $SASP_PLUGIN  --output $OUTPUT_PATH
# check if the signed image exists
assert os.path.exists(OUTPUT_PATH)
nxpdebugmbox --protocol 1.0 gendc --config workspace/dat/dck_rsa_2048.yml --plugin ../common/plugins/  --output workspace/dat/dc_out.cert 
Output file already exists. Please use --force is you want to overwrite existing files.

HSM teardown#

Last step is to stop custom HSM. In order to do that, open again the HSM Setup notebook and stop the running jupyter notebook code cell.