Visible to Intel only — GUID: tnm1569381911918
Ixiasoft
3.1. Installing PACSign
3.2. PACSign Tool
3.3. Creating Unsigned Images
3.4. Using an HSM Manager
3.5. Creating Keys
3.6. Root Entry Hash Bitstream Creation
3.7. Signing Images
3.8. Creating a CSK ID Cancellation Bitstream
3.9. PACSign PKCS11 Manager *.json Reference
3.10. Creating a Custom HSM Manager
3.11. PACSign Man Page
Visible to Intel only — GUID: tnm1569381911918
Ixiasoft
3.10.3. Signing Operation Flow
A PACSign command that invokes the PKCS #11 manager plugin initializes it with the configuration file name.
PACSign performs insertion of authentication blocks into the bitstream, signed by the root and code signing keys. The resultant signed bitstream is written to the specified output file.
PACSign requests that the HSM manager retrieve the public key X and Y values for the root key and the code signing key. The HSM manager returns the R and S signature over PACSign-provided 256-bit hash values using the root key and code signing key. The following code snippet demonstrates how PACSign utilizes the HSM manager.
self.pub_root_key_c = self.hsm_manager.get_public_key(args.root_key)
common_util.assert_in_error(self.pub_root_key_c, \
"Cannot retrieve root public key")
self.pub_root_key = self.pub_root_key_c.get_X_Y()
self.pub_root_key_perm = self.pub_root_key_c.get_permission()
self.pub_root_key_id = self.pub_root_key_c.get_ID()
self.pub_root_key_type = self.pub_root_key_c.get_content_type()
self.pub_CSK_c = self.hsm_manager.get_public_key(args.code_signing_key)
common_util.assert_in_error(self.pub_CSK_c != None, \
"Cannot retrieve public CSK")
self.pub_CSK = self.pub_CSK_c.get_X_Y()
self.pub_CSK_perm = self.pub_CSK_c.get_permission()
self.pub_CSK_id = self.pub_CSK_c.get_ID()
self.pub_CSK_type = self.pub_CSK_c.get_content_type()
sha = sha256(block0.data).digest()
rs = self.hsm_manager.sign(sha, args.code_signing_key)
sha = sha256(csk_body.data).digest()
rs = self.hsm_manager.sign(sha, args.root_key)