Other Parts Discussed in Thread: AM62P
Tool/software:
Our secret keys are generated and managed by a dedicated server, and the image is also signed through this server. Does TI have a signing solution for this scenario?
1/. Linux SDK 8.x
code signing reference scripts
https://git.ti.com/cgit/k3-image-gen/k3-image-gen/tree/gen_x509_cert.sh
For example, “openssl req -new -x509 -key $KEY -nodes -outform DER -out $CERT -config $TEMP_X509 -$SHA”
https://git.ti.com/cgit/k3-image-gen/k3-image-gen/tree/gen_x509_cert.sh#n335
2/. Linux SDK 9.x
Starting from SDK 9.x, BINMAN was introduced for code signing, where "openssl" is still being used.
reference on code signing using BINMAN
https://git.ti.com/gitweb?p=ti-u-boot/ti-u-boot.git;a=commit;h=dd467d4f53808c92dd4b47d7e3f57825607670cf
In general, the reference code signing scripts (i.e. openssl based) need to be integrated with the secure key server, where openssl commands involving secret keys (RSA key, symmetric key, etc.) in the reference scripts need to be ported with the secure key server.
Best,
-Hong
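The split described in the reply above, as an added example (not TI's scripts and not part of the original thread): the build host hashes and pads the bytes to be signed, only that padded digest goes to the signer, and the returned signature is checked with the public key before it is packaged. `key_server_sign`, the toy key and the choice of SHA-256 with RSA PKCS#1 v1.5 are assumptions; building the X.509 certificate itself is out of scope here.

```python
import hashlib

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key (two Mersenne primes) so the example runs offline.
# It is NOT a usable signing key; a real key never leaves the key server.
_P, _Q, E = 2**521 - 1, 2**607 - 1, 65537
N = _P * _Q
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def encode_for_signing(tbs: bytes) -> bytes:
    """Build host: hash the to-be-signed bytes, apply EMSA-PKCS1-v1_5 padding."""
    t = SHA256_PREFIX + hashlib.sha256(tbs).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def key_server_sign(encoded: bytes) -> bytes:
    """Hypothetical key-server side: the only place the private exponent exists."""
    if len(encoded) != K or not encoded.startswith(b"\x00\x01\xff"):
        raise ValueError("refusing to sign: not a padded digest block")
    d = pow(E, -1, (_P - 1) * (_Q - 1))
    return pow(int.from_bytes(encoded, "big"), d, N).to_bytes(K, "big")


def verify(tbs: bytes, signature: bytes) -> bool:
    """Build host: check the returned signature with the public key only."""
    if len(signature) != K:
        return False
    recovered = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return recovered == encode_for_signing(tbs)


def sign_image(tbs: bytes) -> bytes:
    """Full flow: encode locally, sign remotely, verify before packaging."""
    sig = key_server_sign(encode_for_signing(tbs))
    if not verify(tbs, sig):
        raise RuntimeError("key server returned a signature that does not verify")
    return sig
```

In a real integration the body of `key_server_sign` is replaced by the call into the key server or HSM, and the build host holds only the public key.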
The kernel FIT image is generated differently as described here
https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/10_00_07_04/exports/docs/linux/Foundational_Components_Kernel_Users_Guide.html#creating-the-kernel-fitimage-for-high-security-device-gp-devices
Best,
-Hong
Hello Supporter,
Because the OS of our HSM is Windows, we cannot use the uboot mkimage on Windows. So I want to know if there is some other method to do this signing?
Thanks~
I'm not aware of an alternative other than the uboot mkimage to create a FIT image.
Best,
-Hong
About otp_keywriter, currently we use otp_keywriter_am62x-windows-installer.exe to test secureboot locally. In the future, we will integrate gen_keywr_cert.sh into HSM.
I want to know if the gen_keywr_cert.sh script in otp_keywriter_am62x-windows-installer.exe is a generic script? Can it be used on other TI secure hardware platforms? Because we have another TI hardware platform project doing the same thing.
Yes, it is the same OTP keywriter architecture for K3 family SoCs such as AM64x, AM62x, AM62A, AM62P, and the J7 family.
Refer to the current list of K3 family SoC
https://software-dl.ti.com/tisci/esd/09_01_08/5_soc_doc/index.html#
Best,
-Hong