Regarding HSM module in iMX8M Plus

Dear concerned,

Is there any security module (HSM) to store private keys for the devices to create a CSR (Certificate Signing Request) on the Toradex iMX8M Plus?

Best Regards
Md Khaled Ibn Hassan

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Yes, the Toradex iMX8M Plus features a Hardware Security Module (HSM) that is designed to securely store private keys. This is essential for cryptographic operations, including the generation of Certificate Signing Requests (CSRs). The HSM enhances the security of key management and cryptographic functions within the device, ensuring that sensitive data, such as private keys, are protected from unauthorized access and tampering.

Please also check whether these links can help you solve your problem:

Can I use HAB SRKs for dm_verity?

It would be helpful if I could get references or reading materials.

What I think you’re looking for is the CAAM module.
Check out the meta-toradex-security layer on GitHub.

As @izzycoding suggested perhaps CAAM could be of use to you. As for HSM, we don’t have any HSMs on the Verdin i.MX8M Plus by default. If you strictly need an HSM this would need to be added as additional hardware.

store private keys for the devices to create a CSR (Certificate signing request)

Is this the only use case you need an HSM for, or do you have any other cryptographic use cases that require dedicated hardware?

Best Regards,
Jeremias

You definitely have some options here. As @izzycoding and @jeremias.tx indicated, it is quite possible to make use of the CAAM for this. One important note is that you MUST use HAB/AHAB and close the device for the CAAM to be effective; if the device is not closed, the CAAM will use an insecure development key.

As an alternative, you might also consider a TPM. One major advantage of using a TPM is that the TPM 2.0 API is exceptionally stable and very widely used, so there is extensive open-source support for it, including OpenSSL engine and provider libraries. So you may find that your integration goes a bit smoother compared to using the CAAM. The disadvantage of TPMs is that they're relatively slow. They're an excellent (and indeed often recommended) solution for the use case you describe. But you can't rely on a TPM for high-throughput cryptographic operations; they're just not intended for that purpose. So if you are asking about HSMs specifically because you need speed and high-throughput operations, don't use a TPM. If you just need to generate a CSR based on a hardware-bound key, then use that cert for proving device identity or authentication to something (e.g. Azure IoT or AWS Greengrass), the TPM's endorsement hierarchy is usually a recommended solution.

We have a documented TPM reference design based on our Mallow carrier board, so you can base a design off that.

You can also use a firmware TPM running inside the OP-TEE trusted execution environment, which is in the end secured by ARM TrustZone. Depending on your requirements and threat model, this can be a great way to get TPM functionality without having to add any additional hardware to your design. The meta-toradex-security layer already has OP-TEE and fTPM support for three of our modules, and we are actively working on bringing that support to the entire line.

I hope that helps give some guidance. If you aren’t planning on using HAB/AHAB, you should definitely use an external crypto chip (TPM or HSM). If you do use HAB/AHAB, you can use the CAAM or an fTPM running in OP-TEE, depending on your use case and needs.
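The TPM route described in the reply above, as an added worked example; this is not Toradex's code and not taken from the meta-toradex-security layer. It assumes tpm2-tools, OpenSSL 3 with the tpm2-openssl provider, and a TPM (discrete, fTPM, or swtpm for bench testing) reachable through the default TCTI; the persistent handle 0x81010001 and the subject device-0001 are placeholders. The key is created with the fixedtpm and fixedparent attributes so it cannot be duplicated out of the TPM, the CSR is signed by the TPM through the provider (OpenSSL only ever sees the handle), and a final check confirms that the public key inside the CSR matches what the TPM reports for that handle.

```shell
#!/bin/sh
# Added example (not Toradex's or the thread's code): create a CSR whose
# private key is generated inside a TPM 2.0 and can never be exported.
# Assumptions: tpm2-tools, OpenSSL 3 + tpm2-openssl provider, a TPM on the
# default TCTI, placeholder handle 0x81010001 and subject device-0001.
set -eu

# Persistent handles occupy the TPM 2.0 range 0x81000000-0x81FFFFFF.
valid_persistent_handle() {
    case "$1" in
        0x81[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
        *) return 1 ;;
    esac
}

require_tools() {
    for t in tpm2_createprimary tpm2_create tpm2_load tpm2_evictcontrol tpm2_readpublic openssl; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Generate a P-256 signing key under the storage hierarchy and persist it.
# fixedtpm|fixedparent make the key non-duplicable: it cannot leave this TPM.
provision_device_key() {
    handle=$1; work=$2
    tpm2_createprimary -C o -G ecc256 -g sha256 -c "$work/primary.ctx" >/dev/null
    tpm2_create -C "$work/primary.ctx" -G ecc256 -g sha256 \
        -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign" \
        -u "$work/key.pub" -r "$work/key.priv" >/dev/null
    tpm2_load -C "$work/primary.ctx" -u "$work/key.pub" -r "$work/key.priv" \
        -c "$work/key.ctx" >/dev/null
    tpm2_evictcontrol -C o -c "$work/key.ctx" "$handle" >/dev/null
}

# The CSR is signed inside the TPM; openssl is handed only the handle URI.
make_csr() {
    handle=$1; cn=$2; out=$3
    openssl req -new -provider tpm2 -provider default \
        -key "handle:$handle" -subj "/CN=$cn" -out "$out"
}

# Check: the public key in the CSR must equal what the TPM reports for the
# handle. Both are normalised to DER and hashed so PEM line breaks don't matter.
csr_matches_tpm_key() {
    handle=$1; csr=$2; work=$3
    tpm2_readpublic -c "$handle" -f pem -o "$work/tpm_pub.pem" >/dev/null
    a=$(openssl pkey -pubin -in "$work/tpm_pub.pem" -outform DER | openssl dgst -sha256)
    b=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

main() {
    handle=${1:-0x81010001}; cn=${2:-device-0001}
    valid_persistent_handle "$handle" || { echo "bad persistent handle: $handle" >&2; exit 2; }
    require_tools
    work=$(mktemp -d)
    provision_device_key "$handle" "$work"
    make_csr "$handle" "$cn" "$work/device.csr"
    openssl req -in "$work/device.csr" -noout -verify     # self-signature check
    csr_matches_tpm_key "$handle" "$work/device.csr" "$work"
    echo "CSR written to $work/device.csr; private key stays in the TPM at $handle"
}

# Only touch the TPM when explicitly asked, so the functions can be sourced.
[ -z "${RUN_TPM_CSR_DEMO:-}" ] || main "$@"
```

Run it with `RUN_TPM_CSR_DEMO=1 sh tpm_csr.sh 0x81010001 device-0001`; point tpm2-tools at a simulator with the `TPM2TOOLS_TCTI` environment variable if you want to try it without hardware. The same flow applies to an fTPM in OP-TEE, since it is exposed through the same TPM 2.0 command interface; for the CAAM you would swap the key-creation and provider steps for the CAAM tooling, which is not shown here.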

Hi, we need to store the private key in an HSM and need to ensure that the keys never leave the device.

Hello @khaled.hassan,

Did the answer from Jon above help you get clarification on how to do that?
Or do you need further support with this topic?

Best Regards,
Bruno