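To help you quickly verify the tool's HAB signing function, a copy of the cst tool with HAB signing already enabled has been uploaded to Baidu Netdisk. It is for personal study use only; anyone who uses it otherwise bears the consequences. -- Link: https://pan.baidu.com/s/15kFA3qwwFyY4BuL3ZpDqSQ -- Extraction code: rivb. Usage: unzip the downloaded archive cst_3.0.1_hab_auth.zip and copy all of its files into the \NXP-MCUBootUtility\tools\cst folder.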
NXP-MCUBootUtility is a tool designed for secure, encrypted boot on NXP MCUs. It fully supports the HAB-based secure boot modes (signature only, and signature plus encryption). The HAB-related functions rely on NXP's official HAB Code Signing Tool. Because of export-control restrictions on security products, the HAB Code Signing Tool cannot be bundled directly into the NXP-MCUBootUtility installation package, so if you want to enable the HAB signature and encryption functions, you need to add the HAB Code Signing Tool to NXP-MCUBootUtility manually. This article shows how to add the HAB Code Signing Tool to NXP-MCUBootUtility in order to activate the HAB signature function.
First, you need to download the HAB Code Signing Tool from the NXP official website. Before the download starts, a web page with an agreement pops up; click 'I Accept' and then you can download cst-3.1.0.tgz (downloaded at 2018.12, the version may change over time).
This Agreement must be read through and accepted before the CST tool can be downloaded; this step must be done. It is also one of the reasons why the CST tool cannot be put directly into the NXP-MCUBootUtility package.
After downloading the cst-3.1.0.tgz package, unzip it (it has to be extracted twice before the contents of \cst-3.1.0\cst-3.1.0\release appear) and place it in the \NXP-MCUBootUtility\tools\cst\ directory.
The HAB signature certificate generation function in NXP-MCUBootUtility is implemented by calling the \NXP-MCUBootUtility\tools\cst\keys\hab4_pki_tree.bat script. You need to make the following minor changes to this script before NXP-MCUBootUtility can use it.
First, you need to comment out the following 6 lines of code:

:: Comment out line 72
::set /P existing_ca="Do you want to use an existing CA key (y/n)?: "
:: Comment out line 80
::set /P use_ecc="Do you want to use Elliptic Curve Cryptography (y/n)?: "
:: Comment out line 104
::set /P kl="Enter key length in bits for PKI tree: "
:: Comment out line 115
::set /P duration="Enter PKI tree duration (years): "
:: Comment out line 121
::set /P num_srk="How many Super Root Keys should be generated? "
:: Comment out line 133
::set /P srk_ca="Do you want the SRK certificates to have the CA flag set? (y/n)?: "

Then you need to add the following 6 lines of code, starting from line 2:

@echo off
:: Added code below
set existing_ca=%1
set use_ecc=n
set kl=%2
set duration=%3
set num_srk=%4
set srk_ca=%5

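The two edits above can also be applied mechanically. The following Python code is an added example, not part of the original article or of NXP's CST package; it finds the prompts by variable name instead of by line number (line numbers may shift between CST versions), and the function name `patch_pki_tree` and the sample script text are constructed for illustration.

```python
import re

# Prompt variables from the article and the value each gets at the top of the script.
ASSIGNMENTS = [("existing_ca", "%1"), ("use_ecc", "n"), ("kl", "%2"),
               ("duration", "%3"), ("num_srk", "%4"), ("srk_ca", "%5")]
PROMPT = re.compile(r"^\s*set\s+/P\s+(\w+)=", re.IGNORECASE)


def patch_pki_tree(text):
    """Return (patched_text, commented_names). Running it on its own output changes nothing."""
    names = {name for name, _ in ASSIGNMENTS}
    lines = text.splitlines()
    # A script that already carries the first assignment is treated as already patched.
    inserted = any(l.strip().lower() == "set existing_ca=%1" for l in lines)
    out, commented = [], []
    for line in lines:
        m = PROMPT.match(line)
        if m and m.group(1) in names:
            out.append("::" + line.lstrip())  # disable the interactive prompt
            commented.append(m.group(1))
            continue
        out.append(line)
        if not inserted and line.strip().lower() == "@echo off":
            # Insert the six positional assignments right after line 1.
            out.extend(f"set {name}={value}" for name, value in ASSIGNMENTS)
            inserted = True
    if not inserted:
        raise ValueError("no '@echo off' line found; refusing to guess where to insert")
    return "\r\n".join(out) + "\r\n", commented


# Constructed excerpt: the six prompts quoted in the article plus filler lines.
SAMPLE = "\r\n".join([
    "@echo off",
    'set /P existing_ca="Do you want to use an existing CA key (y/n)?: "',
    'set /P use_ecc="Do you want to use Elliptic Curve Cryptography (y/n)?: "',
    'set /P kl="Enter key length in bits for PKI tree: "',
    'set /P duration="Enter PKI tree duration (years): "',
    'set /P num_srk="How many Super Root Keys should be generated? "',
    'set /P srk_ca="Do you want the SRK certificates to have the CA flag set? (y/n)?: "',
    'set /P unrelated="constructed prompt that must stay interactive: "',
    "echo constructed filler line",
]) + "\r\n"

if __name__ == "__main__":
    patched, commented = patch_pki_tree(SAMPLE)
    print(patched)
    print("commented out:", commented)
```

Keep a copy of the unmodified hab4_pki_tree.bat and diff it against the patched output before using the result.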
At this point, the HAB signature function of NXP-MCUBootUtility is activated. Open NXP-MCUBootUtility, select the "HAB Signed Image Boot" mode under Secure Boot Type, and try it out. If you want to go on to activate the HAB encryption function of NXP-MCUBootUtility, please refer to "Enabling the HAB encryption function of NXP-MCUBootUtility - CST".