tct2

tct2 [[-S|--sign] | [-P|--pack] | [-E|--encrypt] | [--add-sig] | [--sign-and-pack] | [--print-sigs] | [--unpack-skycert] | [--unpack-sar-payload]] [--sigfile=<NAME>] [-k|--key=<IDENT>] [[--is-machine] | [--machine-key=<HASH>] | [--machine-key-ident=<IDENT>] [-T|--machine-type=<TYPE>]] [-m|--module=<MODULE>] [-o|--outfile=<OUTFILE>] [--non-interactive] [--show-metadata] [-v|--verbose] [-q|--quiet] [[-i|--infile=]<INFILE>]

Trusted Code Tool: enables users to sign, pack, and encrypt file archives so that they can be loaded onto an SEE-Ready nShield HSM. tct2 uses keys that are protected by a Security World or an OCS and creates SAR files.

Examples of how tct2 can be used are provided in Example SEE machines.

Encrypted SEE machines are not supported for use with nShield Connect HSMs. When the SEEMachine binary is installed on the Connect itself for automated loading at boot, the SEE Confidentiality key is not available. However, when a client host loads a SEEMachine, it has access to the SEE Confidentiality key and can cause the binary to be decrypted. In this scenario, the Connect works fine with encrypted SEEMachine binaries.

Check the documentation supplied by the application vendor to see if you need to use tct2 to set up and use the application.

Options

Program options (use exactly one)

--add-sig

Creates a signed SAR file --outfile=<OUTFILE> from the unsigned SAR file --infile=<INFILE> and the key --key=<IDENT>.

-E, --encrypt

Encrypts the packed SAR file --infile=<INFILE>.
--key=<IDENT> must be specified.

-P, --pack

Packs the file --infile=<INFILE> and any signatures --sigfile=<NAME> into a SAR file --outfile=<OUTFILE>.
When creating an SEE machine image, the input file is a .SXF file produced by the elftool utility.
When creating a SEE user data file, the input format is determined by the SEE machine type.

--print-sigs

Displays the key hashes used to sign the SAR file --infile=<INFILE>.

-S, --sign

Creates a signature on the file --infile=<INFILE>. You must specify --key=<IDENT> and one of

  • --is-machine

  • --machine-key=<HASH>

  • --machine-key-ident=<IDENT>

--sign-and-pack

Creates a signature on the file --infile=<INFILE> using --key=<IDENT> and one of --is-machine, --machine-key=<HASH>, or --machine-key-ident=<IDENT>, then packs it into the file --outfile=<OUTFILE>.

--unpack-sar-payload

Retrieves the payload of the SAR file --infile=<INFILE>.

Packing and signing options

--sigfile=<NAME>

File that contains the signature. This option can be repeated to specify multiple signatures.

Machine key specification options for signing operations

--is-machine

Uses SEE machine signing mode.

--machine-key=<HASH>

Key hash of the SEE machine for which this signature is good.

--machine-key-ident=<IDENT>

Retrieves the hash of key <IDENT> then behaves like --machine-key=<HASH>. Only one machine key specification option can be specified.

-T, --machine-type=<TYPE>

SEE machine type.
If you are not sure which SEE machine type is appropriate for your HSM, run enquiry and check the SEE Machine Type output.
If you do not specify an SEE machine type with this option, tct2 tries to determine the appropriate type by reading the format of the code to be signed. If tct2 cannot determine the appropriate SEE machine type, it returns an error message. In such a case, run tct2 again, explicitly setting the SEE machine type with this option.
Machine type parameter (<TYPE>) for tct2, as a string or a number:

SEE Machine Type    tct2 machine type parameter
PowerPCSXF          PowerPCSXF or 2
PowerPCELF          PowerPCELF or 5

Other options

-i, --infile=<INFILE>

Name of the input .sxf file.
You can also specify the input file without using the --infile option by including the file name at the end of the command.

--non-interactive

Sets non-interactive mode.
If you have not already loaded any required card sets, tct2 fails (instead of prompting you to load any required card sets).

-o, --outfile=<OUTFILE>

Name of the output .sar file to create.
This option is valid only with the Program options that create an output file.

-q, --quiet

Decreases the verbosity level. Repeat the option, for example as -qqq, to decrease the level by several steps at once.

--show-metadata

Shows the image metadata before signing.

-v, --verbose

Increases the verbosity level. Repeat the option, for example as -vvv, to increase the level by several steps at once.

Module selection

-m, --module=<MODULE>

Specifies the ID number of the module to use.
If you have only one module, <MODULE> is 1.
If you do not specify a module ID, tct2 uses all modules by default.

Help options

-h, --help

Displays help for tct2.

-u, --usage

Displays a brief usage summary for tct2.

-V, --version

Displays the version number of the Security World Software that deploys tct2.

Sign with tct2

Use one of the following methods to create a signing key:

  • During the KeySafe key-generation process, ensure you select the SEE Code Integrity option.

  • When generating the key with the generatekey command-line utility, ensure you select the application type seeinteg.

Signing keys can be DSA or RSA. You can sign a file any number of times using different signing keys.

For information about key application types, see Key application type (APPNAME).

For information about generating keys, see Generating keys.

To create a signature, give a command of the form:

tct2 -S|--sign [-m|--module=<MODULE>] -k|--key=<IDENT> [--machine-key=<HASH> | --machine-key-ident=<IDENT> | --is-machine] -o|--outfile=<OUTFILE> [-i|--infile=<INFILE>]

If the signing key is protected by an OCS, tct2 prompts you for the passphrase for the inserted card.

Pack with tct2

All files must be packed even if you are not adding signatures. The packing operation must be performed once and only once. Your application vendor may have supplied a pre-packed SAR file.

Packing a file creates a new SAR file. The packed file contains:

  • The original file

  • Specified signatures, if any.

To pack a file and any signatures, give a command of the form:

tct2 -P|--pack -o|--outfile=<OUTFILE> [-i|--infile=]<INFILE> [sigfile...]

Encrypt with tct2

Encrypted SEE machines are not currently supported for use with nShield Connects. When the SEEMachine binary is installed on the Connect itself for automated loading at boot, the SEE Confidentiality key is not available. However, when a client host loads a SEEMachine, it has access to the SEE Confidentiality key and can cause the binary to be decrypted. In this scenario, the Connect works fine with encrypted SEEMachine binaries.

Use one of the following methods to create an encryption key:

  • During the KeySafe key-generation process, ensure you select the SEE Code Confidentiality option.

  • When generating the key with the generatekey command-line utility, ensure you select the application type seeconf.

Encryption keys can be either Triple DES or AES keys. Encryption keys can be protected by the Security World or by a 1/N OCS.

For information about key application types, see Key application type (APPNAME).

For information about generating keys, see the User Guide.

A .sar file can be encrypted only once. To encrypt a .sar file, use the command:

tct2 -E|--encrypt -k|--key=<IDENT> [-m|--module=<MODULE>] -o|--outfile=<OUTFILE> [-i|--infile=]<INFILE>
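The sign, pack and encrypt steps of the three sections above, combined into one POSIX sh helper that runs them in the required order (sign with each seeinteg key, pack once with every signature, encrypt at most once). This is an added example, not code from the Entrust documentation; TCT2, MACHINE_TYPE, the build_sar function and its <out.sar>.sigN naming are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Entrust documentation): runs the tct2 workflow in
# the order the sections above require: sign with each seeinteg key, pack
# exactly once with every signature, then encrypt at most once.
# Assumptions: TCT2 names the tct2 binary (point it at a stub to dry-run without
# an HSM); MACHINE_TYPE is what enquiry reports for your HSM; the key idents
# are seeinteg/seeconf keys generated as described above.
set -e

TCT2="${TCT2:-tct2}"
MACHINE_TYPE="${MACHINE_TYPE:-PowerPCELF}"   # assumed value; check enquiry

# build_sar <in.sxf> <out.sar> <seeconf key ident or ""> <seeinteg key ident>...
# Signatures are written as <out.sar>.sig1, .sig2, ... (a naming choice made
# here, not a tct2 convention).
build_sar() {
    infile=$1; outfile=$2; conf_key=$3; shift 3
    [ $# -ge 1 ] || { echo "build_sar: need at least one seeinteg key" >&2; return 2; }
    # A SAR is packed once and only once: never overwrite an existing one.
    [ ! -e "$outfile" ] || { echo "build_sar: $outfile already exists" >&2; return 2; }
    # 1. Sign the .sxf once per integrity key. --is-machine selects SEE machine
    #    signing mode; --non-interactive makes tct2 fail instead of prompting
    #    for an OCS that is not loaded, which is what an unattended build wants.
    n=0
    for key in "$@"; do
        n=$((n + 1))
        "$TCT2" --sign --non-interactive --key="$key" --is-machine \
            --machine-type="$MACHINE_TYPE" --outfile="$outfile.sig$n" --infile="$infile"
    done
    # 2. Pack the .sxf plus every signature into the SAR, exactly once.
    set --
    i=1
    while [ "$i" -le "$n" ]; do
        set -- "$@" "--sigfile=$outfile.sig$i"
        i=$((i + 1))
    done
    "$TCT2" --pack --non-interactive "$@" --outfile="$outfile" --infile="$infile"
    # Check: print the key hashes on the packed SAR so they can be compared
    # against the expected seeinteg key hashes before the image is deployed.
    "$TCT2" --print-sigs --infile="$outfile"
    # 3. Encrypt at most once, only when a seeconf key was given; the encrypted
    #    copy gets its own name so the plain SAR is never encrypted twice.
    if [ -n "$conf_key" ]; then
        "$TCT2" --encrypt --non-interactive --key="$conf_key" \
            --outfile="${outfile%.sar}-enc.sar" --infile="$outfile"
    fi
}
```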