In some production configurations, there is a desire to protect the root of trust using a Hardware Security Module (HSM). This device keeps the private keys protected, and uses a protocol (typically USB) to request the device generate the signatures.
This issue covers adding support for HSM to MCUboot (likely to imgtool). It will probably be needed to do some initial investigation as to what HSM to initially support. Some of these are very expensive ($10-20k) and although they may be useful for production systems, and particularly good choices for initial support in an open-source project. Even the YubiHSM module sells for $650. Without an economical device, we may have to leave the support simulated, with hooks, so that someone needing these devices can add the support.