colin/u-boot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mkimage: Add support for signing with pkcs11

Browse Source 
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.

Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
This commit is contained in:
George McCollister
2017-01-06 13:14:17 -06:00
committed by Tom Rini
parent b1c6a54a53
commit f1ca1fdebf
7 changed files with 408 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
tools/mkimage.c
View File

@@ -98,14 +98,15 @@ static void usage(const char *msg)
" -i => input filename for ramdisk file\n");
#ifdef CONFIG_FIT_SIGNATURE
fprintf(stderr,
"Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r]\n"
"Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
" -E => place data outside of the FIT structure\n"
" -k => set directory containing private keys\n"
" -K => write public keys to this .dtb file\n"
" -c => add comment in signature node\n"
" -F => re-sign existing FIT image\n"
" -p => place external data at a static position\n"
" -r => mark keys used as 'required' in dtb\n");
" -r => mark keys used as 'required' in dtb\n"
" -N => engine to use for signing (pkcs11)\n");
#else
fprintf(stderr,
"Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
@@ -143,7 +144,7 @@ static void process_args(int argc, char **argv)
int opt;
while ((opt = getopt(argc, argv,
"a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:p:O:rR:qsT:vVx")) != -1) {
"a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:N:p:O:rR:qsT:vVx")) != -1) {
switch (opt) {
case 'a':
params.addr = strtoull(optarg, &ptr, 16);
@@ -224,6 +225,9 @@ static void process_args(int argc, char **argv)
case 'n':
params.imagename = optarg;
break;
case 'N':
params.engine_id = optarg;
break;
case 'O':
params.os = genimg_get_os_id(optarg);
if (params.os < 0) {