mkimage: Add support for signing with pkcs11

Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings. Signed-off-by: George McCollister <george.mccollister@gmail.com>
author: George McCollister <george.mccollister@gmail.com> 2017-01-06 13:14:17 -0600
committer: Tom Rini <trini@konsulko.com> 2017-01-14 16:47:13 -0500
commit: f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea (patch)
tree: b34c5ae6c177400ed6ed5524266cd2912138a292 /tools
parent: b1c6a54a534d2579db1375039a45572fe38d0ce8 (diff)
4 files changed, 28 insertions, 16 deletions
diff --git a/tools/fit_image.c b/tools/fit_image.c
index efd8a97a0b..4dc8bd8862 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -59,7 +59,8 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc,
 	if (!ret) {
 		ret = fit_add_verification_data(params->keydir, dest_blob, ptr,
 						params->comment,
-						params->require_keys);
+						params->require_keys,
+						params->engine_id);
 	}
 
 	if (dest_blob) {
diff --git a/tools/image-host.c b/tools/image-host.c
index c1a01225e2..5e4d690714 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -149,7 +149,7 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
 
 static int fit_image_setup_sig(struct image_sign_info *info,
 		const char *keydir, void *fit, const char *image_name,
-		int noffset, const char *require_keys)
+		int noffset, const char *require_keys, const char *engine_id)
 {
 	const char *node_name;
 	char *algo_name;
@@ -170,6 +170,7 @@ static int fit_image_setup_sig(struct image_sign_info *info,
 	info->checksum = image_get_checksum_algo(algo_name);
 	info->crypto = image_get_crypto_algo(algo_name);
 	info->require_keys = require_keys;
+	info->engine_id = engine_id;
 	if (!info->checksum || !info->crypto) {
 		printf("Unsupported signature algorithm (%s) for '%s' signature node in '%s' image node\n",
 		       algo_name, node_name, image_name);
@@ -194,12 +195,13 @@ static int fit_image_setup_sig(struct image_sign_info *info,
  * @size:	size of data in bytes
  * @comment:	Comment to add to signature nodes
  * @require_keys: Mark all keys as 'required'
+ * @engine_id:	Engine to use for signing
  * @return 0 if ok, -1 on error
  */
 static int fit_image_process_sig(const char *keydir, void *keydest,
 		void *fit, const char *image_name,
 		int noffset, const void *data, size_t size,
-		const char *comment, int require_keys)
+		const char *comment, int require_keys, const char *engine_id)
 {
 	struct image_sign_info info;
 	struct image_region region;
@@ -209,7 +211,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
 	int ret;
 
 	if (fit_image_setup_sig(&info, keydir, fit, image_name, noffset,
-				require_keys ? "image" : NULL))
+				require_keys ? "image" : NULL, engine_id))
 		return -1;
 
 	node_name = fit_get_name(fit, noffset, NULL);
@@ -288,11 +290,12 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
  * @image_noffset: Requested component image node
  * @comment:	Comment to add to signature nodes
  * @require_keys: Mark all keys as 'required'
+ * @engine_id:	Engine to use for signing
  * @return: 0 on success, <0 on failure
  */
 int fit_image_add_verification_data(const char *keydir, void *keydest,
 		void *fit, int image_noffset, const char *comment,
-		int require_keys)
+		int require_keys, const char *engine_id)
 {
 	const char *image_name;
 	const void *data;
@@ -329,7 +332,7 @@ int fit_image_add_verification_data(const char *keydir, void *keydest,
 				strlen(FIT_SIG_NODENAME))) {
 			ret = fit_image_process_sig(keydir, keydest,
 				fit, image_name, noffset, data, size,
-				comment, require_keys);
+				comment, require_keys, engine_id);
 		}
 		if (ret)
 			return ret;
@@ -569,7 +572,8 @@ static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
 
 static int fit_config_process_sig(const char *keydir, void *keydest,
 		void *fit, const char *conf_name, int conf_noffset,
-		int noffset, const char *comment, int require_keys)
+		int noffset, const char *comment, int require_keys,
+		const char *engine_id)
 {
 	struct image_sign_info info;
 	const char *node_name;
@@ -587,7 +591,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
 		return -1;
 
 	if (fit_image_setup_sig(&info, keydir, fit, conf_name, noffset,
-				require_keys ? "conf" : NULL))
+				require_keys ? "conf" : NULL, engine_id))
 		return -1;
 
 	ret = info.crypto->sign(&info, region, region_count, &value,
@@ -635,7 +639,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
 
 static int fit_config_add_verification_data(const char *keydir, void *keydest,
 		void *fit, int conf_noffset, const char *comment,
-		int require_keys)
+		int require_keys, const char *engine_id)
 {
 	const char *conf_name;
 	int noffset;
@@ -654,7 +658,7 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
 			     strlen(FIT_SIG_NODENAME))) {
 			ret = fit_config_process_sig(keydir, keydest,
 				fit, conf_name, conf_noffset, noffset, comment,
-				require_keys);
+				require_keys, engine_id);
 		}
 		if (ret)
 			return ret;
@@ -664,7 +668,8 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
 }
 
 int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
-			      const char *comment, int require_keys)
+			      const char *comment, int require_keys,
+			      const char *engine_id)
 {
 	int images_noffset, confs_noffset;
 	int noffset;
@@ -687,7 +692,7 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
 		 * i.e. component image node.
 		 */
 		ret = fit_image_add_verification_data(keydir, keydest,
-				fit, noffset, comment, require_keys);
+				fit, noffset, comment, require_keys, engine_id);
 		if (ret)
 			return ret;
 	}
@@ -710,7 +715,8 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
 	     noffset = fdt_next_subnode(fit, noffset)) {
 		ret = fit_config_add_verification_data(keydir, keydest,
 						       fit, noffset, comment,
-						       require_keys);
+						       require_keys,
+						       engine_id);
 		if (ret)
 			return ret;
 	}
diff --git a/tools/imagetool.h b/tools/imagetool.h
index 15c2a0c0e1..a8d505423b 100644
--- a/tools/imagetool.h
+++ b/tools/imagetool.h
@@ -76,6 +76,7 @@ struct image_tool_params {
 	bool external_data;	/* Store data outside the FIT */
 	bool quiet;		/* Don't output text in normal operation */
 	unsigned int external_offset;	/* Add padding to external data */
+	const char *engine_id;	/* Engine to use for signing */
 };
 
 /*
diff --git a/tools/mkimage.c b/tools/mkimage.c
index f48135ff79..b0c98f6f55 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -98,14 +98,15 @@ static void usage(const char *msg)
 		"          -i => input filename for ramdisk file\n");
 #ifdef CONFIG_FIT_SIGNATURE
 	fprintf(stderr,
-		"Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r]\n"
+		"Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
 		"          -E => place data outside of the FIT structure\n"
 		"          -k => set directory containing private keys\n"
 		"          -K => write public keys to this .dtb file\n"
 		"          -c => add comment in signature node\n"
 		"          -F => re-sign existing FIT image\n"
 		"          -p => place external data at a static position\n"
-		"          -r => mark keys used as 'required' in dtb\n");
+		"          -r => mark keys used as 'required' in dtb\n"
+		"          -N => engine to use for signing (pkcs11)\n");
 #else
 	fprintf(stderr,
 		"Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
@@ -143,7 +144,7 @@ static void process_args(int argc, char **argv)
 	int opt;
 
 	while ((opt = getopt(argc, argv,
-			     "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:p:O:rR:qsT:vVx")) != -1) {
+			     "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:N:p:O:rR:qsT:vVx")) != -1) {
 		switch (opt) {
 		case 'a':
 			params.addr = strtoull(optarg, &ptr, 16);
@@ -224,6 +225,9 @@ static void process_args(int argc, char **argv)
 		case 'n':
 			params.imagename = optarg;
 			break;
+		case 'N':
+			params.engine_id = optarg;
+			break;
 		case 'O':
 			params.os = genimg_get_os_id(optarg);
 			if (params.os < 0) {
author	George McCollister <george.mccollister@gmail.com>	2017-01-06 13:14:17 -0600
committer	Tom Rini <trini@konsulko.com>	2017-01-14 16:47:13 -0500
commit	f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea (patch)
tree	b34c5ae6c177400ed6ed5524266cd2912138a292 /tools
parent	b1c6a54a534d2579db1375039a45572fe38d0ce8 (diff)