From f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea Mon Sep 17 00:00:00 2001
From: George McCollister
Date: Fri, 6 Jan 2017 13:14:17 -0600
Subject: mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings.
Signed-off-by: George McCollister
---
tools/mkimage.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'tools/mkimage.c')
diff --git a/tools/mkimage.c b/tools/mkimage.c
index f48135ff798..b0c98f6f551 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -98,14 +98,15 @@ static void usage(const char *msg)
 " -i => input filename for ramdisk file\n");
 #ifdef CONFIG_FIT_SIGNATURE
 fprintf(stderr,
- "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c ] [-p addr] [-r]\n"
+ "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c ] [-p addr] [-r] [-N engine]\n"
 " -E => place data outside of the FIT structure\n"
 " -k => set directory containing private keys\n"
 " -K => write public keys to this .dtb file\n"
 " -c => add comment in signature node\n"
 " -F => re-sign existing FIT image\n"
 " -p => place external data at a static position\n"
- " -r => mark keys used as 'required' in dtb\n"
+ " -r => mark keys used as 'required' in dtb\n"
+ " -N => engine to use for signing (pkcs11)\n");
 #else
 fprintf(stderr,
 "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
@@ -143,7 +144,7 @@ static void process_args(int argc, char **argv)
 int opt;
 while ((opt = getopt(argc, argv,
- "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:p:O:rR:qsT:vVx")) != -1) {
+ "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:N:p:O:rR:qsT:vVx")) != -1) {
 switch (opt) {
 case 'a':
 params.addr = strtoull(optarg, &ptr, 16);
@@ -224,6 +225,9 @@ static void process_args(int argc, char **argv)
 case 'n':
 params.imagename = optarg;
 break;
+ case 'N':
+ params.engine_id = optarg;
+ break;
 case 'O':
 params.os = genimg_get_os_id(optarg);
 if (params.os < 0) {
-- cgit v1.2.3
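Review bot: `params.engine_id = optarg;` in the new `case 'N'` stores the engine name without any validation, although the usage text added by the same commit documents pkcs11 as the only engine and the description says further engines require changes in rsa_engine_get_pub_key()/rsa_engine_get_priv_key(); a mistyped name is therefore only noticed, if at all, somewhere in the signing path rather than at argument parsing. The neighbouring `case 'O'` checks its argument right after converting it (`if (params.os < 0) {`), so a parse-time check would match the existing style, e.g. `if (strcmp(optarg, "pkcs11")) usage("Unsupported signing engine");` (usage(const char *) is the function the hunk headers show; this assumes it does not return and that string.h is already included). If the engine list is meant to grow, keeping the accepted names in one place next to the rsa_engine_* helpers avoids the usage text and the check drifting apart. process_args continues outside the hunk.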