author | George McCollister <george.mccollister@gmail.com> | 2017-01-06 13:14:17 -0600 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2017-01-14 16:47:13 -0500 |
commit | f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea (patch) | |
tree | b34c5ae6c177400ed6ed5524266cd2912138a292 /tools/mkimage.c | |
parent | b1c6a54a534d2579db1375039a45572fe38d0ce8 (diff) | |
mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Diffstat (limited to 'tools/mkimage.c')
-rw-r--r-- | tools/mkimage.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/tools/mkimage.c b/tools/mkimage.c
index f48135f..b0c98f6 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -98,14 +98,15 @@ static void usage(const char *msg)
 " -i => input filename for ramdisk file\n");
 #ifdef CONFIG_FIT_SIGNATURE
 fprintf(stderr,
- "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r]\n"
+ "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
 " -E => place data outside of the FIT structure\n"
 " -k => set directory containing private keys\n"
 " -K => write public keys to this .dtb file\n"
 " -c => add comment in signature node\n"
 " -F => re-sign existing FIT image\n"
 " -p => place external data at a static position\n"
- " -r => mark keys used as 'required' in dtb\n");
+ " -r => mark keys used as 'required' in dtb\n"
+ " -N => engine to use for signing (pkcs11)\n");
 #else
 fprintf(stderr,
 "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
@@ -143,7 +144,7 @@ static void process_args(int argc, char **argv)
 int opt;
 
 while ((opt = getopt(argc, argv,
- "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:p:O:rR:qsT:vVx")) != -1) {
+ "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:N:p:O:rR:qsT:vVx")) != -1) {
 switch (opt) {
 case 'a':
 params.addr = strtoull(optarg, &ptr, 16);
@@ -224,6 +225,9 @@ static void process_args(int argc, char **argv)
 case 'n':
 params.imagename = optarg;
 break;
+ case 'N':
+ params.engine_id = optarg;
+ break;
 case 'O':
 params.os = genimg_get_os_id(optarg);
 if (params.os < 0) {
|
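Review bot: The help text in usage() does not say how `-k` is interpreted once `-N` selects an engine; the unchanged `-k` line still reads "set directory containing private keys", which does not describe a key held on a smartcard or HSM. How keydir is consumed in the engine case is not visible in this hunk, so the exact wording should follow the signing code, but something like `" -k => set directory containing private keys (engine-specific key location with -N)\n"` would tell the operator that no key file is expected on disk. usage() starts and ends outside the hunk.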
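Review bot: `case 'N'` stores optarg in params.engine_id with no check, although the commit message says only pkcs11 key_id strings are constructed. Nothing visible in this hunk rejects another engine name, so a mistyped or unsupported value would presumably only surface later in the signing path, after the name has been handed on. Failing at parse time, e.g. `if (strcmp(optarg, "pkcs11")) usage("Unsupported signing engine");` before the assignment, gives a clear error and keeps unexpected engine names away from the crypto library. A short comment such as `/* engine id for signing; only "pkcs11" is handled so far */` would also help. process_args() continues outside the hunk.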