diff options
author | George McCollister <george.mccollister@gmail.com> | 2017-01-06 13:14:17 -0600 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2017-01-14 16:47:13 -0500 |
commit | f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea (patch) | |
tree | b34c5ae6c177400ed6ed5524266cd2912138a292 /tools | |
parent | b1c6a54a534d2579db1375039a45572fe38d0ce8 (diff) | |
download | u-boot-f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea.zip u-boot-f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea.tar.gz u-boot-f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea.tar.bz2 |
mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/fit_image.c | 3 | ||||
-rw-r--r-- | tools/image-host.c | 30 | ||||
-rw-r--r-- | tools/imagetool.h | 1 | ||||
-rw-r--r-- | tools/mkimage.c | 10 |
4 files changed, 28 insertions, 16 deletions
diff --git a/tools/fit_image.c b/tools/fit_image.c index efd8a97..4dc8bd8 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -59,7 +59,8 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc, if (!ret) { ret = fit_add_verification_data(params->keydir, dest_blob, ptr, params->comment, - params->require_keys); + params->require_keys, + params->engine_id); } if (dest_blob) { diff --git a/tools/image-host.c b/tools/image-host.c index c1a0122..5e4d690 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -149,7 +149,7 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value, static int fit_image_setup_sig(struct image_sign_info *info, const char *keydir, void *fit, const char *image_name, - int noffset, const char *require_keys) + int noffset, const char *require_keys, const char *engine_id) { const char *node_name; char *algo_name; @@ -170,6 +170,7 @@ static int fit_image_setup_sig(struct image_sign_info *info, info->checksum = image_get_checksum_algo(algo_name); info->crypto = image_get_crypto_algo(algo_name); info->require_keys = require_keys; + info->engine_id = engine_id; if (!info->checksum || !info->crypto) { printf("Unsupported signature algorithm (%s) for '%s' signature node in '%s' image node\n", algo_name, node_name, image_name); @@ -194,12 +195,13 @@ static int fit_image_setup_sig(struct image_sign_info *info, * @size: size of data in bytes * @comment: Comment to add to signature nodes * @require_keys: Mark all keys as 'required' + * @engine_id: Engine to use for signing * @return 0 if ok, -1 on error */ static int fit_image_process_sig(const char *keydir, void *keydest, void *fit, const char *image_name, int noffset, const void *data, size_t size, - const char *comment, int require_keys) + const char *comment, int require_keys, const char *engine_id) { struct image_sign_info info; struct image_region region; @@ -209,7 +211,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest, int ret; if (fit_image_setup_sig(&info, keydir, fit, image_name, noffset, - require_keys ? "image" : NULL)) + require_keys ? "image" : NULL, engine_id)) return -1; node_name = fit_get_name(fit, noffset, NULL); @@ -288,11 +290,12 @@ static int fit_image_process_sig(const char *keydir, void *keydest, * @image_noffset: Requested component image node * @comment: Comment to add to signature nodes * @require_keys: Mark all keys as 'required' + * @engine_id: Engine to use for signing * @return: 0 on success, <0 on failure */ int fit_image_add_verification_data(const char *keydir, void *keydest, void *fit, int image_noffset, const char *comment, - int require_keys) + int require_keys, const char *engine_id) { const char *image_name; const void *data; @@ -329,7 +332,7 @@ int fit_image_add_verification_data(const char *keydir, void *keydest, strlen(FIT_SIG_NODENAME))) { ret = fit_image_process_sig(keydir, keydest, fit, image_name, noffset, data, size, - comment, require_keys); + comment, require_keys, engine_id); } if (ret) return ret; @@ -569,7 +572,8 @@ static int fit_config_get_data(void *fit, int conf_noffset, int noffset, static int fit_config_process_sig(const char *keydir, void *keydest, void *fit, const char *conf_name, int conf_noffset, - int noffset, const char *comment, int require_keys) + int noffset, const char *comment, int require_keys, + const char *engine_id) { struct image_sign_info info; const char *node_name; @@ -587,7 +591,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest, return -1; if (fit_image_setup_sig(&info, keydir, fit, conf_name, noffset, - require_keys ? "conf" : NULL)) + require_keys ? "conf" : NULL, engine_id)) return -1; ret = info.crypto->sign(&info, region, region_count, &value, @@ -635,7 +639,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest, static int fit_config_add_verification_data(const char *keydir, void *keydest, void *fit, int conf_noffset, const char *comment, - int require_keys) + int require_keys, const char *engine_id) { const char *conf_name; int noffset; @@ -654,7 +658,7 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest, strlen(FIT_SIG_NODENAME))) { ret = fit_config_process_sig(keydir, keydest, fit, conf_name, conf_noffset, noffset, comment, - require_keys); + require_keys, engine_id); } if (ret) return ret; @@ -664,7 +668,8 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest, } int fit_add_verification_data(const char *keydir, void *keydest, void *fit, - const char *comment, int require_keys) + const char *comment, int require_keys, + const char *engine_id) { int images_noffset, confs_noffset; int noffset; @@ -687,7 +692,7 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit, * i.e. component image node. */ ret = fit_image_add_verification_data(keydir, keydest, - fit, noffset, comment, require_keys); + fit, noffset, comment, require_keys, engine_id); if (ret) return ret; } @@ -710,7 +715,8 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit, noffset = fdt_next_subnode(fit, noffset)) { ret = fit_config_add_verification_data(keydir, keydest, fit, noffset, comment, - require_keys); + require_keys, + engine_id); if (ret) return ret; } diff --git a/tools/imagetool.h b/tools/imagetool.h index 15c2a0c..a8d5054 100644 --- a/tools/imagetool.h +++ b/tools/imagetool.h @@ -76,6 +76,7 @@ struct image_tool_params { bool external_data; /* Store data outside the FIT */ bool quiet; /* Don't output text in normal operation */ unsigned int external_offset; /* Add padding to external data */ + const char *engine_id; /* Engine to use for signing */ }; /* diff --git a/tools/mkimage.c b/tools/mkimage.c index f48135f..b0c98f6 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -98,14 +98,15 @@ static void usage(const char *msg) " -i => input filename for ramdisk file\n"); #ifdef CONFIG_FIT_SIGNATURE fprintf(stderr, - "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r]\n" + "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n" " -E => place data outside of the FIT structure\n" " -k => set directory containing private keys\n" " -K => write public keys to this .dtb file\n" " -c => add comment in signature node\n" " -F => re-sign existing FIT image\n" " -p => place external data at a static position\n" - " -r => mark keys used as 'required' in dtb\n"); + " -r => mark keys used as 'required' in dtb\n" + " -N => engine to use for signing (pkcs11)\n"); #else fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); @@ -143,7 +144,7 @@ static void process_args(int argc, char **argv) int opt; while ((opt = getopt(argc, argv, - "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:p:O:rR:qsT:vVx")) != -1) { + "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:N:p:O:rR:qsT:vVx")) != -1) { switch (opt) { case 'a': params.addr = strtoull(optarg, &ptr, 16); @@ -224,6 +225,9 @@ static void process_args(int argc, char **argv) case 'n': params.imagename = optarg; break; + case 'N': + params.engine_id = optarg; + break; case 'O': params.os = genimg_get_os_id(optarg); if (params.os < 0) { |