aboutsummaryrefslogtreecommitdiff
path: root/tools
diff options
context:
space:
mode:
authorGeorge McCollister <george.mccollister@gmail.com>2017-01-06 13:14:17 -0600
committerTom Rini <trini@konsulko.com>2017-01-14 16:47:13 -0500
commitf1ca1fdebf1cde1c37c91b3d85f8b7af111112ea (patch)
treeb34c5ae6c177400ed6ed5524266cd2912138a292 /tools
parentb1c6a54a534d2579db1375039a45572fe38d0ce8 (diff)
downloadu-boot-f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea.zip
u-boot-f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea.tar.gz
u-boot-f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea.tar.bz2
mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings. Signed-off-by: George McCollister <george.mccollister@gmail.com>
Diffstat (limited to 'tools')
-rw-r--r--tools/fit_image.c3
-rw-r--r--tools/image-host.c30
-rw-r--r--tools/imagetool.h1
-rw-r--r--tools/mkimage.c10
4 files changed, 28 insertions, 16 deletions
diff --git a/tools/fit_image.c b/tools/fit_image.c
index efd8a97..4dc8bd8 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -59,7 +59,8 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc,
if (!ret) {
ret = fit_add_verification_data(params->keydir, dest_blob, ptr,
params->comment,
- params->require_keys);
+ params->require_keys,
+ params->engine_id);
}
if (dest_blob) {
diff --git a/tools/image-host.c b/tools/image-host.c
index c1a0122..5e4d690 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -149,7 +149,7 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
static int fit_image_setup_sig(struct image_sign_info *info,
const char *keydir, void *fit, const char *image_name,
- int noffset, const char *require_keys)
+ int noffset, const char *require_keys, const char *engine_id)
{
const char *node_name;
char *algo_name;
@@ -170,6 +170,7 @@ static int fit_image_setup_sig(struct image_sign_info *info,
info->checksum = image_get_checksum_algo(algo_name);
info->crypto = image_get_crypto_algo(algo_name);
info->require_keys = require_keys;
+ info->engine_id = engine_id;
if (!info->checksum || !info->crypto) {
printf("Unsupported signature algorithm (%s) for '%s' signature node in '%s' image node\n",
algo_name, node_name, image_name);
@@ -194,12 +195,13 @@ static int fit_image_setup_sig(struct image_sign_info *info,
* @size: size of data in bytes
* @comment: Comment to add to signature nodes
* @require_keys: Mark all keys as 'required'
+ * @engine_id: Engine to use for signing
* @return 0 if ok, -1 on error
*/
static int fit_image_process_sig(const char *keydir, void *keydest,
void *fit, const char *image_name,
int noffset, const void *data, size_t size,
- const char *comment, int require_keys)
+ const char *comment, int require_keys, const char *engine_id)
{
struct image_sign_info info;
struct image_region region;
@@ -209,7 +211,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
int ret;
if (fit_image_setup_sig(&info, keydir, fit, image_name, noffset,
- require_keys ? "image" : NULL))
+ require_keys ? "image" : NULL, engine_id))
return -1;
node_name = fit_get_name(fit, noffset, NULL);
@@ -288,11 +290,12 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
* @image_noffset: Requested component image node
* @comment: Comment to add to signature nodes
* @require_keys: Mark all keys as 'required'
+ * @engine_id: Engine to use for signing
* @return: 0 on success, <0 on failure
*/
int fit_image_add_verification_data(const char *keydir, void *keydest,
void *fit, int image_noffset, const char *comment,
- int require_keys)
+ int require_keys, const char *engine_id)
{
const char *image_name;
const void *data;
@@ -329,7 +332,7 @@ int fit_image_add_verification_data(const char *keydir, void *keydest,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_process_sig(keydir, keydest,
fit, image_name, noffset, data, size,
- comment, require_keys);
+ comment, require_keys, engine_id);
}
if (ret)
return ret;
@@ -569,7 +572,8 @@ static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
static int fit_config_process_sig(const char *keydir, void *keydest,
void *fit, const char *conf_name, int conf_noffset,
- int noffset, const char *comment, int require_keys)
+ int noffset, const char *comment, int require_keys,
+ const char *engine_id)
{
struct image_sign_info info;
const char *node_name;
@@ -587,7 +591,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
return -1;
if (fit_image_setup_sig(&info, keydir, fit, conf_name, noffset,
- require_keys ? "conf" : NULL))
+ require_keys ? "conf" : NULL, engine_id))
return -1;
ret = info.crypto->sign(&info, region, region_count, &value,
@@ -635,7 +639,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
static int fit_config_add_verification_data(const char *keydir, void *keydest,
void *fit, int conf_noffset, const char *comment,
- int require_keys)
+ int require_keys, const char *engine_id)
{
const char *conf_name;
int noffset;
@@ -654,7 +658,7 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_process_sig(keydir, keydest,
fit, conf_name, conf_noffset, noffset, comment,
- require_keys);
+ require_keys, engine_id);
}
if (ret)
return ret;
@@ -664,7 +668,8 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
}
int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
- const char *comment, int require_keys)
+ const char *comment, int require_keys,
+ const char *engine_id)
{
int images_noffset, confs_noffset;
int noffset;
@@ -687,7 +692,7 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
* i.e. component image node.
*/
ret = fit_image_add_verification_data(keydir, keydest,
- fit, noffset, comment, require_keys);
+ fit, noffset, comment, require_keys, engine_id);
if (ret)
return ret;
}
@@ -710,7 +715,8 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
noffset = fdt_next_subnode(fit, noffset)) {
ret = fit_config_add_verification_data(keydir, keydest,
fit, noffset, comment,
- require_keys);
+ require_keys,
+ engine_id);
if (ret)
return ret;
}
diff --git a/tools/imagetool.h b/tools/imagetool.h
index 15c2a0c..a8d5054 100644
--- a/tools/imagetool.h
+++ b/tools/imagetool.h
@@ -76,6 +76,7 @@ struct image_tool_params {
bool external_data; /* Store data outside the FIT */
bool quiet; /* Don't output text in normal operation */
unsigned int external_offset; /* Add padding to external data */
+ const char *engine_id; /* Engine to use for signing */
};
/*
diff --git a/tools/mkimage.c b/tools/mkimage.c
index f48135f..b0c98f6 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -98,14 +98,15 @@ static void usage(const char *msg)
" -i => input filename for ramdisk file\n");
#ifdef CONFIG_FIT_SIGNATURE
fprintf(stderr,
- "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r]\n"
+ "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
" -E => place data outside of the FIT structure\n"
" -k => set directory containing private keys\n"
" -K => write public keys to this .dtb file\n"
" -c => add comment in signature node\n"
" -F => re-sign existing FIT image\n"
" -p => place external data at a static position\n"
- " -r => mark keys used as 'required' in dtb\n");
+ " -r => mark keys used as 'required' in dtb\n"
+ " -N => engine to use for signing (pkcs11)\n");
#else
fprintf(stderr,
"Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
@@ -143,7 +144,7 @@ static void process_args(int argc, char **argv)
int opt;
while ((opt = getopt(argc, argv,
- "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:p:O:rR:qsT:vVx")) != -1) {
+ "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:N:p:O:rR:qsT:vVx")) != -1) {
switch (opt) {
case 'a':
params.addr = strtoull(optarg, &ptr, 16);
@@ -224,6 +225,9 @@ static void process_args(int argc, char **argv)
case 'n':
params.imagename = optarg;
break;
+ case 'N':
+ params.engine_id = optarg;
+ break;
case 'O':
params.os = genimg_get_os_id(optarg);
if (params.os < 0) {