mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
diff --git a/tools/mkimage.c b/tools/mkimage.c
index f48135f..b0c98f6 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -98,14 +98,15 @@
" -i => input filename for ramdisk file\n");
#ifdef CONFIG_FIT_SIGNATURE
fprintf(stderr,
- "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r]\n"
+ "Signing / verified boot options: [-E] [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]\n"
" -E => place data outside of the FIT structure\n"
" -k => set directory containing private keys\n"
" -K => write public keys to this .dtb file\n"
" -c => add comment in signature node\n"
" -F => re-sign existing FIT image\n"
" -p => place external data at a static position\n"
- " -r => mark keys used as 'required' in dtb\n");
+ " -r => mark keys used as 'required' in dtb\n"
+ " -N => engine to use for signing (pkcs11)\n");
#else
fprintf(stderr,
"Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
@@ -143,7 +144,7 @@
int opt;
while ((opt = getopt(argc, argv,
- "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:p:O:rR:qsT:vVx")) != -1) {
+ "a:A:b:c:C:d:D:e:Ef:Fk:i:K:ln:N:p:O:rR:qsT:vVx")) != -1) {
switch (opt) {
case 'a':
params.addr = strtoull(optarg, &ptr, 16);
@@ -224,6 +225,9 @@
case 'n':
params.imagename = optarg;
break;
+ case 'N':
+ params.engine_id = optarg;
+ break;
case 'O':
params.os = genimg_get_os_id(optarg);
if (params.os < 0) {