Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-05-08 10:39:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

mkimage: Add support for signing with pkcs11

Browse source 
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.

Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.

Signed-off-by: George McCollister <george.mccollister@gmail.com>
This commit is contained in:
George McCollister 2017-01-06 13:14:17 -06:00 committed by Tom Rini
parent b1c6a54a53
commit f1ca1fdebf
7 changed files with 408 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

30
tools/image-host.c
View file

@ -149,7 +149,7 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
static int fit_image_setup_sig(struct image_sign_info *info,
const char *keydir, void *fit, const char *image_name,
int noffset, const char *require_keys)
int noffset, const char *require_keys, const char *engine_id)
{
const char *node_name;
char *algo_name;
@ -170,6 +170,7 @@ static int fit_image_setup_sig(struct image_sign_info *info,
info->checksum = image_get_checksum_algo(algo_name);
info->crypto = image_get_crypto_algo(algo_name);
info->require_keys = require_keys;
info->engine_id = engine_id;
if (!info->checksum || !info->crypto) {
printf("Unsupported signature algorithm (%s) for '%s' signature node in '%s' image node\n",
algo_name, node_name, image_name);
@ -194,12 +195,13 @@ static int fit_image_setup_sig(struct image_sign_info *info,
* @size: size of data in bytes
* @comment: Comment to add to signature nodes
* @require_keys: Mark all keys as 'required'
* @engine_id: Engine to use for signing
* @return 0 if ok, -1 on error
*/
static int fit_image_process_sig(const char *keydir, void *keydest,
void *fit, const char *image_name,
int noffset, const void *data, size_t size,
const char *comment, int require_keys)
const char *comment, int require_keys, const char *engine_id)
{
struct image_sign_info info;
struct image_region region;
@ -209,7 +211,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
int ret;
if (fit_image_setup_sig(&info, keydir, fit, image_name, noffset,
require_keys ? "image" : NULL))
require_keys ? "image" : NULL, engine_id))
return -1;
node_name = fit_get_name(fit, noffset, NULL);
@ -288,11 +290,12 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
* @image_noffset: Requested component image node
* @comment: Comment to add to signature nodes
* @require_keys: Mark all keys as 'required'
* @engine_id: Engine to use for signing
* @return: 0 on success, <0 on failure
*/
int fit_image_add_verification_data(const char *keydir, void *keydest,
void *fit, int image_noffset, const char *comment,
int require_keys)
int require_keys, const char *engine_id)
{
const char *image_name;
const void *data;
@ -329,7 +332,7 @@ int fit_image_add_verification_data(const char *keydir, void *keydest,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_process_sig(keydir, keydest,
fit, image_name, noffset, data, size,
comment, require_keys);
comment, require_keys, engine_id);
}
if (ret)
return ret;
@ -569,7 +572,8 @@ static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
static int fit_config_process_sig(const char *keydir, void *keydest,
void *fit, const char *conf_name, int conf_noffset,
int noffset, const char *comment, int require_keys)
int noffset, const char *comment, int require_keys,
const char *engine_id)
{
struct image_sign_info info;
const char *node_name;
@ -587,7 +591,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
return -1;
if (fit_image_setup_sig(&info, keydir, fit, conf_name, noffset,
require_keys ? "conf" : NULL))
require_keys ? "conf" : NULL, engine_id))
return -1;
ret = info.crypto->sign(&info, region, region_count, &value,
@ -635,7 +639,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
static int fit_config_add_verification_data(const char *keydir, void *keydest,
void *fit, int conf_noffset, const char *comment,
int require_keys)
int require_keys, const char *engine_id)
{
const char *conf_name;
int noffset;
@ -654,7 +658,7 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_process_sig(keydir, keydest,
fit, conf_name, conf_noffset, noffset, comment,
require_keys);
require_keys, engine_id);
}
if (ret)
return ret;
@ -664,7 +668,8 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
}
int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys)
const char *comment, int require_keys,
const char *engine_id)
{
int images_noffset, confs_noffset;
int noffset;
@ -687,7 +692,7 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
* i.e. component image node.
*/
ret = fit_image_add_verification_data(keydir, keydest,
fit, noffset, comment, require_keys);
fit, noffset, comment, require_keys, engine_id);
if (ret)
return ret;
}
@ -710,7 +715,8 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
noffset = fdt_next_subnode(fit, noffset)) {
ret = fit_config_add_verification_data(keydir, keydest,
fit, noffset, comment,
require_keys);
require_keys,
engine_id);
if (ret)
return ret;
}