From f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea Mon Sep 17 00:00:00 2001 From: George McCollister Date: Fri, 6 Jan 2017 13:14:17 -0600 Subject: mkimage: Add support for signing with pkcs11 Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings. Signed-off-by: George McCollister --- include/image.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/image.h b/include/image.h index 0537678..6207d62 100644 --- a/include/image.h +++ b/include/image.h @@ -965,6 +965,7 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp); * @fit: Pointer to the FIT format image header * @comment: Comment to add to signature nodes * @require_keys: Mark all keys as 'required' + * @engine_id: Engine to use for signing * * Adds hash values for all component images in the FIT blob. * Hashes are calculated for all component images which have hash subnodes @@ -977,7 +978,8 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp); * libfdt error code, on failure */ int fit_add_verification_data(const char *keydir, void *keydest, void *fit, - const char *comment, int require_keys); + const char *comment, int require_keys, + const char *engine_id); int fit_image_verify(const void *fit, int noffset); int fit_config_verify(const void *fit, int conf_noffset); @@ -1057,6 +1059,7 @@ struct image_sign_info { const void *fdt_blob; /* FDT containing public keys */ int required_keynode; /* Node offset of key to use: -1=any */ const char *require_keys; /* Value for 'required' property */ + const char *engine_id; /* Engine to use for signing */ }; #endif /* Allow struct image_region to always be defined for rsa.h */ -- cgit v1.1