author | George McCollister <george.mccollister@gmail.com> | 2017-01-06 22:14:17 +0300 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2017-01-15 00:47:13 +0300 |
commit | f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea (patch) | |
tree | b34c5ae6c177400ed6ed5524266cd2912138a292 /include/image.h | |
parent | b1c6a54a534d2579db1375039a45572fe38d0ce8 (diff) | |
download | u-boot-f1ca1fdebf1cde1c37c91b3d85f8b7af111112ea.tar.xz |
mkimage: Add support for signing with pkcs11
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Diffstat (limited to 'include/image.h')
-rw-r--r-- | include/image.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/include/image.h b/include/image.h
index 05376783fb..6207d62d3c 100644
--- a/include/image.h
+++ b/include/image.h
@@ -965,6 +965,7 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp);
 * @fit: Pointer to the FIT format image header
 * @comment: Comment to add to signature nodes
 * @require_keys: Mark all keys as 'required'
+ * @engine_id: Engine to use for signing
 *
 * Adds hash values for all component images in the FIT blob.
 * Hashes are calculated for all component images which have hash subnodes
@@ -977,7 +978,8 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp);
 * libfdt error code, on failure
 */
 int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
- const char *comment, int require_keys);
+ const char *comment, int require_keys,
+ const char *engine_id);
 int fit_image_verify(const void *fit, int noffset);
 int fit_config_verify(const void *fit, int conf_noffset);
@@ -1057,6 +1059,7 @@ struct image_sign_info {
 const void *fdt_blob; /* FDT containing public keys */
 int required_keynode; /* Node offset of key to use: -1=any */
 const char *require_keys; /* Value for 'required' property */
+ const char *engine_id; /* Engine to use for signing */
 };
 #endif /* Allow struct image_region to always be defined for rsa.h */ |
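Review bot: The new `@engine_id` line in the fit_add_verification_data() comment does not say what a caller passes when no engine is wanted, nor how `@keydir` is interpreted once an engine is selected; the same short phrase is repeated on the `engine_id` member added to struct image_sign_info in the last hunk. The commit message says the key may live on a smartcard or HSM, so `@keydir` presumably no longer names a plain directory of key files in that mode, and a signer who misreads it could end up signing with a key other than the intended one. I would expand the line to something like ` * @engine_id: Engine to use for signing, or NULL to read keys from @keydir` and add one sentence on what `@keydir` means with an engine; the NULL convention needs confirming against the implementation, which is not on this page. The doc comment begins above the hunk.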
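Review bot: `engine_id` is appended to struct image_sign_info as a bare pointer, so any code that fills the structure member by member without zeroing it first would pass an indeterminate pointer to whatever resolves the engine. The structure also carries verification-side members (`fdt_blob`, `required_keynode`), which suggests it is populated on paths other than mkimage signing; those sites are outside this diff and are worth checking for a zeroing `memset()` or a designated initializer. If NULL is the "no engine" value, the member comment should say so, for example `/* Engine to use for signing, NULL if none */`. The struct definition begins above the hunk.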