On Mon, Jan 20 2025, "Rosenschild, Klaus" <[email protected]> wrote:
> Hello,
> I have a question regarding the signing of a FIT image using mkimage. I
> already contacted DENX, they referred me to this mailing list.
>
> mkimage supports the creation of a signed FIT image. To do this, we need to
> have an appropriate .its file and pass the private key as a parameter to the
> mkimage command:
> mkimage -f fitImage-sign.its -k keys/ fitImage-signed
>
> However, this approach does not work in our setup, as we do not have access
> to the private key.
> The private key resides on an HSM (Hardware Security Module) that is not
> directly accessible for us. We can invoke signing-related functions via an
> external signing server that takes a sha256 hash as input and returns the
> signed hash.
> Then we need to add the signed hash to the FIT image.
>

You may want to look into using an openssl pkcs11 module interfacing with
that HSM. Then use appropriate openssl configuration (set OPENSSL_CONF env
variable) and pass "-N pkcs11" and "-G <some pkcs11 URI>" to mkimage. This
is something we've done in a number of cases with a Yubi HSM.

Rasmus
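As an added illustration of the approach Rasmus describes (this is not code from the thread or from U-Boot), a POSIX shell script that writes an OPENSSL_CONF loading the libp11 "pkcs11" engine in front of the HSM vendor's PKCS#11 module and composes the mkimage call with -N/-G instead of -k. The engine and module paths, the token name, the key label and the exact URI form mkimage accepts for -G are assumptions; check them against your HSM and your U-Boot version.

```shell
#!/bin/sh
# Added example (not from the thread): sign a FIT image with a key held in an
# HSM by routing mkimage through the OpenSSL pkcs11 engine.
set -eu

# Write an OPENSSL_CONF that loads the libp11 "pkcs11" engine and points it
# at the HSM vendor's PKCS#11 module (both paths are placeholders).
write_pkcs11_openssl_conf() {
    conf="$1"; engine_so="$2"; module_so="$3"
    cat > "$conf" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module_so
init = 0
EOF
}

# Compose the mkimage invocation: no "-k keys/" directory; the private key is
# referenced by a PKCS#11 URI and never leaves the HSM.
mkimage_sign_cmd() {
    its="$1"; key_uri="$2"; out="$3"
    printf 'mkimage -f %s -N pkcs11 -G "%s" %s\n' "$its" "$key_uri" "$out"
}

# Only touch real hardware when explicitly asked: RUN_SIGN=1 ./sign-fit.sh
if [ "${RUN_SIGN:-0}" = 1 ]; then
    CONF="$PWD/openssl-pkcs11.cnf"
    write_pkcs11_openssl_conf "$CONF" \
        /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so \
        /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
    export OPENSSL_CONF="$CONF"
    # Sanity check before signing: the engine must report "[ available ]".
    openssl engine -t -c pkcs11
    eval "$(mkimage_sign_cmd fitImage-sign.its \
        'pkcs11:token=EXAMPLE;object=fit-sign-key;type=private' fitImage-signed)"
fi
```

The public key still has to be made available to the verifier (e.g. via the .its/control DTB) exactly as in the -k flow; only the private-key side changes.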

