Hi Quentin,

From: Quentin Schulz <[email protected]>

> This adds support for using an OpenSSL engine for signing a FIT image.
> To use it, one should set the fit,sign-engine property at the FIT node
> level with the engine to use. This will in turn call mkimage with the -N
> option.
>
> The key-name-hint property in the signature node will be used verbatim
> as key_id in the OpenSSL engine API.
>
> We could somehow still decide to pass some keys_dir to mkimage when
> signing with an engine is enabled (mkimage does support that!);
> unfortunately binman resolves key paths absolutely. I don't believe an
> OpenSSL engine will happen to have the exact same key_id as the path
> to the encryption key, so fit,encrypt and fit,sign-engine cannot
> cohabit.
>
> The public key (with .crt extension) is still required if it needs to be
> embedded in the SPL DTB, for example.
>
> Signed-off-by: Quentin Schulz <[email protected]>
> ---
>  tools/binman/entries.rst  | 22 +++++++++++++++++++---
>  tools/binman/etype/fit.py | 41 +++++++++++++++++++++++++++++++++++++----
>  2 files changed, 56 insertions(+), 7 deletions(-)
Reviewed-by: Wolfgang Wallner <[email protected]>
Tested-by: Wolfgang Wallner <[email protected]>

Test case:
 Signed FIT image with U-Boot Proper booted from SPL
 sha256,rsa2048, OpenSSL with a PKCS11 library using the engine API
 fit,sign-engine = "pkcs11";
 key-name-hint = "pkcs11:<pkcs11-id>";

Regards,
Wolfgang

