mkimage: Add support for signing with pkcs11

Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings. Signed-off-by: George McCollister <george.mccollister@gmail.com>
2025-11-02 11:26:41 +01:00 · 2017-01-06 13:14:17 -06:00
parent b1c6a54a53
commit f1ca1fdebf
7 changed files with 408 additions and 28 deletions
--- a/tools/imagetool.h
+++ b/tools/imagetool.h
@@ -76,6 +76,7 @@ struct image_tool_params {
 	bool external_data;	/* Store data outside the FIT */
 	bool quiet;		/* Don't output text in normal operation */
 	unsigned int external_offset;	/* Add padding to external data */
+	const char *engine_id;	/* Engine to use for signing */
 };

 /*