Currently, when one wants to use an OpenSSL engine to sign a FIT image,
one needs to pass a keydir (via -k) to mkimage which will then be
prepended to the value of the key-name-hint before being passed as
key_id argument to the OpenSSL Engine API, or pass a keyfile (via -G) to
mkimage.
My OpenSSL engine only has "slots" which are not mapped like
directories, so using keydir is not proper, though I could simply have
-k '' I guess but this won't work currently with binman anyway.
Additionally, passing a keyfile (-G) when using an engine doesn't make
sense as the key is stored in the engine.
Let simply allow FIT images be signed if both keydir and keyfile are
missing but an engine is to be used.
The keyname member is already filled by looking at key-name-hint
property in the FIT and passed to the engine, which is exactly what is
needed here.
Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
static int fit_estimate_hash_sig_size(struct image_tool_params *params, const char *fname)
{
- bool signing = IMAGE_ENABLE_SIGN && (params->keydir || params->keyfile);
+ bool signing = IMAGE_ENABLE_SIGN &&
+ (params->keydir || params->keyfile || params->engine_id);
struct stat sbuf;
void *fdt;
int fd;
strlen(FIT_HASH_NODENAME))) {
ret = fit_image_process_hash(fit, image_name, noffset,
data, size);
- } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) &&
+ } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile || engine_id) &&
!strncmp(node_name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_process_sig(keydir, keyfile, keydest,
}
/* If there are no keys, we can't sign configurations */
- if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile))
+ if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile || engine_id))
return 0;
/* Find configurations parent node offset */
projects / thirdparty / u-boot.git / commitdiff
