From: Rasmus Villemoes <ravi@prevas.dk>
To: "Rosenschild, Klaus" <Klaus.Rosenschild@hilti.com>
Cc: "u-boot@lists.denx.de" <u-boot@lists.denx.de>
Subject: Re: secure boot, mkimage with external signing server
Date: Tue, 21 Jan 2025 10:28:51 +0100 [thread overview]
Message-ID: <878qr4wm5o.fsf@prevas.dk> (raw)
In-Reply-To: <VI1PR07MB9972D12CDEDF3ADFF7D81B2AF7E72@VI1PR07MB9972.eurprd07.prod.outlook.com> (Klaus Rosenschild's message of "Mon, 20 Jan 2025 17:43:19 +0000")
On Mon, Jan 20 2025, "Rosenschild, Klaus" <Klaus.Rosenschild@hilti.com> wrote:
> Hello,
> I have a question regarding the signing of a FIT image using mkimage. I already contacted DENX, they referred me to this mailing list.
>
> mkimage supports the creation of a signed FIT image. To do this, we need to have an appropriate .its file and pass the private key as a parameter to the mkimage command:
> mkimage -f fitImage-sign.its -k keys/ fitImage-signed
>
> However, this approach does not work in our setup, as we do not have access to the private key.
> The private key resides on an HSM (Hardware security module) that is not directly accessible for us. We can invoke signing related functions via an external signing server that takes a sha256 hash as input and returns the signed hash.
> Then we need to add the signed hash to the FIT image.
>
You may want to look into using an openssl pkcs11 module interfacing
with that HSM. Then use appropriate openssl configuration (set
OPENSSL_CONF env variable) and pass "-N pkcs11" and "-G <some pkcs11
URI>" to mkimage. This is something we've done in a number of cases with
a Yubi HSM.
Rasmus
next prev parent reply other threads:[~2025-01-21 9:29 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <VI1PR07MB9972394B8A364AC9A18495F6F7192@VI1PR07MB9972.eurprd07.prod.outlook.com>
[not found] ` <VI1PR07MB9972E22550B1514AD604D399F7192@VI1PR07MB9972.eurprd07.prod.outlook.com>
2025-01-20 17:43 ` secure boot, mkimage with external signing server Rosenschild, Klaus
2025-01-21 9:28 ` Rasmus Villemoes [this message]
2025-01-21 17:47 ` AW: " Rosenschild, Klaus
2025-01-22 21:13 ` Rosenschild, Klaus
2025-01-22 23:27 ` Rasmus Villemoes
2025-01-23 9:00 ` AW: " Rosenschild, Klaus
2025-01-25 17:11 ` Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878qr4wm5o.fsf@prevas.dk \
--to=ravi@prevas.dk \
--cc=Klaus.Rosenschild@hilti.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox