AW: secure boot, mkimage with external signing server
Rosenschild, Klaus
Klaus.Rosenschild at hilti.com
Tue Jan 21 18:47:36 CET 2025
Hi Rasmus,
thank you for pointing to this option. We will also check on this option.
Best Regards
Klaus
________________________________
Von: Rasmus Villemoes <ravi at prevas.dk>
Gesendet: Dienstag, 21. Januar 2025 10:28
An: Rosenschild, Klaus <Klaus.Rosenschild at hilti.com>
Cc: u-boot at lists.denx.de <u-boot at lists.denx.de>
Betreff: Re: secure boot, mkimage with external signing server
CAUTION: This email originated from outside of Hilti. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
On Mon, Jan 20 2025, "Rosenschild, Klaus" <Klaus.Rosenschild at hilti.com> wrote:
> Hello,
> I have a question regarding the signing of a FIT image using mkimage. I already contacted DENX, they referred me to this mailing list.
>
> mkimage supports the creation of a signed FIT image. To do this, we need to have an appropriate .its file and pass the private key as a parameter to the mkimage command:
> mkimage -f fitImage-sign.its -k keys/ fitImage-signed
>
> However, this approach does not work in our setup, as we do not have access to the private key.
> The private key resides on an HSM (Hardware security module) that is not directly accessible for us. We can invoke signing related functions via an external signing server that takes a sha256 hash as input and returns the signed hash.
> Then we need to add the signed hash to the FIT image.
>
You may want to look into using an openssl pkcs11 module interfacing
with that HSM. Then use appropriate openssl configuration (set
OPENSSL_CONF env variable) and pass "-N pkcs11" and "-G <some pkcs11
URI>" to mkimage. This is something we've done in a number of cases with
a Yubi HSM.
Rasmus
More information about the U-Boot
mailing list