[PATCH] mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine

This patch adds the possibility to pass the PIN the OpenSSL Engine used during signing via the environment variable MKIMAGE_SIGN_PIN. This follows the approach used during kernel module signing ("KBUILD_SIGN_PIN") or UBIFS image signing ("MKIMAGE_SIGN_PIN").
Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de
---
doc/uImage.FIT/signature.txt | 4 ++--
lib/rsa/rsa-sign.c | 11 +++++++++++
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 7cb1c15e5e15..61a72db3c74f 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -533,8 +533,8 @@ Generic engine key ids: or "<key-name-hint>"
-As mkimage does not at this time support prompting for passwords HSM may need -key preloading wrapper to be used when invoking mkimage. +In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN" +can be specified.
The following examples use the Nitrokey Pro using pkcs11 engine. Instructions for other devices may vary. diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index f4ed11e74a4a..49abec6c83fb 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -338,6 +338,7 @@ static int rsa_init(void)
static int rsa_engine_init(const char *engine_id, ENGINE **pe) { + const char *key_pass; ENGINE *e; int ret;
@@ -362,10 +363,20 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe) goto err_set_rsa; }
+ key_pass = getenv("MKIMAGE_SIGN_PIN"); + if (key_pass) { + if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) { + fprintf(stderr, "Couldn't set PIN\n"); + ret = -1; + goto err_set_pin; + } + } + *pe = e;
return 0;
+err_set_pin: err_set_rsa: ENGINE_finish(e); err_engine_init:
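Review bot: the new text in doc/uImage.FIT/signature.txt ("In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN" can be specified") does not say that the variable is optional or what mkimage does with it, while the sentence it replaces (the key-preloading wrapper) is dropped although that remains the only option when the variable is unset, since the code only acts `if (key_pass)`. Suggest wording along the lines of: "If MKIMAGE_SIGN_PIN is set, mkimage passes its value to the engine's "PIN" control command at engine init; otherwise the key must be unlocked beforehand, e.g. via a preloading wrapper."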
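Review bot: naming in the first rsa-sign.c hunk: the added `const char *key_pass;` holds a PIN (the env var is MKIMAGE_SIGN_PIN and the ctrl command is "PIN"), so `pin` or `key_pin` would describe it better than `key_pass`; a one-line comment noting it comes from the environment and is not owned by this function would also help.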
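Review bot: in the second rsa-sign.c hunk the new `err_set_pin:` label falls straight through to `err_set_rsa:` with no cleanup of its own, so it is redundant; either `goto err_set_rsa` directly or keep the label only if a distinct unwind step is planned. Two further points: `ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)` passes `cmd_optional = 0`, so with MKIMAGE_SIGN_PIN set and an engine that has no "PIN" command the call fails and mkimage aborts with "Couldn't set PIN", which is probably intended but should be stated in the documentation; and the error message gives no detail, so consider printing the OpenSSL error queue (`ERR_print_errors_fp(stderr)`) so a wrong PIN can be told apart from an unsupported control command.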

On Fri, Jul 23, 2021 at 10:17:50PM +0200, Marc Kleine-Budde wrote:
This patch adds the possibility to pass the PIN the OpenSSL Engine used during signing via the environment variable MKIMAGE_SIGN_PIN. This follows the approach used during kernel module signing ("KBUILD_SIGN_PIN") or UBIFS image signing ("MKIMAGE_SIGN_PIN").
Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de
Applied to u-boot/master, thanks!

Hi Marc,
On 7/23/21 3:17 PM, Marc Kleine-Budde wrote:
This patch adds the possibility to pass the PIN the OpenSSL Engine used during signing via the environment variable MKIMAGE_SIGN_PIN. This follows the approach used during kernel module signing ("KBUILD_SIGN_PIN") or UBIFS image signing ("MKIMAGE_SIGN_PIN").
I think the preferred approach would have been to add a flag to mkimage, similar to "-N => openssl engine to use for signing". Environment variables are rarely used to talk to tools, and not very intuitive. I can only really think of NO_SDL=1 being used by u-boot.
Since this patch already made it, I hope you have the bandwidth to look at converting this to a mkimage flag.
Alex
Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de
doc/uImage.FIT/signature.txt | 4 ++--
lib/rsa/rsa-sign.c | 11 +++++++++++
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 7cb1c15e5e15..61a72db3c74f 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -533,8 +533,8 @@ Generic engine key ids: or "<key-name-hint>"
-As mkimage does not at this time support prompting for passwords HSM may need -key preloading wrapper to be used when invoking mkimage. +In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN" +can be specified.
The following examples use the Nitrokey Pro using pkcs11 engine. Instructions for other devices may vary. diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index f4ed11e74a4a..49abec6c83fb 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -338,6 +338,7 @@ static int rsa_init(void)
static int rsa_engine_init(const char *engine_id, ENGINE **pe) {
- const char *key_pass; ENGINE *e; int ret;
@@ -362,10 +363,20 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe) goto err_set_rsa; }
key_pass = getenv("MKIMAGE_SIGN_PIN");
if (key_pass) {
if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
fprintf(stderr, "Couldn't set PIN\n");
ret = -1;
goto err_set_pin;
}
}
*pe = e;
return 0;
+err_set_pin: err_set_rsa: ENGINE_finish(e); err_engine_init: