Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
meta-digi/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-tools-allow-to-use-a-r...

127 lines
4.4 KiB
Diff
Raw Blame History

From 204cde3bd45f634e3699a42ed8f865a8385743a5 Mon Sep 17 00:00:00 2001
From: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
Date: Mon, 28 Nov 2022 12:16:38 +0100
Subject: [PATCH] tools: allow to use a root key password from command line
By defining the ROT_KEY_PWD, user is able to define the private
root key password. Useful for build system management.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
---
make_helpers/tbbr/tbbr_tools.mk | 2 ++
tools/cert_create/include/key.h | 2 +-
tools/cert_create/src/key.c | 4 ++--
tools/cert_create/src/main.c | 13 +++++++++++--
4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index 5ef2d852e..147159b1a 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -25,6 +25,7 @@
# KEY_SIZE
# ROT_KEY
# PROT_KEY
+# ROT_KEY_PWD
# PLAT_KEY
# SWD_ROT_KEY
# CORE_SWD_KEY
@@ -74,6 +75,7 @@ $(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg,FWU_)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key,FWU_)))
$(if ${PROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PROT_KEY},--prot-key)))
+$(if ${ROT_KEY_PWD},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY_PWD},--rot-key-pwd)))
$(if ${PLAT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PLAT_KEY},--plat-key)))
$(if ${SWD_ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${SWD_ROT_KEY},--swd-rot-key)))
$(if ${CORE_SWD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${CORE_SWD_KEY},--core-swd-key)))
diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
index 312575b44..ed3654b08 100644
--- a/tools/cert_create/include/key.h
+++ b/tools/cert_create/include/key.h
@@ -74,7 +74,7 @@ key_t *key_get_by_opt(const char *opt);
int key_new(key_t *key);
#endif
int key_create(key_t *key, int type, int key_bits);
-int key_load(key_t *key, unsigned int *err_code);
+int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code);
int key_store(key_t *key);
void key_cleanup(void);
diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
index 487777b67..c8f5357be 100644
--- a/tools/cert_create/src/key.c
+++ b/tools/cert_create/src/key.c
@@ -189,7 +189,7 @@ int key_create(key_t *key, int type, int key_bits)
return 0;
}
-int key_load(key_t *key, unsigned int *err_code)
+int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code)
{
FILE *fp;
EVP_PKEY *k;
@@ -198,7 +198,7 @@ int key_load(key_t *key, unsigned int *err_code)
/* Load key from file */
fp = fopen(key->fn, "r");
if (fp) {
- k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
+ k = PEM_read_PrivateKey(fp, &key->key, NULL, rot_key_pwd);
fclose(fp);
if (k) {
*err_code = KEY_ERR_NONE;
diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
index 2ab6bcfd9..90bb82ba8 100644
--- a/tools/cert_create/src/main.c
+++ b/tools/cert_create/src/main.c
@@ -292,6 +292,10 @@ static const cmd_opt_t common_cmd_opt[] = {
{ "print-cert", no_argument, NULL, 'p' },
"Print the certificates in the standard output"
}
+ ,{
+ { "rot-key-pwd", required_argument, NULL, 'r' },
+ "Password for the root key"
+ },
};
int main(int argc, char *argv[])
@@ -310,6 +314,7 @@ int main(int argc, char *argv[])
unsigned char md[SHA512_DIGEST_LENGTH];
unsigned int md_len;
const EVP_MD *md_info;
+ char *rot_key_pw = NULL;
NOTICE("CoT Generation Tool: %s\n", build_msg);
NOTICE("Target platform: %s\n", platform_msg);
@@ -347,7 +352,7 @@ int main(int argc, char *argv[])
while (1) {
/* getopt_long stores the option index here. */
- c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx);
+ c = getopt_long(argc, argv, "a:b:hknpr:s:", cmd_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
@@ -381,6 +386,10 @@ int main(int argc, char *argv[])
case 'p':
print_cert = 1;
break;
+ case 'r':
+ rot_key_pw = malloc(sizeof(char) * strlen(optarg));
+ strncpy(rot_key_pw, optarg, strlen(optarg));
+ break;
case 's':
hash_alg = get_hash_alg(optarg);
if (hash_alg < 0) {
@@ -441,7 +450,7 @@ int main(int argc, char *argv[])
#endif
/* First try to load the key from disk */
- if (key_load(&keys[i], &err_code)) {
+ if (key_load(&keys[i], rot_key_pw, &err_code)) {
/* Key loaded successfully */
continue;
}
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink