From: Marc Kleine-Budde Date: Fri, 23 Jul 2021 20:17:50 +0000 (+0200) Subject: mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=62b27a561c2868d95445905ad554297e43cc0f2b;p=u-boot.git mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine This patch adds the possibility to pass the PIN the OpenSSL Engine used during signing via the environment variable MKIMAGE_SIGN_PIN. This follows the approach used during kernel module signing ("KBUILD_SIGN_PIN") or UBIFS image signing ("MKIMAGE_SIGN_PIN"). Signed-off-by: Marc Kleine-Budde --- diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 7cb1c15e5e..61a72db3c7 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -533,8 +533,8 @@ Generic engine key ids: or "" -As mkimage does not at this time support prompting for passwords HSM may need -key preloading wrapper to be used when invoking mkimage. +In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN" +can be specified. The following examples use the Nitrokey Pro using pkcs11 engine. Instructions for other devices may vary. diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index c64deac31f..085dc89bf7 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -338,6 +338,7 @@ static int rsa_init(void) static int rsa_engine_init(const char *engine_id, ENGINE **pe) { + const char *key_pass; ENGINE *e; int ret; @@ -362,10 +363,20 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe) goto err_set_rsa; } + key_pass = getenv("MKIMAGE_SIGN_PIN"); + if (key_pass) { + if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) { + fprintf(stderr, "Couldn't set PIN\n"); + ret = -1; + goto err_set_pin; + } + } + *pe = e; return 0; +err_set_pin: err_set_rsa: ENGINE_finish(e); err_engine_init: