From 62b27a561c2868d95445905ad554297e43cc0f2b Mon Sep 17 00:00:00 2001
From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Fri, 23 Jul 2021 22:17:50 +0200
Subject: [PATCH] mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin
 for OpenSSL Engine

This patch adds the possibility to pass the PIN the OpenSSL Engine
used during signing via the environment variable MKIMAGE_SIGN_PIN.
This follows the approach used during kernel module
signing ("KBUILD_SIGN_PIN") or UBIFS image
signing ("MKIMAGE_SIGN_PIN").

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 doc/uImage.FIT/signature.txt |  4 ++--
 lib/rsa/rsa-sign.c           | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 7cb1c15e5e..61a72db3c7 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -533,8 +533,8 @@ Generic engine key ids:
 or
   "<key-name-hint>"
 
-As mkimage does not at this time support prompting for passwords HSM may need
-key preloading wrapper to be used when invoking mkimage.
+In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN"
+can be specified.
 
 The following examples use the Nitrokey Pro using pkcs11 engine. Instructions
 for other devices may vary.
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index c64deac31f..085dc89bf7 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -338,6 +338,7 @@ static int rsa_init(void)
 
 static int rsa_engine_init(const char *engine_id, ENGINE **pe)
 {
+	const char *key_pass;
 	ENGINE *e;
 	int ret;
 
@@ -362,10 +363,20 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
 		goto err_set_rsa;
 	}
 
+	key_pass = getenv("MKIMAGE_SIGN_PIN");
+	if (key_pass) {
+		if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
+			fprintf(stderr, "Couldn't set PIN\n");
+			ret = -1;
+			goto err_set_pin;
+		}
+	}
+
 	*pe = e;
 
 	return 0;
 
+err_set_pin:
 err_set_rsa:
 	ENGINE_finish(e);
 err_engine_init:
-- 
2.39.5