commit 32d8464997546f720580d3f9d4ef8cac1a557a83
author Tamas Ban <tamas.ban@arm.com> Thu Jul 11 08:25:11 2019 +0100
committer Tamas Ban <tamas.ban@arm.com> Fri Sep 06 06:59:34 2019 +0000
tree 52db99fb783c82409d9ddd29779b1650689c0b7f
parent 5db575304df2ddcabaf27ff62ec6ce07542e13ea

Boot: Add hardware key handling to signing script

Add an optional command line parameter to image signing script
to distinguish where the public key is stored for image
authentication: embedded in MCUBoot or in the image manifest.

Change-Id: I75542e2ee7138e8b2e3891c78293283c0839e81b
Signed-off-by: Tamas Ban <tamas.ban@arm.com>

bl2/ext/mcuboot/scripts/imgtool_lib/image.py

diff --git a/bl2/ext/mcuboot/scripts/imgtool_lib/image.py b/bl2/ext/mcuboot/scripts/imgtool_lib/image.py
index f64ad4c..cb97a35 100644
--- a/bl2/ext/mcuboot/scripts/imgtool_lib/image.py
+++ b/bl2/ext/mcuboot/scripts/imgtool_lib/image.py
@@ -36,6 +36,7 @@
         'RAM_LOAD':              0x0000020, }
 TLV_VALUES = {
         'KEYHASH': 0x01,
+        'KEY'    : 0x02,
         'SHA256' : 0x10,
         'RSA2048': 0x20,
         'RSA3072': 0x23,
@@ -152,7 +153,13 @@
         full_size = (TLV_INFO_SIZE + len(tlv.buf) + TLV_HEADER_SIZE
                      + PAYLOAD_DIGEST_SIZE)
         if key is not None:
-            full_size += (TLV_HEADER_SIZE + KEYHASH_SIZE
+            pub = key.get_public_bytes()
+            if key.get_public_key_format() == 'hash':
+                tlv_key_data_size = KEYHASH_SIZE
+            else:
+                tlv_key_data_size = len(pub)
+
+            full_size += (TLV_HEADER_SIZE + tlv_key_data_size
                           + TLV_HEADER_SIZE + key.sig_len())
         tlv_header = struct.pack('HH', TLV_INFO_MAGIC, full_size)
         self.payload += tlv_header + bytes(tlv.buf)
@@ -164,11 +171,13 @@
         tlv.add('SHA256', digest)
 
         if key is not None:
-            pub = key.get_public_bytes()
-            sha = hashlib.sha256()
-            sha.update(pub)
-            pubbytes = sha.digest()
-            tlv.add('KEYHASH', pubbytes)
+            if key.get_public_key_format() == 'hash':
+                sha = hashlib.sha256()
+                sha.update(pub)
+                pubbytes = sha.digest()
+                tlv.add('KEYHASH', pubbytes)
+            else:
+                tlv.add('KEY', pub)
 
             sig = key.sign(self.payload)
             tlv.add(key.sig_tlv(), sig)

bl2/ext/mcuboot/scripts/imgtool_lib/keys.py

diff --git a/bl2/ext/mcuboot/scripts/imgtool_lib/keys.py b/bl2/ext/mcuboot/scripts/imgtool_lib/keys.py
index f17f173..b652d90 100644
--- a/bl2/ext/mcuboot/scripts/imgtool_lib/keys.py
+++ b/bl2/ext/mcuboot/scripts/imgtool_lib/keys.py
@@ -43,13 +43,17 @@
             namedtype.NamedType('publicExponent', univ.Integer()))
 
 class RSAutil():
-    def __init__(self, key):
+    def __init__(self, key, public_key_format='hash'):
         """Construct an RSA key with the given key data"""
         self.key = key
+        self.public_key_format = public_key_format
 
     def key_size(self):
         return self.key.n.bit_length()
 
+    def get_public_key_format(self):
+        return self.public_key_format
+
     @staticmethod
     def generate(key_size=2048):
         if key_size not in RSA_KEY_SIZES:
@@ -104,11 +108,11 @@
         assert len(signature) == self.sig_len()
         return signature
 
-def load(path):
+def load(path, public_key_format='hash'):
     with open(path, 'rb') as f:
         pem = f.read()
     try:
         key = RSA.importKey(pem)
-        return RSAutil(key)
+        return RSAutil(key, public_key_format)
     except ValueError:
         raise Exception("Unsupported RSA key file")