commit 32d8464997546f720580d3f9d4ef8cac1a557a83
author Tamas Ban <tamas.ban@arm.com> Thu Jul 11 08:25:11 2019 +0100
committer Tamas Ban <tamas.ban@arm.com> Fri Sep 06 06:59:34 2019 +0000
tree 52db99fb783c82409d9ddd29779b1650689c0b7f
parent 5db575304df2ddcabaf27ff62ec6ce07542e13ea

Boot: Add hardware key handling to signing script

Add an optional command line parameter to image signing script
to distinguish where the public key is stored for image
authentication: embedded in MCUBoot or in the image manifest.

Change-Id: I75542e2ee7138e8b2e3891c78293283c0839e81b
Signed-off-by: Tamas Ban <tamas.ban@arm.com>

bl2/ext/mcuboot/scripts/imgtool_lib/image.py

diff --git a/bl2/ext/mcuboot/scripts/imgtool_lib/image.py b/bl2/ext/mcuboot/scripts/imgtool_lib/image.py
index f64ad4c..cb97a35 100644
--- a/bl2/ext/mcuboot/scripts/imgtool_lib/image.py
+++ b/bl2/ext/mcuboot/scripts/imgtool_lib/image.py
@@ -36,6 +36,7 @@
         'RAM_LOAD':              0x0000020, }
 TLV_VALUES = {
         'KEYHASH': 0x01,
+        'KEY'    : 0x02,
         'SHA256' : 0x10,
         'RSA2048': 0x20,
         'RSA3072': 0x23,
@@ -152,7 +153,13 @@
         full_size = (TLV_INFO_SIZE + len(tlv.buf) + TLV_HEADER_SIZE
                      + PAYLOAD_DIGEST_SIZE)
         if key is not None:
-            full_size += (TLV_HEADER_SIZE + KEYHASH_SIZE
+            pub = key.get_public_bytes()
+            if key.get_public_key_format() == 'hash':
+                tlv_key_data_size = KEYHASH_SIZE
+            else:
+                tlv_key_data_size = len(pub)
+
+            full_size += (TLV_HEADER_SIZE + tlv_key_data_size
                           + TLV_HEADER_SIZE + key.sig_len())
         tlv_header = struct.pack('HH', TLV_INFO_MAGIC, full_size)
         self.payload += tlv_header + bytes(tlv.buf)
@@ -164,11 +171,13 @@
         tlv.add('SHA256', digest)
 
         if key is not None:
-            pub = key.get_public_bytes()
-            sha = hashlib.sha256()
-            sha.update(pub)
-            pubbytes = sha.digest()
-            tlv.add('KEYHASH', pubbytes)
+            if key.get_public_key_format() == 'hash':
+                sha = hashlib.sha256()
+                sha.update(pub)
+                pubbytes = sha.digest()
+                tlv.add('KEYHASH', pubbytes)
+            else:
+                tlv.add('KEY', pub)
 
             sig = key.sign(self.payload)
             tlv.add(key.sig_tlv(), sig)