imgtool: Add --public-key-format option to imgtool

The --public-key-format option selects where the public key used for
image authentication is stored: either embedded in MCUboot or, when
'full' is selected, in the image manifest.

The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1579

Change-Id: If658dff8147cfce2f27bfc0209ecf0d6d9cb2a73
Signed-off-by: David Vincze <david.vincze@linaro.org>
diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
index 644a028..bd681c7 100644
--- a/scripts/imgtool/image.py
+++ b/scripts/imgtool/image.py
@@ -54,6 +54,7 @@
 
 TLV_VALUES = {
         'KEYHASH': 0x01,
+        'PUBKEY': 0x02,
         'SHA256': 0x10,
         'RSA2048': 0x20,
         'ECDSA224': 0x21,
@@ -259,7 +260,8 @@
             format=PublicFormat.UncompressedPoint)
         return cipherkey, ciphermac, pubk
 
-    def create(self, key, enckey, dependencies=None, sw_type=None):
+    def create(self, key, public_key_format, enckey, dependencies=None,
+               sw_type=None):
         self.enckey = enckey
 
         # Calculate the hash of the public key
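Review bot: Inserting `public_key_format` as the second positional parameter of `create` silently shifts the arguments of any caller that still passes `enckey` positionally: the encryption key would land in `public_key_format` and the dependencies in `enckey`, with no error raised. Only the call in main.py is updated by this commit; whether other callers exist is not visible here. Appending the parameter as a keyword with the previous behaviour as its default keeps old calls valid: `def create(self, key, enckey, dependencies=None, sw_type=None, public_key_format='hash'):`. The body of `create` continues outside the hunk.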
@@ -360,7 +362,10 @@
         tlv.add('SHA256', digest)
 
         if key is not None:
-            tlv.add('KEYHASH', pubbytes)
+            if public_key_format == 'hash':
+                tlv.add('KEYHASH', pubbytes)
+            else:
+                tlv.add('PUBKEY', pub)
 
             # `sign` expects the full image payload (sha256 done internally),
             # while `sign_digest` expects only the digest of the payload
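Review bot: The `else` branch treats every value other than `'hash'` as a request for the full key, so a library caller that passes `None` or a misspelled format gets a `PUBKEY` TLV instead of an error; the `click.Choice` check only protects the CLI path. Match the second value explicitly and reject the rest: `elif public_key_format == 'full': tlv.add('PUBKEY', pub)` followed by `else: raise ValueError("unknown public_key_format")`. Failing closed matters here because the two TLVs imply different trust models on the bootloader side. `pub` and `pubbytes` are assigned earlier in `create`, outside this hunk, so their exact encoding cannot be confirmed from here.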
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
index fa15200..47d5811 100755
--- a/scripts/imgtool/main.py
+++ b/scripts/imgtool/main.py
@@ -265,14 +265,17 @@
 @click.option('-v', '--version', callback=validate_version,  required=True)
 @click.option('--align', type=click.Choice(['1', '2', '4', '8']),
               required=True)
+@click.option('--public-key-format', type=click.Choice(['hash', 'full']),
+              default='hash', help='In what format to add the public key to '
+              'the image manifest: full key or hash of the key.')
 @click.option('-k', '--key', metavar='filename')
 @click.command(help='''Create a signed or unsigned image\n
                INFILE and OUTFILE are parsed as Intel HEX if the params have
                .hex extension, otherwise binary format is used''')
-def sign(key, align, version, pad_sig, header_size, pad_header, slot_size, pad, confirm,
-         max_sectors, overwrite_only, endian, encrypt, infile, outfile,
-         dependencies, load_addr, hex_addr, erased_val, save_enctlv,
-         security_counter, boot_record):
+def sign(key, public_key_format, align, version, pad_sig, header_size,
+         pad_header, slot_size, pad, confirm, max_sectors, overwrite_only,
+         endian, encrypt, infile, outfile, dependencies, load_addr, hex_addr,
+         erased_val, save_enctlv, security_counter, boot_record):
     img = image.Image(version=decode_version(version), header_size=header_size,
                       pad_header=pad_header, pad=pad, confirm=confirm,
                       align=int(align), slot_size=slot_size,
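Review bot: The help text for `--public-key-format` does not say what the bootloader must do with a `full` key, which is the security-relevant part of the choice. A public key carried in the manifest is supplied by whoever built the image, so it authenticates nothing unless the bootloader compares it against a key hash it already trusts (for example one provisioned on the device) before verifying the signature. I would extend the help string with something like `'full' requires a bootloader that checks the embedded key against a provisioned key hash; use 'hash' when the key is built into MCUboot.` The option is also accepted without `-k`, where it appears to have no effect; a warning may be worthwhile, though the handling of a missing key is outside this hunk.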
@@ -295,7 +298,7 @@
     if pad_sig and hasattr(key, 'pad_sig'):
         key.pad_sig = True
 
-    img.create(key, enckey, dependencies, boot_record)
+    img.create(key, public_key_format, enckey, dependencies, boot_record)
     img.save(outfile, hex_addr)