imgtool: Add --public-key-format option to imgtool
The --public-key-format option can be used to distinguish where
the public key is stored for image authentication. It can be embedded
in MCUboot or by selecting 'full' it can be in the image manifest.
The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1579
Change-Id: If658dff8147cfce2f27bfc0209ecf0d6d9cb2a73
Signed-off-by: David Vincze <david.vincze@linaro.org>
diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
index 644a028..bd681c7 100644
--- a/scripts/imgtool/image.py
+++ b/scripts/imgtool/image.py
@@ -54,6 +54,7 @@
TLV_VALUES = {
'KEYHASH': 0x01,
+ 'PUBKEY': 0x02,
'SHA256': 0x10,
'RSA2048': 0x20,
'ECDSA224': 0x21,
@@ -259,7 +260,8 @@
format=PublicFormat.UncompressedPoint)
return cipherkey, ciphermac, pubk
- def create(self, key, enckey, dependencies=None, sw_type=None):
+ def create(self, key, public_key_format, enckey, dependencies=None,
+ sw_type=None):
self.enckey = enckey
# Calculate the hash of the public key
@@ -360,7 +362,10 @@
tlv.add('SHA256', digest)
if key is not None:
- tlv.add('KEYHASH', pubbytes)
+ if public_key_format == 'hash':
+ tlv.add('KEYHASH', pubbytes)
+ else:
+ tlv.add('PUBKEY', pub)
# `sign` expects the full image payload (sha256 done internally),
# while `sign_digest` expects only the digest of the payload