raspberrypi/rpi-eeprom
1
0
Fork 0
mirror of https://github.com/raspberrypi/rpi-eeprom.git synced 2026-01-20 21:13:36 +08:00
Code Issues Packages Projects Releases Wiki Activity
774 Commits 7 Branches 36 Tags
8fb396f650f38f98f42db0ed936abb59d2c331cf
Commit Graph

9 Commits

Author SHA1 Message Date
Tim Gover
914dd0f73f rpi-sign-bootcode: Add optional callout to HSM wrapper script from PKCS#1 v1.5 signature 2025-04-07 09:51:17 +01:00
Rasmus Villemoes
3a16bd016f rpi-eeprom-digest: support specifying keys via PKCS#11 URI 
In production setups, it is quite normal that the private key does not
exist as a file in the file system, but is kept inside some HSM,
remote signing service or similar, and only accessed via some pkcs#11
interface; moreover, by design, the private key _cannot_ be extracted
from the HSM or signing service.

In such a case, the user will have set OPENSSL_CONF to some
configuration file setting up the appropriate engine, and the "key" is
simply the pkcs#11 URI, e.g. "pkcs11:model=foo;object=bar".

In order to support this use case, automatically infer the appropriate
options to pass to openssl-dgst if "${KEY}" begins with
"pkcs11:". Doing this at the top level avoids duplicating the logic in
both writeSig and verifySig. While here, this also adds a sanity check
that -v can only be used while also providing a (public) key to check
against.

This drops the -keyform argument in the non-pkcs#11 case, as openssl
automatically infers the type, and this then in fact allows one to use
a private key in e.g. DER format.

Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
 2025-03-06 16:04:38 +00:00
Rasmus Villemoes
c6b8de409d rpi-eeprom-digest: honour SOURCE_DATE_EPOCH 
If used in a build environment that sets SOURCE_DATE_EPOCH, we should
honour that in order to generate reproducible binaries.

See https://reproducible-builds.org/specs/source-date-epoch/ .
 2024-11-08 09:48:14 +00:00
Tim Gover
d2979963b3 rpi-eeprom-digest: Fix help text regarding secure-boot support 2024-07-29 14:11:24 +01:00
Tim Gover
14f05613b4 tools: rpi-eeprom-digest: Improve docs for secure-boot 
Make it clearer that rpi-eeprom-digest is used create optionally
signed hashes for binary files.

For secure-boot the update-pieeprom.sh wrapper must be used
because only the boot configuration is signed by the customer
key rather than the entire SPI flash image.
 2024-03-27 14:45:28 +00:00
Tim Gover
9269d78320 Align rpi-eeprom-digest with usbboot 2022-11-07 09:37:15 +00:00
Tim Gover
eb3bb76a81 rpi-eeprom-digest: Update from usbboot for the verify option 
Sync to the version from usbboot in order to add support for
the verify option. This provides a command line interface for
verifying a .sig file (with RSA) against a public key in .PEM
format.
 2022-11-03 11:48:54 +00:00
Tim Gover
86eee571e2 rpi-eeprom-digest: Don't require xxd/openssl unless RSA signing is requested. 2021-12-01 21:34:19 +00:00
Tim Gover
86cc791879 rpi-eeprom-digest: Import script from rapsberrypi/usbboot 
Update rpi-eeprom to use the common .sig generator script from usbboot.
 2021-11-13 15:47:50 +00:00