mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine

This patch adds the possibility to pass the PIN the OpenSSL Engine used during signing via the environment variable MKIMAGE_SIGN_PIN. This follows the approach used during kernel module signing ("KBUILD_SIGN_PIN") or UBIFS image signing ("MKIMAGE_SIGN_PIN"). Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2021-07-23 22:17:50 +02:00 · 2021-07-23 22:17:50 +02:00 · 62b27a561c
commit 62b27a561c
parent 89795ef3b6
2 changed files with 13 additions and 2 deletions
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@ -533,8 +533,8 @@ Generic engine key ids:
 or
  "<key-name-hint>"

-As mkimage does not at this time support prompting for passwords HSM may need
-key preloading wrapper to be used when invoking mkimage.
+In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN"
+can be specified.

 The following examples use the Nitrokey Pro using pkcs11 engine. Instructions
 for other devices may vary.
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@ -338,6 +338,7 @@ static int rsa_init(void)

 static int rsa_engine_init(const char *engine_id, ENGINE **pe)
 {
+	const char *key_pass;
 	ENGINE *e;
 	int ret;

@ -362,10 +363,20 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
 		goto err_set_rsa;
 	}

+	key_pass = getenv("MKIMAGE_SIGN_PIN");
+	if (key_pass) {
+		if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
+			fprintf(stderr, "Couldn't set PIN\n");
+			ret = -1;
+			goto err_set_pin;
+		}
+	}
+
 	*pe = e;

 	return 0;

+err_set_pin:
 err_set_rsa:
 	ENGINE_finish(e);
 err_engine_init: