53 changes: 50 additions & 3 deletions README.md
@@ -14,6 +14,10 @@ It uses ECDSA (Elliptic Curve Digital Signature Algorithm) to ensure the integri

- Sign/Verify firmware images with ECDSA (NIST P-256 or brainpool 256).
- Support for HSM Token (PKCS#11).
- Support for separate public key usage (private key only needed for signing).
- Two-step signing workflow for external signing (HSM, remote signing, etc.).
- Automatic DER signature format parsing (compatible with OpenSSL output).
- Generate public key hash from either private or public key.
- Currently supports only STM32MP15x MPU firmware image headers.

## Requirements
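Review bot: the new feature bullet "Automatic DER signature format parsing (compatible with OpenSSL output)" understates what the tool accepts; the same change documents raw 64-byte signatures for `-d` further down, so the bullet should say so, e.g. "Accepts DER-encoded (OpenSSL) or raw 64-byte r||s signatures", otherwise the feature list and the option reference disagree. The bullet "Support for separate public key usage (private key only needed for signing)" would also be clearer as "public-key-only operation (hash generation and applying an external signature need no private key)", since that is the capability the two-step workflow relies on.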
@@ -69,6 +73,26 @@ Sign a firmware image using the following command:
stm32mp-sign-tool -k <private_key_file> -i <image.stm32> -o <image.stm32.signed>
```

Create sha256 to sign from image

```sh
stm32mp-sign-tool -u <public_key_file> -i <image.stm32> -s <image-sha256.bin>
```

Sign image eg. with openssl

```sh
openssl pkeyutl -sign -inkey <private_key_file> -passin pass:<> -in <image-sha256.bin> -out <signature.der>
```

Apply the signature to create the signed image

```sh
stm32mp-sign-tool -u <public_key_file> -i <image.stm32> -d <signature.der> -o <image.stm32.signed>
```

The tool automatically handles both DER-encoded signatures (from OpenSSL) and raw 64-byte signatures.

### Sign a Firmware Image using a HSM Token

Generate an ECDSA key:
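Review bot: the `openssl pkeyutl -sign ... -passin pass:<>` example puts the key passphrase on the command line, where it ends up in shell history and is visible to other users through the process list; for a README aimed at HSM and remote-signing users, show `-passin file:<passfile>`, `-passin env:<VAR>` or `-passin stdin` instead, or omit `-passin` for an unencrypted key. Two smaller points in the same hunk: the hash step `stm32mp-sign-tool -u <public_key_file> -i <image.stm32> -s <image-sha256.bin>` takes a public key but nothing says why one is needed to produce a digest, nor that the same key must be passed again at the `-d` step (a mismatch between the two invocations would produce an image the boot ROM rejects); a sentence to that effect would help. And the heading "Create sha256 to sign from image" should state that `-s` writes the raw 32-byte digest, which `pkeyutl -sign` signs as-is without hashing again, since that is what makes the OpenSSL step correct.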
@@ -85,15 +109,38 @@ stm32mp-sign-tool -v -k "pkcs11:object=<KeyLabel>" -p <pin> -i <image.stm32> -o

### Generating the public key hashes

From a private key:

```sh
stm32mp-sign-tool -v -k <private_key_file> -h <hash output>
stm32mp-sign-tool -v -k <private_key_file> -h <hash_output>
```
or

From a public key:

```sh
stm32mp-sign-tool -v -k "pkcs11:object=<KeyLabel>" -p <pin> -h <hash output>
stm32mp-sign-tool -u <public_key_file> -h <hash_output>
```

Or with PKCS#11:

```sh
stm32mp-sign-tool -k "pkcs11:object=<KeyLabel>" -p <pin> -h <hash_output>
```

## Command Line Options

- `-k` - Private key file or PKCS#11 URI (required for signing)
- `-u` - Public key file
- `-p` - Passphrase or PIN for private key
- `-v` - Verbose mode
- `-i` - Input image file to sign
- `-o` - Output signed image file
- `-h` - Output file for public key hash
- `-s` - Output file for hash to sign
- `-d` - Input signature file

**Note:** The `-d` option accepts both DER-encoded signatures (standard OpenSSL output) and raw 64-byte signatures.

## License

This project is licensed under the terms of the **GNU General Public License v3 (GPLv3)**. You are free to use, modify, and distribute this software under the conditions outlined in the GPLv3 license.
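Review bot: `-k` is documented as "Private key file or PKCS#11 URI (required for signing)", but the two-step workflow added in this same change produces the signed image with only `-u` and `-d`; reword to something like "(required for one-step signing and for PKCS#11 operation)" so the option list matches the workflows. Three consistency points in the same hunk: the private-key hash example keeps `-v` while the new `-u` and PKCS#11 examples drop it, which reads as if verbose mode were part of the command, so either add `-v` to all three or remove it from the first; `-h` is used for the public-key hash output and therefore does not print help as most users will expect, which deserves a one-line warning next to the option; and the note that `-d` accepts DER or raw 64-byte signatures repeats the sentence already added under the two-step workflow, so keep it in one place (the option list is the natural home) and refer to it from the workflow.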