Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 06b5cdba9327215e0c98d3883188525ca6657d6c^! / . / tools / cert_create / src / dualroot / cot.c
commit06b5cdba9327215e0c98d3883188525ca6657d6c[log] [tgz]
authorRobin van der Gracht <robin@protonic.nl>Tue Sep 12 11:16:23 2023 +0200
committerRobin van der Gracht <robin@protonic.nl>Thu Sep 21 13:27:25 2023 +0200
tree6e290505fc336f0fc344d5799ebb322142c26e50
parentb2013baa9b179b7882256dad6beab7d6da9b056b [diff] [blame]
feat(cert-create): add pkcs11 engine support

Add pkcs11 engine support which allows using keys that are securely
stored on a HSM or TPM. To use this feature the user has to supply
an RFC 7512 compliant PKCS11 URI to a key instead of a file as an
argument to one of the key options. This change is fully backwards
compatible.

This change makes use of the openssl engine API which is deprecated
since openssl 3.0 and will most likely be removed in version 4. So
pkcs11 support will have to be updated to the openssl provider API
in the near future.

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Change-Id: If96725988ca62c5613ec59123943bf15922f5d1f

diff --git a/tools/cert_create/src/dualroot/cot.c b/tools/cert_create/src/dualroot/cot.c
index 4dd4cf0..81a7d75 100644
--- a/tools/cert_create/src/dualroot/cot.c
+++ b/tools/cert_create/src/dualroot/cot.c

@@ -540,42 +540,42 @@
 	[ROT_KEY] = {
 		.id = ROT_KEY,
 		.opt = "rot-key",
-		.help_msg = "Root Of Trust key (input/output file)",
+		.help_msg = "Root Of Trust key file or PKCS11 URI",
 		.desc = "Root Of Trust key"
 	},
 
 	[TRUSTED_WORLD_KEY] = {
 		.id = TRUSTED_WORLD_KEY,
 		.opt = "trusted-world-key",
-		.help_msg = "Trusted World key (input/output file)",
+		.help_msg = "Trusted World key file or PKCS11 URI",
 		.desc = "Trusted World key"
 	},
 
 	[SCP_FW_CONTENT_CERT_KEY] = {
 		.id = SCP_FW_CONTENT_CERT_KEY,
 		.opt = "scp-fw-key",
-		.help_msg = "SCP Firmware Content Certificate key (input/output file)",
+		.help_msg = "SCP Firmware Content Certificate key file or PKCS11 URI",
 		.desc = "SCP Firmware Content Certificate key"
 	},
 
 	[SOC_FW_CONTENT_CERT_KEY] = {
 		.id = SOC_FW_CONTENT_CERT_KEY,
 		.opt = "soc-fw-key",
-		.help_msg = "SoC Firmware Content Certificate key (input/output file)",
+		.help_msg = "SoC Firmware Content Certificate key file or PKCS11 URI",
 		.desc = "SoC Firmware Content Certificate key"
 	},
 
 	[TRUSTED_OS_FW_CONTENT_CERT_KEY] = {
 		.id = TRUSTED_OS_FW_CONTENT_CERT_KEY,
 		.opt = "tos-fw-key",
-		.help_msg = "Trusted OS Firmware Content Certificate key (input/output file)",
+		.help_msg = "Trusted OS Firmware Content Certificate key file or PKCS11 URI",
 		.desc = "Trusted OS Firmware Content Certificate key"
 	},
 
 	[PROT_KEY] = {
 		.id = PROT_KEY,
 		.opt = "prot-key",
-		.help_msg = "Platform Root of Trust key",
+		.help_msg = "Platform Root of Trust key file or PKCS11 URI",
 		.desc = "Platform Root of Trust key"
 	},
 };