imgtool: Add support for calculating SHA512
This adds support for hashing the image with SHA512, to allow
SHA512-ED25519-SHA512 signatures.
To support the above, a --sha parameter has been added that can take one of the values:
auto, 256, 384, 512
to select the sha, where auto keeps the default, i.e. current,
behaviour. The sha provided here is tested against the key, so not all
combinations are supported.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
index cc2cf9c..848fd31 100755
--- a/scripts/imgtool/main.py
+++ b/scripts/imgtool/main.py
@@ -72,6 +72,7 @@
'x25519': gen_x25519,
}
valid_formats = ['openssl', 'pkcs8']
+valid_sha = [ 'auto', '256', '384', '512' ]
def load_signature(sigfile):
@@ -401,6 +402,9 @@
@click.option('--sig-out', metavar='filename',
help='Path to the file to which signature will be written. '
'The image signature will be encoded as base64 formatted string')
+@click.option('--sha', 'user_sha', type=click.Choice(valid_sha), default='auto',
+ help='selected sha algorithm to use; defaults to "auto" which is 256 if '
+ 'no cryptographic signature is used, or default for signature type')
@click.option('--vector-to-sign', type=click.Choice(['payload', 'digest']),
help='send to OUTFILE the payload or payload''s digest instead '
'of complied image. These data can be used for external image '
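Review bot: The `--sha` help text does not mention that the chosen value is checked against the signing key, which the commit message states ("not all combinations are supported"). A user who overrides `auto` needs to know that before a build fails. The help could end with `'The value is checked against the key type; not every key/sha combination is supported.'`. It would also read more clearly if it said the values are SHA-2 digest sizes in bits, for example `'SHA-2 digest size in bits used to hash the image; ...'`.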
@@ -413,7 +417,7 @@
endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
load_addr, hex_addr, erased_val, save_enctlv, security_counter,
boot_record, custom_tlv, rom_fixed, max_align, clear, fix_sig,
- fix_sig_pubkey, sig_out, vector_to_sign, non_bootable):
+ fix_sig_pubkey, sig_out, user_sha, vector_to_sign, non_bootable):
if confirm:
# Confirmed but non-padded images don't make much sense, because
@@ -481,7 +485,7 @@
img.create(key, public_key_format, enckey, dependencies, boot_record,
custom_tlvs, int(encrypt_keylen), clear, baked_signature,
- pub_key, vector_to_sign)
+ pub_key, vector_to_sign, user_sha)
img.save(outfile, hex_addr)
if sig_out is not None:
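Review bot: `user_sha` is handed to `img.create` as a twelfth positional argument after `vector_to_sign`, so the call depends on the parameter order of `create`, whose definition is not in this file's diff. Passing it by keyword, `pub_key, vector_to_sign, user_sha=user_sha)`, prevents a later reordering or inserted parameter from silently binding the hash selection to the wrong slot. The key/sha compatibility check described in the commit message is presumably done inside `create`. If it raises, it should reach the user as a `click.UsageError` that names `--sha` rather than as a traceback. The call sits inside `sign`, whose body starts and ends outside this hunk.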