A key generation utility for STM32MP SoCs.
This package does not provide an explicit method of generating ECDSA keys. Keys can be generated with the openssl package:
$ openssl ecparam -name prime256v1 -genkey -out <private_key.pem>
$ openssl ec -in <private_key.pem> -pubout -out <public_key.pem>
To be used by the STM32MP secure boot, the public key must be hashed. The ecdsa-sha256.py script is provided for this purpose:
$ ./ecdsa-sha256.py --public-key=<public_key.pem> --binhash-file=<hash.bin>
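As an added illustration (not code from this package), the sketch below shows what hashing the public key involves, under the assumption that the hash is SHA-256 over the raw 64-byte X || Y coordinates of the prime256v1 key. That format is an assumption here, so compare the output with ecdsa-sha256.py before relying on it; the function names and the sample key are constructed for the example.

```python
import base64
import hashlib

# DER prefix of a SubjectPublicKeyInfo holding an uncompressed prime256v1 key:
# SEQUENCE { SEQUENCE { id-ecPublicKey, prime256v1 }, BIT STRING { 0x04 X Y } }
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004")


def pem_to_der(pem_text):
    """Strip the armor of a PEM 'PUBLIC KEY' block and return the DER bytes."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a PEM public key (was the private key passed?)")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def raw_p256_point(der):
    """Return the 64-byte X || Y of an uncompressed prime256v1 public key."""
    if len(der) != len(P256_SPKI_PREFIX) + 64 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("expected an uncompressed prime256v1 public key")
    return der[len(P256_SPKI_PREFIX):]


def key_hash(pem_text):
    """Assumed hash format: SHA-256 over raw X || Y, giving 32 bytes."""
    return hashlib.sha256(raw_p256_point(pem_to_der(pem_text))).digest()


# Constructed sample: the prime256v1 base point G used as a public key
# (private scalar 1). Never use this key for real signing.
SAMPLE_X = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
SAMPLE_Y = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(
                  P256_SPKI_PREFIX + bytes.fromhex(SAMPLE_X + SAMPLE_Y)).decode()
              + "-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    # Print the 32-byte hash as hex, e.g. to compare with `xxd -p <hash.bin>`.
    print(key_hash(SAMPLE_PEM).hex())
```

A PEM of the wrong type (such as the private key file) or a key on another curve is rejected instead of being hashed.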
STM32 images can be checked and signed with stm32-sign.py. Note that images must already have an STM32 header (e.g. u-boot-spl.stm32).
$ ./stm32-sign.py --help
$ ./stm32-sign.py --key-file <public_key.pem> --verify <image.stm32>
To sign an STM32 image:
$ ./stm32-sign.py --key-file <private_key.pem> --sign <image.stm32> --output <image-signed.stm32>
The hash generation can be tested with tests/test_keyhash.sh. This tool compares the output of the key hashing utility to that of the official STM tool. It marks failing hashes for further analysis.
$ tests/test_keyhash.sh
Its behavior can be adjusted with the following environment variables:
- STM_KEYGEN_BIN - Location of the STM32MP_KeyGen_CLI binary
- KEYHASH_BIN - Location of the ecdsa-sha256.py tool