diff --git a/mcuboot/scripts/imgtool/image.py b/mcuboot/scripts/imgtool/image.py
index 3de8357a..2107239d 100644
--- a/mcuboot/scripts/imgtool/image.py
+++ b/mcuboot/scripts/imgtool/image.py
@@ -25,6 +25,8 @@ from .boot_record import create_sw_component_data
import click
from enum import Enum
from intelhex import IntelHex
+import subprocess
+import base64
import hashlib
import struct
import os.path
@@ -317,7 +319,7 @@ class Image():
def create(self, key, public_key_format, enckey, dependencies=None,
sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False,
- fixed_sig=None, pub_key=None, vector_to_sign=None):
+ fixed_sig=None, pub_key=None, vector_to_sign=None, fixed_sig_script=None):
self.enckey = enckey
# Check what hashing algorithm should be used
@@ -471,7 +473,16 @@ class Image():
else:
tlv.add('PUBKEY', pub)
- if key is not None and fixed_sig is None:
+ if fixed_sig_script is not None:
+ # Call fixed signature script with payload and digest to get signature
+ # The script should return the signature in binary format
+ digest_base64 = base64.b64encode(digest).decode('ascii')
+ print(os.path.basename(__file__) + ": call fixed signature script with digest and input file")
+ result = subprocess.run([fixed_sig_script, digest_base64], stdout=subprocess.PIPE, check=True, input=self.payload)
+ stdout = result.stdout
+ self.signature = base64.b64decode(stdout.decode('ascii'))
+ tlv.add(pub_key.sig_tlv(), self.signature)
+ elif key is not None and fixed_sig is None:
# `sign` expects the full image payload (hashing done
# internally), while `sign_digest` expects only the digest
# of the payload
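Review bot: The script output is decoded with `base64.b64decode(stdout.decode('ascii'))` in its default lenient mode, which silently drops any non-alphabet bytes, so a script that prints a diagnostic line before the blob, or exits 0 with empty stdout, yields a corrupted or empty signature that is written straight into the TLV with no check. Decode strictly and reject an empty result: `self.signature = base64.b64decode(result.stdout.strip(), validate=True)` followed by `if not self.signature: raise RuntimeError(fixed_sig_script + ' returned an empty signature')`. If the loaded key class offers a verify helper, checking the returned signature against `digest` with `pub_key` here would catch a script that signed with the wrong key before the image is produced; I cannot confirm from this hunk that such a helper exists. Note also that the new branch takes precedence over `fixed_sig`, so when both are supplied the caller's explicit signature is silently ignored. The enclosing `create` method starts and ends outside the hunk.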
diff --git a/mcuboot/scripts/imgtool/main.py b/mcuboot/scripts/imgtool/main.py
index e24c9a08..3a81bc31 100755
--- a/mcuboot/scripts/imgtool/main.py
+++ b/mcuboot/scripts/imgtool/main.py
@@ -394,6 +394,8 @@ class BasedIntParamType(click.ParamType):
'the signature calculated using the public key')
@click.option('--fix-sig-pubkey', metavar='filename',
help='public key relevant to fixed signature')
[email protected]('--fix-sig-script', metavar='filename',
+ help='script to generate fixed signature')
@click.option('--sig-out', metavar='filename',
help='Path to the file to which signature will be written. '
'The image signature will be encoded as base64 formatted string')
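Review bot: The help text for `--fix-sig-script` does not state the contract the script must satisfy, which a user cannot discover without reading image.py: it is invoked with the base64-encoded image digest as its only argument, receives the image payload on stdin, and must write the base64-encoded signature to stdout. Spell that out in the option, e.g. `help='script that produces the fixed signature: called with the base64 image digest as its argument, given the image payload on stdin, and expected to print the base64 signature on stdout'`. It should also say that `--fix-sig-pubkey` is required with it, as the validation in `sign` enforces.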
@@ -409,7 +411,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
load_addr, hex_addr, erased_val, save_enctlv, security_counter,
boot_record, custom_tlv, rom_fixed, max_align, clear, fix_sig,
- fix_sig_pubkey, sig_out, vector_to_sign):
+ fix_sig_pubkey, fix_sig_script, sig_out, vector_to_sign):
if confirm:
# Confirmed but non-padded images don't make much sense, because
@@ -463,20 +465,21 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
baked_signature = None
pub_key = None
- if raw_signature is not None:
+ if raw_signature is not None or fix_sig_script is not None:
if fix_sig_pubkey is None:
raise click.UsageError(
'public key of the fixed signature is not specified')
pub_key = load_key(fix_sig_pubkey)
- baked_signature = {
- 'value': raw_signature
- }
+ if raw_signature is not None:
+ baked_signature = {
+ 'value': raw_signature
+ }
img.create(key, public_key_format, enckey, dependencies, boot_record,
custom_tlvs, int(encrypt_keylen), clear, baked_signature,
- pub_key, vector_to_sign)
+ pub_key, vector_to_sign, fix_sig_script)
img.save(outfile, hex_addr)
if sig_out is not None:
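Review bot: The combined condition `if raw_signature is not None or fix_sig_script is not None:` accepts both options at once, and nothing rejects that pairing even though only one signature can be used, so a user passing `--fix-sig` and `--fix-sig-script` together gets whichever branch image.py happens to prefer without any warning. Add an explicit guard before the public-key check: `if raw_signature is not None and fix_sig_script is not None: raise click.UsageError('--fix-sig and --fix-sig-script are mutually exclusive')`. The `sign` function begins before this hunk and continues after it.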