查看“Signing tool”的源代码

<noinclude>
{{ClonedFrom | stm32mpu}}
</noinclude>
==Purpose==
STM32MP Signing Tool is a key tool that guarantees a secure platform, it ensures the signing of binary images using ECC keys generated by [[KeyGen tool]]. The signed binary images are used during the [[STM32MP15 secure boot]] sequence that supports a trusted boot chain; this action ensures an authentication and integrity check of the loaded images .

==STM32MP Signing Tool overview==
The STM32MP Signing Tool software generates a signed binary file from:
:* Binary image file : contains the binary data to be programmed for the STM32MP1 Series device.
:* Public key file: contains the generated ECC public key in PEM format (generated with the [[KeyGen tool]]).
:* Private key file: contains the encrypted ECC private key in PEM format (generated with the [[KeyGen tool]]).

If the image entry is an .stm32 file that already contains header and info, it is also possible to generate a signed binary file from the given .stm32 file with the batch file mode.
In that case, the parameters Entry point of image, Load address of image, and Image version are not mandatory.

Signing tool usage block diagram:
[[File:signingTool.png|800px|center|link=]]

==STM32MP Signing Tool install==
This section describes the requirements and procedure to use the STM32MP Signing Tool software.
===Linux install===
The STM32MP Signing Tool is tested on Ubuntu 14.04 and 16.04 32-bit and 64-bit and should work on any distribution.

To install the STM32MP Signing Tool, the installation of [[STM32CubeProgrammer]] is needed.

To run the STM32MP Signing Tool, launch the ./STM32MP_SigningTool_CLI.

===Windows install===
To install the STM32MP Signing Tool, the installation of [[STM32CubeProgrammer]] is needed.

To run it, launch the executable STM32MP_SigningTool_CLI.exe.

==Command line options==
Available options are:<br>
* --binary-image   -bin 
::Description : binary image file path<br>
::Syntax : -bin <File_Path><br>
* --public-key     -pubk
::Description : public key file path<br>
::Syntax : -pubk <File_Path><br>
*--private-key    -prvk
::Description : private key file path<br>
::Syntax : -prvk <File_Path><br>
*--password     -pwd
::Description : password of the private key<br>
::Syntax : -pwd <Password><br>
*--load-address   -la 
::Description : load address of image<br>
::Syntax : -la <Load_Address><br>
*--entry-point    -ep 
::Description : image entry point<br>
::Syntax : -ep <Entry_Point><br>
*--image-version  -iv
::Description : image version, Default is 0<br>
::Syntax : -iv <Version><br>
*--algorithm      -a
::Description : used algorithm : 1. (P-256 NIST) 2. (Brainpool 256), 1- P256NIST is the default algorithm<br>
::Syntax : -a <AlgoNbr><br>
* --option-flags   -of
::Description : option flags of image, default is 0<br>
::Syntax : -of <Option_Flags><br>
* --output         -o
::Description : output file path<br>
::Syntax : -o <Output_File_Path><br>
* --silent         -s
::Description : silent mode, no prompt messages<br>
::Syntax : -s<br>
* --binary-type    -type
::Description : identify binary file<br>
::Syntax : --binary-type  <type><br>

==STM32MP Signing Tool usage examples==
This section presents some examples of how to use the STM32MP Signing Tool software.

===Example 1:===

<pre>./STM32AP_SigningTool_CLI -bin /home/User/BinaryFile.bin –pubk /home/user/publicKey.pem –prvk /home/user/privateKey.pem –iv 5 –pwd azerty –la 0x20000000 –ep 0x08000000</pre>
The default algorithm is selected (prime256v1) and the option flags value is 0 (default value).
The signed output binary file (BinaryFile_Signed.bin) is created in the folder /home/user/

===Example 2:===

<pre>./STM32AP_SigningTool_CLI -bin /home/User/Folder1/BinaryFile.bin –pubk /home/user/publicKey.pem –prvk /home/user/privateKey.pem –iv 5 –pwd azerty –s –la 0x20000000 –ep 0x08000000 –a 2 –o /home/user/Folder2/Folder3/signedFile.bin</pre>
BrainpoolP256t1 algorithm is selected in this example.

===Example 3:===
<pre>./STM32AP_SigningTool_CLI -bin /home/User/Folder1/BinaryFile.stm32 –pubk /home/user/publicKey.pem –prvk /home/user/privateKey.pem –pwd azerty -t <type> –o /home/user/Folder2/Folder3/signedFile.bin</pre>

If the image entry is an .stm32 file that already contains header and info the only mandatory options are: public key, private key, password and Binary type.

{{ReviewsComments|MCC: can we have the most simple command as example:
STM32MP_SigningTool_CLI -bin /home/User/BinaryFile.bin -pubk /home/User/STM32AP_KeyGen/publicKey.pem -prvk /home/User/STM32AP_KeyGen/privateKey.pem -pwd azerty

be careful, copy paste of examples command lines to  linux terminal does not work (wrong characters issue)

can we get also explanation on where to find the following values as parameters iv, load_address, entry_point
}}

==Standalone mode==
When executing the STM32MP Signing Tool in standalone mode, an absolute path must be entered at first, then enter the password must be entered twice for confirmation.<br>
After specifying one of the two algorithms, enter the image version, image entry point, image load address, and finally the option flags value.<br>
By pressing enter, the output file path proposed by default is selected; if desired, a different output file path can be specified. <br>

<noinclude>
[[Category:Signing tool]]
{{PublicationRequestId | 10546 | 2019-02-04 | JulisaD}}
</noinclude>