Signing tool
Purpose
The STM32MP Signing Tool is a key component of a secure platform: it signs binary images with the ECC keys generated by the KeyGen tool. The signed binary images are used during the STM32MP15 secure boot sequence, which supports a trusted boot chain; the signature allows the boot chain to authenticate each loaded image and check its integrity.
STM32MP Signing Tool overview
The STM32MP Signing Tool software generates a signed binary file from:
- Binary image file: contains the binary data to be programmed on the STM32MP1 Series device.
- Public key file: contains the generated ECC public key in PEM format (generated with the KeyGen tool).
- Private key file: contains the encrypted ECC private key in PEM format (generated with the KeyGen tool).
If the input image is an .stm32 file that already contains a header and its information, it is also possible to generate a signed binary file from that .stm32 file in batch-file mode. In that case, the parameters Entry point of image, Load address of image, and Image version are not mandatory.
Signing tool usage block diagram:
STM32MP Signing Tool install
This section describes the requirements and procedure to use the STM32MP Signing Tool software.
Linux install
The STM32MP Signing Tool is tested on Ubuntu 14.04 and 16.04 (32-bit and 64-bit) and should work on any distribution.
To install the STM32MP Signing Tool, STM32CubeProgrammer must be installed.
To run the STM32MP Signing Tool, launch ./STM32MP_SigningTool_CLI.
Windows install
To install the STM32MP Signing Tool, STM32CubeProgrammer must be installed.
To run it, launch the executable STM32MP_SigningTool_CLI.exe.
Command line options
Available options are:
- --binary-image, -bin
  - Description: binary image file path
  - Syntax: -bin <File_Path>
- --public-key, -pubk
  - Description: public key file path
  - Syntax: -pubk <File_Path>
- --private-key, -prvk
  - Description: private key file path
  - Syntax: -prvk <File_Path>
- --password, -pwd
  - Description: password of the private key
  - Syntax: -pwd <Password>
- --load-address, -la
  - Description: load address of the image
  - Syntax: -la <Load_Address>
- --entry-point, -ep
  - Description: image entry point
  - Syntax: -ep <Entry_Point>
- --image-version, -iv
  - Description: image version; default is 0
  - Syntax: -iv <Version>
- --algorithm, -a
  - Description: algorithm used: 1 = P-256 NIST, 2 = Brainpool 256; P-256 NIST (1) is the default
  - Syntax: -a <AlgoNbr>
- --option-flags, -of
  - Description: option flags of the image; default is 0
  - Syntax: -of <Option_Flags>
- --output, -o
  - Description: output file path
  - Syntax: -o <Output_File_Path>
- --silent, -s
  - Description: silent mode, no prompt messages
  - Syntax: -s
- --binary-type, -type
  - Description: identifies the binary file type
  - Syntax: --binary-type <type>
STM32MP Signing Tool usage examples
This section presents some examples of how to use the STM32MP Signing Tool software.
Example 1:
./STM32MP_SigningTool_CLI -bin /home/User/BinaryFile.bin -pubk /home/user/publicKey.pem -prvk /home/user/privateKey.pem -iv 5 -pwd azerty -la 0x20000000 -ep 0x08000000
The default algorithm is selected (prime256v1) and the option flags value is 0 (default value). The signed output binary file (BinaryFile_Signed.bin) is created in the folder /home/user/.
Example 2:
./STM32MP_SigningTool_CLI -bin /home/User/Folder1/BinaryFile.bin -pubk /home/user/publicKey.pem -prvk /home/user/privateKey.pem -iv 5 -pwd azerty -s -la 0x20000000 -ep 0x08000000 -a 2 -o /home/user/Folder2/Folder3/signedFile.bin
BrainpoolP256t1 algorithm is selected in this example.
Example 3:
./STM32MP_SigningTool_CLI -bin /home/User/Folder1/BinaryFile.stm32 -pubk /home/user/publicKey.pem -prvk /home/user/privateKey.pem -pwd azerty -t <type> -o /home/user/Folder2/Folder3/signedFile.bin
If the input image is an .stm32 file that already contains a header and its information, the only mandatory options are the public key, the private key, the password and the binary type.
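The examples above show how to produce a signed image; a practitioner also wants to look at what came out before provisioning it. The following inspector is an added example written for this page, not code from ST or the STM32MP Signing Tool. It assumes the STM32 v1.0 image header layout documented in ST's separate header description (256-byte header: "STM2" magic, 64-byte ECDSA signature, 32-bit payload checksum, header version, image length, entry point, load address, image version, option flags, algorithm id, raw 64-byte public key, binary type), that the signature covers the header from offset 0x48 to the end of the image, and that option flag bit 0 disables signature verification in the ROM; none of these details are stated on this page. It does not verify the ECDSA signature itself (that needs an EC library and the public key), but it checks the header fields and checksum, flags an image whose option flags would skip authentication, and computes the SHA-256 of the embedded public key, which is the value that must match the key hash provisioned in OTP.

```python
"""Inspect a signed STM32MP1 image (v1.0 header) with the Python standard library.

Added example, not part of the STM32MP Signing Tool. The header layout below is
an assumption taken from ST's separate STM32 header documentation.
"""
import hashlib
import struct

# v1.0 header: 256 bytes, little-endian fields (assumed layout).
HEADER_FMT = "<4s64sI4sIIIIIIII64s83sB"
HEADER_LEN = struct.calcsize(HEADER_FMT)            # 256
MAGIC = b"STM2"
HEADER_VERSION_V1 = b"\x00\x00\x01\x00"             # header v1.0
SIGNED_REGION_OFFSET = 0x48                         # signature covers from here to end of image (assumed)
ALGORITHMS = {1: "P-256 NIST", 2: "Brainpool 256"}  # -a 1 / -a 2 on this page
OPT_NO_SIGNATURE_CHECK = 0x1                        # option flag bit 0 (assumed meaning)


def build_image(payload, pubkey_xy, entry_point, load_address, image_version=0,
                option_flags=0, algorithm=1, binary_type=0, signature=b"\x00" * 64):
    """Assemble header + payload the way a signing tool lays it out.

    The signature stays zero here because producing it needs the ECC private
    key; inspect_image() checks everything except the ECDSA step.
    """
    if len(pubkey_xy) != 64 or len(signature) != 64:
        raise ValueError("raw public key (X||Y) and signature (r||s) must be 64 bytes")
    checksum = sum(payload) & 0xFFFFFFFF             # 32-bit sum of all payload bytes
    header = struct.pack(
        HEADER_FMT, MAGIC, signature, checksum, HEADER_VERSION_V1, len(payload),
        entry_point, 0, load_address, 0, image_version, option_flags, algorithm,
        pubkey_xy, b"\x00" * 83, binary_type)
    return header + payload


def inspect_image(image):
    """Parse the header and return the checks a secure boot applies (minus ECDSA)."""
    if len(image) < HEADER_LEN:
        raise ValueError("file shorter than a 256-byte STM32 header")
    (magic, signature, checksum, hdr_ver, img_len, entry, _res1, load, _res2,
     version, opt_flags, algo, pubkey, _pad, bin_type) = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    payload = image[HEADER_LEN:]
    return {
        "magic_ok": magic == MAGIC,
        "header_version_ok": hdr_ver == HEADER_VERSION_V1,
        "length_ok": img_len == len(payload),
        "checksum_ok": (sum(payload) & 0xFFFFFFFF) == checksum,
        "entry_point": entry,
        "load_address": load,
        "image_version": version,
        "option_flags": opt_flags,
        # If bit 0 is set the ROM skips authentication: a signed image should have it clear.
        "signature_required": not (opt_flags & OPT_NO_SIGNATURE_CHECK),
        "algorithm": ALGORITHMS.get(algo, "unknown (%d)" % algo),
        "binary_type": bin_type,
        "signature_present": any(signature),
        # Digest the ECDSA signature is computed over (header from 0x48 plus payload).
        "signed_digest": hashlib.sha256(image[SIGNED_REGION_OFFSET:]).hexdigest(),
        # Hash of the raw public key; the boot ROM compares it with the OTP-provisioned hash.
        "pubkey_hash": hashlib.sha256(pubkey).hexdigest(),
    }


def image_is_consistent(info):
    """True when magic, header version, length and checksum all check out."""
    return all(info[k] for k in ("magic_ok", "header_version_ok", "length_ok", "checksum_ok"))


if __name__ == "__main__":
    # Constructed sample: a 16-byte payload and a dummy 64-byte public key.
    payload = b"\xde\xad\xbe\xef" * 4
    pubkey = bytes(range(64))
    image = build_image(payload, pubkey, entry_point=0x08000000, load_address=0x20000000, image_version=5)
    info = inspect_image(image)
    print("consistent:", image_is_consistent(info), "signature required:", info["signature_required"])
    print("public key hash to compare with OTP:", info["pubkey_hash"])
    # Tamper with one payload byte: the checksum no longer matches.
    tampered = bytearray(image)
    tampered[HEADER_LEN] ^= 0x01
    print("tampered consistent:", image_is_consistent(inspect_image(bytes(tampered))))
```

Run it against a real output file by replacing the constructed sample with `open("signedFile.bin", "rb").read()`; an image whose `signature_required` is False, or whose `pubkey_hash` differs from the hash written to OTP, will not be authenticated by the trusted boot chain even though it signs cleanly.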
Standalone mode
When executing the STM32MP Signing Tool in standalone mode, an absolute path must be entered first, then the password must be entered twice for confirmation.
After selecting one of the two algorithms, enter the image version, image entry point, image load address, and finally the option flags value.
By pressing enter, the output file path proposed by default is selected; if desired, a different output file path can be specified.
<securetransclude src="ProtectedTemplate:PublicationRequestId" params="10546 | 2019-02-04 | JulisaD"></securetransclude>