I was able to create the fuse blobs and signed images using a regular OpenSSL-generated RSA key. I need to use a key generated by an HSM for production. How do I go about creating these blobs?
For the fuse blobs, we need only the hash of the public key and do not need access to the private key portion. I see that the odmfuse.sh script has an option -H (HASHFILE) to input a hash. This is not shown in the help options. I computed the SHA256 hash of the modulus of the public key and found that it doesn’t match with the computed hash. There seems to be something else added to the data over which the hash is computed. Could you please provide details so that I could compute the hash and provide that to the script?
For the script to sign and encrypt images, there isn’t such an option. We need to use the HSM to do the signature. Hence we need something like having the scripts generate the data to sign, then we need to separately sign it using the HSM. Then once this is done, another script should combine all these signatures together and make the images.
Please let me know how I can go about creating fuse blobs and signed/encrypted images using the HSM (Hardware Security Module).