tools: verify HSM signature based on provided public key

karalabe · timg236 · commit ed6dc56bc40d · 2025-07-17T17:17:06.000+01:00
If using an HSM, the public key is not derived, rather taken as an
input parameter. In that case, however, it can happen that the user
specifies a mismatching pubkey. This PR adds a check to make sure
the pubkey belongs to the signature before embedding it further.
diff --git a/tools/update-pieeprom.sh b/tools/update-pieeprom.sh
@@ -94,6 +94,9 @@ update_eeprom() {
            rpi-eeprom-digest \
               -i "${config}" -o "${TMP_CONFIG_SIG}" \
               -H "${HSM_WRAPPER}" || die "Failed to sign EEPROM config using HSM"
+           rpi-eeprom-digest \
+              -i "${config}" -v "${TMP_CONFIG_SIG}" \
+              -k "$public_pem_file" || die "Failed to verify EEPROM config signed by HSM"
         else
            rpi-eeprom-digest \
               -i "${config}" -o "${TMP_CONFIG_SIG}" \
