Hello Jan,
I believe the documentation at [1] has some issues and should be revised. Please refer to the output of:
sign_encrypt.py --help
sign_encrypt.py digest --help
sign_encrypt.py stitch --help
The script can be found in optee_os/scripts. From the help text and my recollection of all this, here are some commands that should hopefully help (untested):
- To generate the digest (<UUID>.dig) you use "sign_encrypt.py digest":
  $ sign_encrypt.py digest --uuid <UUID> --in path/to/<UUID>.stripped.elf --key path/to/<your-public-key>.pem --dig <UUID>.dig
- Then you sign the digest with the HSM using pkcs11-tool:
  $ pkcs11-tool --id <your-key-id> -s --login -m RSA-PKCS-PSS --hash-algorithm SHA256 --mgf MGF1-SHA256 --input-file <UUID>.dig | base64 > <UUID>.sig
- Finally, to create the signed TA you use "sign_encrypt.py stitch":
  $ sign_encrypt.py stitch --uuid <UUID> --in path/to/<UUID>.stripped.elf --key <your-public-key>.pem --sig <UUID>.sig --out <UUID>.ta
Make sure OP-TEE is built with "make TA_PUBLIC_KEY=<your-public-key>.pem" as documented in mk/config.mk.
[1] https://optee.readthedocs.io/en/latest/building/trusted_applications.html#of...
HTH,
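As an added illustration (not part of the message above, and not OP-TEE's own code), the following stand-alone Python models the three-step flow end to end so the parameters of the HSM step can be checked in isolation: a digest is produced, signed with RSA-PSS/SHA-256/MGF1-SHA-256 and base64-encoded (the pkcs11-tool | base64 step), then verified against the public key (what stitch does before it will write the .ta). Assumptions: the digest here is a plain SHA-256 over a constructed fake image rather than the header-plus-ELF digest the real script computes, the PSS salt length is taken to be 32 bytes, and the "cryptography" package is available.

```python
import base64
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# Assumed PSS salt length. The HSM-side salt length must match whatever the
# verifying side uses, or stitch will reject a perfectly good signature.
PSS_SALT_LEN = 32

# PSS parameters shared by signer and verifier, mirroring the pkcs11-tool
# flags "-m RSA-PKCS-PSS --hash-algorithm SHA256 --mgf MGF1-SHA256".
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=PSS_SALT_LEN)


def make_digest(image: bytes) -> bytes:
    """Stand-in for the 'digest' step: SHA-256 over the bytes to be signed.

    The real sign_encrypt.py digest covers a TA header plus the ELF; this
    constructed version hashes only the image bytes so it runs offline."""
    return hashlib.sha256(image).digest()


def hsm_sign(private_key, digest: bytes) -> str:
    """Stand-in for 'pkcs11-tool -s ... --input-file <UUID>.dig | base64'.

    Signs an already-computed SHA-256 digest (Prehashed) with RSA-PSS and
    returns the base64 text that would land in <UUID>.sig."""
    sig = private_key.sign(digest, PSS, utils.Prehashed(hashes.SHA256()))
    # GNU base64 wraps at 76 columns and ends with a newline; emulate that
    # so the decode side is exercised against realistic input.
    b64 = base64.b64encode(sig).decode("ascii")
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76)) + "\n"


def stitch_verify(public_pem: bytes, digest: bytes, sig_b64: str) -> bool:
    """Stand-in for the check 'stitch' performs before writing the .ta:
    decode the base64 signature and verify it against the public key."""
    pub = serialization.load_pem_public_key(public_pem)
    # b64decode() with the default validate=False discards the newlines
    # that the base64 tool inserted.
    sig = base64.b64decode(sig_b64)
    try:
        pub.verify(sig, digest, PSS, utils.Prehashed(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def run_flow():
    """Run the flow with a throwaway key and a constructed fake TA image.

    Returns (good, tampered): True for the untouched image, False once the
    image (and hence the digest) no longer matches the signature."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    image = b"\x7fELF" + b"constructed fake stripped TA image\n" * 16
    digest = make_digest(image)
    sig_b64 = hsm_sign(key, digest)
    good = stitch_verify(pub_pem, digest, sig_b64)
    tampered = stitch_verify(pub_pem, make_digest(image + b"\x00"), sig_b64)
    return good, tampered


if __name__ == "__main__":
    print(run_flow())
```

The point of the tampered check is the failure mode a practitioner actually hits: stitch refuses the signature when the ELF passed to "stitch" differs from the one passed to "digest", or when the HSM was invoked with a different hash, MGF or salt length than the verifier expects. Because the key used for --key on both the digest and stitch commands is the public key, the private key never has to leave the HSM.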