makefiles/suit: generate password-protected key file

makefiles/suit.base.inc.mk

@@ -17,6 +17,11 @@ else
   SUIT_KEY_DIR ?= $(RIOTBASE)/keys
 endif
 
+# Enable user to encrypt private key with a password
+ifneq (,$(SUIT_SEC_PASSWORD))
+  SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD)
+endif
+
 SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem
 
 SUIT_PUB_HDR = $(BINDIR)/riotbuild/public_key.h
@@ -27,14 +32,14 @@ BUILDDEPS += $(SUIT_PUB_HDR)
 $(SUIT_SEC): $(CLEAN)
 	$(Q)echo suit: generating key in $(SUIT_KEY_DIR)
 	$(Q)mkdir -p $(SUIT_KEY_DIR)
-	$(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC)
+	$(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC) $(SUIT_SEC_PASSWORD)
 
 # set FORCE so switching between keys using "SUIT_KEY=foo make ..."
 # triggers a rebuild even if the new key would otherwise not (because the other
 # key's mtime is too far back).
 $(SUIT_PUB_HDR): $(SUIT_SEC) FORCE | $(CLEAN)
 	$(Q)mkdir -p $(SUIT_PUB_HDR_DIR)
-	$(Q)$(SUIT_TOOL) pubkey -f header -k $(SUIT_SEC) \
+	$(Q)$(SUIT_TOOL) pubkey $(SUIT_TOOL_ARGS) -f header -k $(SUIT_SEC) \
 	  | '$(LAZYSPONGE)' $(LAZYSPONGE_FLAGS) '$@'
 
 suit/genkey: $(SUIT_SEC)

makefiles/suit.inc.mk

@@ -53,7 +53,7 @@ $(SUIT_MANIFEST): $(SUIT_MANIFEST_PAYLOADS) $(BINDIR_SUIT)
 	$(Q)rm -f $@.tmp
 
 $(SUIT_MANIFEST_SIGNED): $(SUIT_MANIFEST) $(SUIT_SEC)
-	$(Q)$(SUIT_TOOL) sign -k $(SUIT_SEC) -m $(SUIT_MANIFEST) -o $@
+	$(Q)$(SUIT_TOOL) sign $(SUIT_TOOL_ARGS) -k $(SUIT_SEC) -m $(SUIT_MANIFEST) -o $@
 
 $(SUIT_MANIFEST_LATEST): $(SUIT_MANIFEST)
 	$(Q)ln -f -s $< $@