mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-28 15:41:40 +00:00
fit: cipher: aes: allow to store the IV in the FIT image
Binaries may be encrypted in a FIT image with AES. This algo needs a key and an IV (Initialization Vector). The IV is provided in a file (pointer by iv-name-hint in the ITS file) when building the ITB file. This commits adds provide an alternative way to manage the IV. If the property iv-name-hint is not provided in the ITS file, the tool mkimage will generate an random IV and store it in the FIT image. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
This commit is contained in:
parent
34ca77c1e1
commit
a6982a6f76
4 changed files with 72 additions and 19 deletions
|
@ -1463,7 +1463,7 @@ struct cipher_algo {
|
|||
unsigned char **cipher, int *cipher_len);
|
||||
|
||||
int (*add_cipher_data)(struct image_cipher_info *info,
|
||||
void *keydest);
|
||||
void *keydest, void *fit, int node_noffset);
|
||||
|
||||
int (*decrypt)(struct image_cipher_info *info,
|
||||
const void *cipher, size_t cipher_len,
|
||||
|
|
|
@ -13,7 +13,8 @@
|
|||
int image_aes_encrypt(struct image_cipher_info *info,
|
||||
const unsigned char *data, int size,
|
||||
unsigned char **cipher, int *cipher_len);
|
||||
int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest);
|
||||
int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest,
|
||||
void *fit, int node_noffset);
|
||||
#else
|
||||
int image_aes_encrypt(struct image_cipher_info *info,
|
||||
const unsigned char *data, int size,
|
||||
|
@ -22,7 +23,8 @@ int image_aes_encrypt(struct image_cipher_info *info,
|
|||
return -ENXIO;
|
||||
}
|
||||
|
||||
int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest)
|
||||
int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest,
|
||||
void *fit, int node_noffset)
|
||||
{
|
||||
return -ENXIO;
|
||||
}
|
||||
|
|
|
@ -74,7 +74,8 @@ int image_aes_encrypt(struct image_cipher_info *info,
|
|||
return ret;
|
||||
}
|
||||
|
||||
int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest)
|
||||
int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest,
|
||||
void *fit, int node_noffset)
|
||||
{
|
||||
int parent, node;
|
||||
char name[128];
|
||||
|
@ -97,8 +98,13 @@ int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest)
|
|||
goto done;
|
||||
|
||||
/* Either create or overwrite the named key node */
|
||||
snprintf(name, sizeof(name), "key-%s-%s-%s",
|
||||
info->name, info->keyname, info->ivname);
|
||||
if (info->ivname)
|
||||
snprintf(name, sizeof(name), "key-%s-%s-%s",
|
||||
info->name, info->keyname, info->ivname);
|
||||
else
|
||||
snprintf(name, sizeof(name), "key-%s-%s",
|
||||
info->name, info->keyname);
|
||||
|
||||
node = fdt_subnode_offset(keydest, parent, name);
|
||||
if (node == -FDT_ERR_NOTFOUND) {
|
||||
node = fdt_add_subnode(keydest, parent, name);
|
||||
|
@ -116,9 +122,17 @@ int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest)
|
|||
ret = node;
|
||||
}
|
||||
|
||||
if (!ret)
|
||||
if (ret)
|
||||
goto done;
|
||||
|
||||
if (info->ivname)
|
||||
/* Store the IV in the u-boot device tree */
|
||||
ret = fdt_setprop(keydest, node, "iv",
|
||||
info->iv, info->cipher->iv_len);
|
||||
else
|
||||
/* Store the IV in the FIT image */
|
||||
ret = fdt_setprop(fit, node_noffset, "iv",
|
||||
info->iv, info->cipher->iv_len);
|
||||
|
||||
if (!ret)
|
||||
ret = fdt_setprop(keydest, node, "key",
|
||||
|
|
|
@ -320,6 +320,36 @@ err:
|
|||
return ret;
|
||||
}
|
||||
|
||||
static int get_random_data(void *data, int size)
|
||||
{
|
||||
unsigned char *tmp = data;
|
||||
struct timespec date;
|
||||
int i, ret = 0;
|
||||
|
||||
if (!tmp) {
|
||||
printf("%s: pointer data is NULL\n", __func__);
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = clock_gettime(CLOCK_MONOTONIC, &date);
|
||||
if (ret < 0) {
|
||||
printf("%s: clock_gettime has failed (err=%d, str=%s)\n",
|
||||
__func__, ret, strerror(ret));
|
||||
goto out;
|
||||
}
|
||||
|
||||
srand(date.tv_nsec);
|
||||
|
||||
for (i = 0; i < size; i++) {
|
||||
*tmp = rand() & 0xff;
|
||||
tmp++;
|
||||
}
|
||||
|
||||
out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int fit_image_setup_cipher(struct image_cipher_info *info,
|
||||
const char *keydir, void *fit,
|
||||
const char *image_name, int image_noffset,
|
||||
|
@ -345,13 +375,13 @@ static int fit_image_setup_cipher(struct image_cipher_info *info,
|
|||
goto out;
|
||||
}
|
||||
|
||||
/* Read the IV name */
|
||||
/*
|
||||
* Read the IV name
|
||||
*
|
||||
* If this property is not provided then mkimage will generate
|
||||
* a random IV and store it in the FIT image
|
||||
*/
|
||||
info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL);
|
||||
if (!info->ivname) {
|
||||
printf("Can't get iv name for cipher in image '%s'\n",
|
||||
image_name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
info->fit = fit;
|
||||
info->node_noffset = noffset;
|
||||
|
@ -377,17 +407,23 @@ static int fit_image_setup_cipher(struct image_cipher_info *info,
|
|||
if (ret < 0)
|
||||
goto out;
|
||||
|
||||
/* Read the IV in the file */
|
||||
snprintf(filename, sizeof(filename), "%s/%s%s",
|
||||
info->keydir, info->ivname, ".bin");
|
||||
info->iv = malloc(info->cipher->iv_len);
|
||||
if (!info->iv) {
|
||||
printf("Can't allocate memory for iv\n");
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
ret = fit_image_read_data(filename, (unsigned char *)info->iv,
|
||||
info->cipher->iv_len);
|
||||
|
||||
if (info->ivname) {
|
||||
/* Read the IV in the file */
|
||||
snprintf(filename, sizeof(filename), "%s/%s%s",
|
||||
info->keydir, info->ivname, ".bin");
|
||||
ret = fit_image_read_data(filename, (unsigned char *)info->iv,
|
||||
info->cipher->iv_len);
|
||||
} else {
|
||||
/* Generate an ramdom IV */
|
||||
ret = get_random_data((void *)info->iv, info->cipher->iv_len);
|
||||
}
|
||||
|
||||
out:
|
||||
return ret;
|
||||
|
@ -453,9 +489,10 @@ fit_image_process_cipher(const char *keydir, void *keydest, void *fit,
|
|||
* Write the public key into the supplied FDT file; this might fail
|
||||
* several times, since we try signing with successively increasing
|
||||
* size values
|
||||
* And, if needed, write the iv in the FIT file
|
||||
*/
|
||||
if (keydest) {
|
||||
ret = info.cipher->add_cipher_data(&info, keydest);
|
||||
ret = info.cipher->add_cipher_data(&info, keydest, fit, node_noffset);
|
||||
if (ret) {
|
||||
printf("Failed to add verification data for cipher '%s' in image '%s'\n",
|
||||
info.keyname, image_name);
|
||||
|
|
Loading…
Reference in a new issue