From patchwork Thu Nov 26 13:51:45 2020
X-Patchwork-Submitter: Stefano Babic
X-Patchwork-Id: 1406685
From: Stefano Babic
To: swupdate@googlegroups.com
Cc: Stefano Babic
Subject: [swupdate] [meta-swupdate] swupdate: encrypt artefact when building SWU
Date: Thu, 26 Nov 2020 14:51:45 +0100
Message-Id: <20201126135145.72571-1-sbabic@denx.de>
X-Mailer: git-send-email 2.25.1

Add support to swupdate.bbclass to encrypt artefacts before packing them into the SWU. This guarantees that all artefacts are encrypted with the same key.

Signed-off-by: Stefano Babic
---
 classes/swupdate-common.bbclass | 38 +++++++++++++++++++++++++++++++++
 classes/swupdate.bbclass        | 21 ++++++++++++++----
 2 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
index c0b302a..17c7916 100644
--- a/classes/swupdate-common.bbclass
+++ b/classes/swupdate-common.bbclass
@@ -18,6 +18,36 @@ def swupdate_get_sha256(s, filename): m.update(data) return m.hexdigest() +def swupdate_extract_keys(keyfile): + try: + keys = open(keyfile) + except IOError: + bb.fatal("Failed to open file with keys %s" % (keyfile)) + lines = keys.read() + keys.close() + lines = lines.splitlines(True) + for line in lines: + line = line.replace('\n', '') + kv = line.split('=') + if kv[0] == 'salt': + salt = kv[1] + if kv[0] == 'key': + key = kv[1] + if kv[0] == 'iv' or kv[0] == 'iv ': + iv = kv[1] + return key,iv,salt + +def swupdate_encrypt_file(f, out, key, ivt, salt): + cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % ( + f, + out, + key, + ivt, + salt) + if os.system(cmd) != 0: + bb.fatal("Failed to encrypt %s" % (f)) + + def swupdate_write_sha256(s, filename, hash): write_lines = [] @@ -66,6 +96,7 @@ def swupdate_expand_bitbake_variables(d, s): f.write(line) def prepare_sw_description(d, s, list_for_cpio): + import shutil swupdate_expand_bitbake_variables(d, s) @@ -74,6 +105,13 @@ def prepare_sw_description(d, s, list_for_cpio): hash = swupdate_get_sha256(s, file) swupdate_write_sha256(s, file, hash) + encrypt = d.getVar('SWUPDATE_ENCRYPT_SWDESC', True) + if encrypt: + bb.note("Encryption of sw-description") + shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain')) + key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt) + signing = d.getVar('SWUPDATE_SIGNING', True) if signing == "1": bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.') diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index c0cb7f9..b94955c 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass 
@@ -100,16 +100,28 @@ python do_swuimage () { local = fetch.localpath(url) filename = os.path.basename(local) if (filename != 'sw-description') and (os.path.isfile(local)): - shutil.copyfile(local, os.path.join(s, "%s" % filename )) + encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "") + key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + dst = os.path.join(s, "%s" % filename ) + if encrypted == '1': + bb.note("Encryption requested for %s" %(filename)) + swupdate_encrypt_file(local, dst, key, iv, salt) + else: + shutil.copyfile(local, dst) list_for_cpio.append(filename) - def add_image_to_swu(deploydir, imagename, s): + def add_image_to_swu(deploydir, imagename, s, encrypt): src = os.path.join(deploydir, imagename) if not os.path.isfile(src): return False target_imagename = os.path.basename(imagename) # allow images in subfolders of DEPLOY_DIR_IMAGE dst = os.path.join(s, target_imagename) - shutil.copyfile(src, dst) + if encrypt == '1': + key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + bb.note("Encryption requested for %s" %(imagename)) + swupdate_encrypt_file(src, dst, key, iv, salt) + else: + shutil.copyfile(src, dst) list_for_cpio.append(target_imagename) return True @@ -118,6 +130,7 @@ python do_swuimage () { imgdeploydir = d.getVar('IMGDEPLOYDIR', True) for image in images: fstypes = (d.getVarFlag("SWUPDATE_IMAGES_FSTYPES", image, True) or "").split() + encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", image, True) or "") if fstypes: noappend_machine = d.getVarFlag("SWUPDATE_IMAGES_NOAPPEND_MACHINE", image, True) if noappend_machine == False: # Search for a file explicitely with MACHINE 
@@ -129,7 +142,7 @@ python do_swuimage () { for fstype in fstypes: image_found = False for imagebase in imagebases: - image_found = add_image_to_swu(deploydir, imagebase + fstype, s) + image_found = add_image_to_swu(deploydir, imagebase + fstype, s, encrypted) if image_found: break if not image_found:
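Review bot: in the swupdate-common.bbclass hunk at @@ -18,6 +18,36, swupdate_extract_keys indexes kv[1] unconditionally, so a blank or comment line in the key file (no '=') raises IndexError, and a file that lacks any of key, iv or salt fails at `return key,iv,salt` with an UnboundLocalError instead of a readable error. Split with `kv = line.split('=', 1)`, skip lines where `len(kv) != 2`, strip both halves (which also removes the need for the `kv[0] == 'iv '` special case) and call bb.fatal if one of the three values is still unset after the loop. In swupdate_encrypt_file the key, IV and salt are interpolated into a shell command string for os.system; build the command as an argument list and run it with `subprocess.run([...], check=True)` so the values never pass through a shell, and keep in mind that with `-K` the key is still visible in the build host's process list for as long as openssl runs.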
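Review bot: in the swupdate-common.bbclass hunk at @@ -74,6 +105,13, the plaintext copy sw-description.plain is written next to the encrypted sw-description in `s` and nothing removes it, so the unencrypted manifest stays in the work directory after the build; it is not appended to list_for_cpio, so it should not end up in the SWU, but the plaintext still lingers on disk. Either remove it after swupdate_encrypt_file succeeds, or encrypt into a temporary name and rename it over sw-description. The encryption block is placed before the `signing = d.getVar('SWUPDATE_SIGNING', True)` code, so whatever the signing code signs is the encrypted file; a short comment saying that this ordering is intentional would help the next reader.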
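Review bot: in the swupdate.bbclass hunk at @@ -100,16 +100,28, the SRC_URI loop calls `swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))` for every file before checking `encrypted`, so a recipe that does not set SWUPDATE_AES_FILE now breaks for every plain artefact: d.getVar returns None, `open(None)` raises TypeError, the `except IOError` in swupdate_extract_keys does not catch it, and the task dies with a traceback instead of a bb.fatal message. Move the key extraction under `if encrypted == '1':`, as add_image_to_swu in the same hunk already does. Both call sites also re-read the key file once per artefact; reading it once before the loops when any artefact or image requests encryption would avoid that.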
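Review bot: the swupdate.bbclass hunk at @@ -118,6 +130,7 introduces the SWUPDATE_IMAGES_ENCRYPTED varflag, and the earlier hunks add SWUPDATE_ENCRYPT_SWDESC and make SWUPDATE_AES_FILE required whenever encryption is requested, but the patch updates no documentation. Please document the three variables, the key-file format that swupdate_extract_keys expects (one `key=`, `iv=` and `salt=` line each, hex values) and the fact that, because prepare_sw_description hashes the files already placed in `s`, the sha256 written into sw-description is computed over the encrypted artefact as stored in the SWU.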