From patchwork Mon Dec 4 10:05:39 2023
X-Patchwork-Submitter: Michael Glembotzki
X-Patchwork-Id: 1871481
From: Michael Glembotzki
To: swupdate@googlegroups.com
Cc: Michael Glembotzki
Subject: [swupdate] [V2][PATCH 07/10] swupdate: Initalize the recipient key pair for asym decryption
Date: Mon, 4 Dec 2023 11:05:39 +0100
Message-ID: <20231204100620.27789-8-Michael.Glembotzki@iris-sensing.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20231204100620.27789-1-Michael.Glembotzki@iris-sensing.com>
References: <20231204100620.27789-1-Michael.Glembotzki@iris-sensing.com>

Add recipient key fname to swupdate_cfg for asym decryption. Read and initialize the recip-keypair from argument -r or configuration file.

Signed-off-by: Michael Glembotzki
---
 core/swupdate.c                     | 44 ++++++++++++++++++++++++++---
 examples/configuration/swupdate.cfg |  3 ++
 include/swupdate.h                  |  1 +
 3 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/core/swupdate.c b/core/swupdate.c
index 6f9938e..5e03846 100644
--- a/core/swupdate.c
+++ b/core/swupdate.c
@@ -101,8 +101,11 @@ static struct option long_options[] = { {"forced-signer-name", required_argument, NULL, '2'}, #endif #endif -#ifdef CONFIG_ENCRYPTED_IMAGES +#if defined(CONFIG_ENCRYPTED_IMAGES) && !defined(CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION) {"key-aes", required_argument, NULL, 'K'}, +#endif +#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION + {"recip-keypair", required_argument, NULL, 'r'}, #endif {"loglevel", required_argument, NULL, 'l'}, {"max-version", required_argument, NULL, '3'}, @@ -162,9 +165,12 @@ static void usage(char *programname) " --ca-path : path to the Certificate Authority (PEM)\n" #endif #endif -#ifdef CONFIG_ENCRYPTED_IMAGES +#if defined(CONFIG_ENCRYPTED_IMAGES) && !defined(CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION) " -K, --key-aes : the file contains the symmetric key to be used\n" " to decrypt images\n" +#endif +#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION + " -r, --recip-keypair : path to the recipient keypair (PEM)\n" #endif " -n, --dry-run : run SWUpdate without installing the software\n" " -N, --no-downgrading : not install a release older as \n" @@ -310,8 +316,14 @@ static int read_globals_settings(void *elem, void *data) "public-key-file", sw->publickeyfname); GET_FIELD_STRING(LIBCFG_PARSER, elem, "ca-path", sw->publickeyfname); +#if defined(CONFIG_ENCRYPTED_IMAGES) && !defined(CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION) GET_FIELD_STRING(LIBCFG_PARSER, elem, "aes-key-file", sw->aeskeyfname); +#endif +#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION + GET_FIELD_STRING(LIBCFG_PARSER, elem, + "recip-keypair", sw->recipkeypairfname); +#endif GET_FIELD_STRING(LIBCFG_PARSER, elem, "mtd-blacklist", sw->mtdblacklist); GET_FIELD_STRING(LIBCFG_PARSER, elem, 
@@ -497,9 +509,12 @@ int main(int argc, char **argv) public_key_mandatory = 1; #endif #endif -#ifdef CONFIG_ENCRYPTED_IMAGES +#if defined(CONFIG_ENCRYPTED_IMAGES) && !defined(CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION) strcat(main_options, "K:"); #endif +#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION + strcat(main_options, "r:"); +#endif memset(fname, 0, sizeof(fname)); @@ -656,12 +671,19 @@ int main(int argc, char **argv) strlcpy(swcfg.maximum_version, optarg, sizeof(swcfg.maximum_version)); break; -#ifdef CONFIG_ENCRYPTED_IMAGES +#if defined(CONFIG_ENCRYPTED_IMAGES) && !defined(CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION) case 'K': strlcpy(swcfg.aeskeyfname, optarg, sizeof(swcfg.aeskeyfname)); break; +#endif +#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION + case 'r': + strlcpy(swcfg.recipkeypairfname, + optarg, + sizeof(swcfg.recipkeypairfname)); + break; #endif case 'N': swcfg.no_downgrading = true; @@ -842,6 +864,19 @@ int main(int argc, char **argv) mtd_set_ubiblacklist(swcfg.mtdblacklist); #endif +#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION + if (strlen(swcfg.recipkeypairfname)) { + if (swupdate_dgst_add_recipient_keypair(&swcfg, swcfg.recipkeypairfname)) { + fprintf(stderr, + "Error: Recipient keypair cannot be initialized.\n"); + exit(EXIT_FAILURE); + } + } else { + fprintf(stderr, + "Error: SWUpdate is built for asym encrypted images, provide a recipient key pair.\n"); + exit(EXIT_FAILURE); + } +#else /* * If an AES key is passed, load it to allow * to decrypt images @@ -853,6 +888,7 @@ int main(int argc, char **argv) exit(EXIT_FAILURE); } } +#endif lua_handlers_init(); diff --git a/examples/configuration/swupdate.cfg b/examples/configuration/swupdate.cfg index 8b8a6b1..8e2c8cb 100644 --- a/examples/configuration/swupdate.cfg +++ b/examples/configuration/swupdate.cfg 
@@ -25,6 +25,9 @@ # aes-key-file : string # file containing the symmetric key for # image decryption +# recip-keypair : string +# file containing the key pair (private key and cert) in PEM for +# asymmetric image decryption # preupdatecmd : string # command to be executed right before the update # is installed diff --git a/include/swupdate.h b/include/swupdate.h index c1f86b3..cdfb971 100644 --- a/include/swupdate.h +++ b/include/swupdate.h @@ -57,6 +57,7 @@ struct swupdate_cfg { char output[SWUPDATE_GENERAL_STRING_SIZE]; char publickeyfname[SWUPDATE_GENERAL_STRING_SIZE]; char aeskeyfname[SWUPDATE_GENERAL_STRING_SIZE]; + char recipkeypairfname[SWUPDATE_GENERAL_STRING_SIZE]; char postupdatecmd[SWUPDATE_GENERAL_STRING_SIZE]; char preupdatecmd[SWUPDATE_GENERAL_STRING_SIZE]; char minimum_version[SWUPDATE_GENERAL_STRING_SIZE];
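Review bot: the help text added in the usage() hunk describes -r only as "path to the recipient keypair (PEM)", while the swupdate.cfg comment in this same patch describes the file as holding "the key pair (private key and cert) in PEM"; aligning the usage string with that wording, e.g. `" -r, --recip-keypair : path to the recipient key pair (private key and cert, PEM)\n"`, tells operators up front that the file carries a private key and should be readable only by the user running swupdate.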
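Review bot: in the read_globals_settings() hunk, the `aes-key-file` setting is no longer parsed at all when CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION is defined, so a configuration file that still carries `aes-key-file` is silently ignored in an asymmetric build instead of being flagged. Consider keeping the GET_FIELD_STRING for `aes-key-file` in both builds and logging a warning when it is set together with `recip-keypair`, so an operator notices that the symmetric key is not in use.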
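Review bot: in the main() hunk that calls swupdate_dgst_add_recipient_keypair(), the else-branch message reads "SWUpdate is built for asym encrypted images", but the Kconfig symbol guarding it is CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION; naming the option (or "asymmetrically encrypted sw-description") in the message makes the startup failure map to the right build switch. The same branch makes -r mandatory in such a build (the process exits without it), yet the usage() text added earlier in this patch does not say so; a "(mandatory)" marker in the usage line, or a mention in the commit message, would keep the documented behaviour in step with the code.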
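Review bot: the swupdate.cfg comment for `recip-keypair` does not say that it replaces `aes-key-file` when SWUpdate is built with CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION and is then required by main(); one more comment line, e.g. `# (required when built with CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION; aes-key-file is then ignored)`, would keep the example configuration accurate. Since the file holds the private key, a reminder to restrict its file permissions fits here as well.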