[0/3] binman: Add support for externally encrypted blobs

Message ID 20230627073931.11204-1-christian.taedcke-oss@weidmueller.com

Taedcke, Christian June 27, 2023, 7:39 a.m. UTC
From: Christian Taedcke <christian.taedcke@weidmueller.com>

This series adds the functionality to handle externally encrypted
blobs to binman. It includes the functionality itself and the
corresponding unit tests. The generated device tree structure is
similar to the structure used in the already implemented cipher node
in boot/image-cipher.c.

The following block shows an example of how to use this functionality.
In the device tree that is parsed by binman, a new node, encrypted, is
used:

/ {
	binman {
		filename = "u-boot.itb";
		fit {
			...
			images {
				some-bitstream {
					...
					image_bitstream: blob-ext {
						filename = "bitstream.bin";
					};
					encrypted {
						content = <&image_bitstream>;
						algo = "aes256-gcm";
						key-name-hint = "keyname";
						iv-filename = "bitstream.bin.iv";
						key-filename = "bitstream.bin.key";
					};
...

This results in a generated FIT image containing the following
information:

/ {
	cipher {
		key-aes256-gcm-keyname {
			key = <0x...>;
			iv = <0x...>;
		};
	};

	images {
		...
		some-bitstream {
			...
			data = [...]
			cipher {
				algo = "aes256-gcm";
				key-name-hint = "keyname";
			};
		};
...

Christian Taedcke (3):
  binman: Add support for externally encrypted blobs
  binman: Allow cipher node as special section
  binman: Add tests for etype encrypted

 tools/binman/etype/encrypted.py               | 98 +++++++++++++++++++
 tools/binman/etype/section.py                 |  2 +-
 tools/binman/ftest.py                         | 69 +++++++++++++
 .../binman/test/282_encrypted_no_content.dts  | 15 +++
 tools/binman/test/283_encrypted_no_algo.dts   | 19 ++++
 .../test/284_encrypted_invalid_iv_file.dts    | 22 +++++
 tools/binman/test/285_encrypted.dts           | 29 ++++++
 tools/binman/test/286_encrypted_key_file.dts  | 30 ++++++
 .../test/287_encrypted_iv_name_hint.dts       | 30 ++++++
 9 files changed, 313 insertions(+), 1 deletion(-)
 create mode 100644 tools/binman/etype/encrypted.py
 create mode 100644 tools/binman/test/282_encrypted_no_content.dts
 create mode 100644 tools/binman/test/283_encrypted_no_algo.dts
 create mode 100644 tools/binman/test/284_encrypted_invalid_iv_file.dts
 create mode 100644 tools/binman/test/285_encrypted.dts
 create mode 100644 tools/binman/test/286_encrypted_key_file.dts
 create mode 100644 tools/binman/test/287_encrypted_iv_name_hint.dts
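
The mapping from the binman "encrypted" node to the generated FIT /cipher node and per-image cipher subnode, as an added example in Python (binman's own language). This is not code from the series or from binman: the property names (content, algo, key-name-hint, iv-filename, key-filename) and the "key-<algo>-<key-name-hint>" node name are taken from the cover letter above, while the read_file callback, the AES key-length check, the optional key file and the conflict check for shared key nodes are assumptions of this example, as are the constructed sample files.

```python
"""Added example, not binman code: model the 'encrypted' -> FIT mapping
described in the cover letter and the checks a reviewer would expect."""
import re

# Key length implied by the "aesNNN-<mode>" algo name (assumption of this example).
AES_KEY_BYTES = {128: 16, 192: 24, 256: 32}


class EncryptedNodeError(ValueError):
    """Raised when an 'encrypted' node cannot be turned into FIT nodes."""


def parse_algo(algo):
    """Split e.g. 'aes256-gcm' into (256, 'gcm'); reject anything else."""
    m = re.fullmatch(r"aes(128|192|256)-(cbc|gcm)", algo)
    if not m:
        raise EncryptedNodeError(f"unsupported algo '{algo}'")
    return int(m.group(1)), m.group(2)


def expand_encrypted(node, read_file):
    """Turn one 'encrypted' node (dict of its properties) into
    (key_node_name, key_node_props, image_cipher_props).

    read_file(name) -> bytes stands in for binman's file lookup so the
    example runs offline; a missing file must raise OSError.
    """
    for prop in ("content", "algo", "key-name-hint", "iv-filename"):
        if prop not in node:
            raise EncryptedNodeError(f"'encrypted' node is missing '{prop}'")
    bits, _mode = parse_algo(node["algo"])

    try:
        iv = read_file(node["iv-filename"])
    except OSError as err:
        raise EncryptedNodeError(f"cannot read IV file: {err}") from err
    if not iv:
        raise EncryptedNodeError("IV file is empty")
    key_node = {"iv": iv}

    # Assumption: the key file is optional, so a key can be supplied by the
    # platform at runtime instead of travelling inside the FIT.
    if "key-filename" in node:
        key = read_file(node["key-filename"])
        if len(key) != AES_KEY_BYTES[bits]:
            raise EncryptedNodeError(
                f"key is {len(key)} bytes, {node['algo']} needs {AES_KEY_BYTES[bits]}")
        key_node["key"] = key

    key_node_name = f"key-{node['algo']}-{node['key-name-hint']}"
    image_cipher = {"algo": node["algo"], "key-name-hint": node["key-name-hint"]}
    return key_node_name, key_node, image_cipher


def build_fit(images, read_file):
    """images: {image_name: (content_bytes, encrypted_node_props)}.
    Returns a dict shaped like the generated FIT shown in the cover letter."""
    fit = {"cipher": {}, "images": {}}
    for name, (content, enc) in images.items():
        key_node_name, key_node, image_cipher = expand_encrypted(enc, read_file)
        # Two images may share a /cipher key node only if they agree on it.
        existing = fit["cipher"].get(key_node_name)
        if existing is not None and existing != key_node:
            raise EncryptedNodeError(f"conflicting definitions of {key_node_name}")
        fit["cipher"][key_node_name] = key_node
        fit["images"][name] = {"data": content, "cipher": image_cipher}
    return fit


# Constructed sample input standing in for the files named in the cover letter.
SAMPLE_FILES = {
    "bitstream.bin": b"\xde\xad\xbe\xef" * 8,  # the externally encrypted blob
    "bitstream.bin.iv": bytes(range(16)),
    "bitstream.bin.key": bytes(range(32)),
}

SAMPLE_IMAGES = {
    "some-bitstream": (
        SAMPLE_FILES["bitstream.bin"],
        {
            "content": "image_bitstream",
            "algo": "aes256-gcm",
            "key-name-hint": "keyname",
            "iv-filename": "bitstream.bin.iv",
            "key-filename": "bitstream.bin.key",
        },
    ),
}


def read_sample(name):
    """File lookup over the constructed sample set."""
    try:
        return SAMPLE_FILES[name]
    except KeyError:
        raise FileNotFoundError(name)


if __name__ == "__main__":
    fit = build_fit(SAMPLE_IMAGES, read_sample)
    for key_node, props in fit["cipher"].items():
        print(key_node, {k: v.hex() for k, v in props.items()})
    for img, props in fit["images"].items():
        print(img, props["cipher"])
```

The four failure paths (missing content, missing algo, unreadable IV file, key of the wrong length) correspond to the situations the series' test DTS names suggest; which of them binman actually reports, and how, is defined by the patches themselves, not by this model. Note also that a key written into the FIT's own /cipher node travels with the ciphertext it protects, so it gives no confidentiality against anyone who holds the FIT; leaving key-filename out keeps the key on the platform side.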