Message ID | 20230717070554.5544-1-christian.taedcke-oss@weidmueller.com |
---|---|
From | christian.taedcke-oss@weidmueller.com |
To | u-boot@lists.denx.de |
Cc | Christian Taedcke <christian.taedcke@weidmueller.com>, Alper Nebi Yasak <alpernebiyasak@gmail.com>, Ivan Mikhaylov <fr0st61te@gmail.com>, Jonas Karlman <jonas@kwiboo.se>, Simon Glass <sjg@chromium.org>, Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com> |
Subject | [PATCH v6 0/3] binman: Add support for externally encrypted blobs |
Date | Mon, 17 Jul 2023 09:05:51 +0200 |
X-Mailer | git-send-email 2.34.1 |
List-Id | U-Boot discussion <u-boot.lists.denx.de> |
List-Archive | <https://lists.denx.de/pipermail/u-boot/> |
Series | binman: Add support for externally encrypted blobs |
From: Christian Taedcke <christian.taedcke@weidmueller.com>

This series adds the functionality to handle externally encrypted blobs to binman. It includes the functionality itself and the corresponding unit tests.

The following block shows an example of how to use this functionality. In the device tree that is parsed by binman a new node 'encrypted' is used:

    / {
        binman {
            filename = "u-boot.itb";
            fit {
                ...
                images {
                    some-bitstream {
                        ...
                        image_bitstream: blob-ext {
                            filename = "bitstream.bin";
                        };
                        encrypted {
                            content = <&image_bitstream>;
                            algo = "aes256-gcm";
                            iv-filename = "bitstream.bin.iv";
                            key-filename = "bitstream.bin.key";
                        };
        ...

This results in a generated FIT image containing the following information:

    / {
        images {
            ...
            some-bitstream {
                ...
                data = [...]
                cipher {
                    algo = "aes256-gcm";
                    key = <0x...>;
                    iv = <0x...>;
                };
            };
        ...

I tried to rename the added entry to cipher or ciphered, but it did not work. The issue is that the 'cipher' node is added as a special section, so it appears in the created device tree. So any etype that starts with 'cipher' is not evaluated at all, because it is a special section, see etype/section.py methods IsSpecialSubnode() and ReadEntries().
Changes in v6:
- fix documentation of encrypted etype

Changes in v5:
- add comments to test functions
- encrypted entry now inherits from Entry
- remove unnecessary methods ObtainContents and ProcessContents

Changes in v4:
- fix failing test testEncryptedKeyFile

Changes in v3:
- rebase on u-boot-dm/mkim-working
- remove unnecessary test testEncryptedNoContent
- update doc for functions ObtainContents and ProcessContents
- update entries.rst
- wrap some lines at 80 cols

Changes in v2:
- adapt tests for changed entry implementation
- add entry documentation
- remove global /cipher node
- replace key-name-hint with key-source property

Christian Taedcke (3):
  binman: Add support for externally encrypted blobs
  binman: Allow cipher node as special section
  binman: Add tests for etype encrypted

 tools/binman/entries.rst                        |  86 +++++++++++
 tools/binman/etype/encrypted.py                 | 138 ++++++++++++++++++
 tools/binman/etype/section.py                   |   2 +-
 tools/binman/ftest.py                           |  58 ++++++++
 tools/binman/test/291_encrypted_no_algo.dts     |  15 ++
 .../test/292_encrypted_invalid_iv_file.dts      |  18 +++
 .../binman/test/293_encrypted_missing_key.dts   |  23 +++
 .../binman/test/294_encrypted_key_source.dts    |  24 +++
 tools/binman/test/295_encrypted_key_file.dts    |  24 +++
 9 files changed, 387 insertions(+), 1 deletion(-)
 create mode 100644 tools/binman/etype/encrypted.py
 create mode 100644 tools/binman/test/291_encrypted_no_algo.dts
 create mode 100644 tools/binman/test/292_encrypted_invalid_iv_file.dts
 create mode 100644 tools/binman/test/293_encrypted_missing_key.dts
 create mode 100644 tools/binman/test/294_encrypted_key_source.dts
 create mode 100644 tools/binman/test/295_encrypted_key_file.dts
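To make the mapping from the 'encrypted' binman node to the 'cipher' node in the generated FIT concrete, here is an added Python model. It is not binman's own tools/binman/etype/encrypted.py and is not part of this series; it follows the properties the cover letter shows (algo, iv-filename, key-filename) plus the key-source property named in the v2 changelog, and its validation rules (algo required, IV file readable, exactly one of key-filename or key-source) are assumptions modelled on the test names in the diffstat. It goes beyond the page in one place, an AES-256 key-length sanity check. The sample file contents and the key-source value are constructed placeholders. The point a practitioner should take from it: with key-filename the raw key material is written into the FIT itself, so the produced image must be handled as carefully as the key file.

```python
"""Model of what the binman 'encrypted' etype in this series does.

Added illustration, not binman's own tools/binman/etype/encrypted.py. It
follows the properties shown in the cover letter (algo, iv-filename,
key-filename) plus the key-source property named in the v2 changelog, and
emits the fields of the 'cipher' subnode that appears in the generated FIT.
Validation rules and error texts are assumptions modelled on the test names
in the diffstat (no_algo, invalid_iv_file, missing_key, key_source,
key_file); file contents are passed in as a dict so the model runs offline.
"""
from typing import Dict, Optional, Union

CipherNode = Dict[str, Union[str, bytes]]


def build_cipher_node(props: Dict[str, str], files: Dict[str, bytes]) -> CipherNode:
    """Return the properties of the FIT 'cipher' node for one 'encrypted' entry.

    props: properties of the 'encrypted' binman node
    files: filename -> contents, standing in for the files binman would read
    """
    algo = props.get("algo")
    if not algo:
        raise ValueError("'encrypted' entry is missing property 'algo'")

    iv_name = props.get("iv-filename")
    if not iv_name:
        raise ValueError("'encrypted' entry is missing property 'iv-filename'")
    if iv_name not in files:
        raise ValueError(f"'encrypted' entry: IV file '{iv_name}' cannot be read")

    key_file = props.get("key-filename")
    key_source = props.get("key-source")
    # Assumption: exactly one of the two key properties is allowed, matching
    # the separate key_source and key_file test cases and the missing_key case.
    if not key_file and not key_source:
        raise ValueError("'encrypted' entry needs 'key-filename' or 'key-source'")
    if key_file and key_source:
        raise ValueError("'encrypted' entry may have only one of 'key-filename' and 'key-source'")

    node: CipherNode = {"algo": algo, "iv": files[iv_name]}
    if key_file:
        if key_file not in files:
            raise ValueError(f"'encrypted' entry: key file '{key_file}' cannot be read")
        key = files[key_file]
        # Added sanity check beyond the page: AES-256 needs a 32-byte key.
        if algo.startswith("aes256") and len(key) != 32:
            raise ValueError(f"{algo} needs a 32-byte key, got {len(key)} bytes")
        # With key-filename the raw key material is written into the FIT
        # itself, so the generated image is as sensitive as the key file.
        node["key"] = key
    else:
        # key-source only names where the device finds the key; no key
        # material is embedded (assumption about the property's purpose).
        node["key-source"] = key_source
    return node


def validate(props: Dict[str, str], files: Dict[str, bytes]) -> Optional[str]:
    """Return None if the entry is acceptable, else the error message."""
    try:
        build_cipher_node(props, files)
    except ValueError as err:
        return str(err)
    return None


def to_dts(node: CipherNode) -> str:
    """Render the cipher node as DTS text, in the shape the cover letter shows.

    Byte values are rendered as a DTS byte array; the exact encoding binman
    emits is not shown verbatim on the page.
    """
    lines = ["cipher {"]
    for name, value in node.items():
        if isinstance(value, bytes):
            hexbytes = " ".join(f"{b:02x}" for b in value)
            lines.append(f"\t{name} = [{hexbytes}];")
        else:
            lines.append(f'\t{name} = "{value}";')
    lines.append("};")
    return "\n".join(lines)


# Constructed sample inputs standing in for bitstream.bin.iv / bitstream.bin.key.
SAMPLE_FILES: Dict[str, bytes] = {
    "bitstream.bin.iv": bytes(range(12)),
    "bitstream.bin.key": bytes(range(32)),
}

KEY_FILE_ENTRY = {
    "algo": "aes256-gcm",
    "iv-filename": "bitstream.bin.iv",
    "key-filename": "bitstream.bin.key",
}

KEY_SOURCE_ENTRY = {
    "algo": "aes256-gcm",
    "iv-filename": "bitstream.bin.iv",
    "key-source": "example-key-source",  # constructed placeholder value
}

if __name__ == "__main__":
    print(to_dts(build_cipher_node(KEY_FILE_ENTRY, SAMPLE_FILES)))
    print(to_dts(build_cipher_node(KEY_SOURCE_ENTRY, SAMPLE_FILES)))
    print(validate({"iv-filename": "bitstream.bin.iv",
                    "key-filename": "bitstream.bin.key"}, SAMPLE_FILES))
```

Running the module prints the two cipher nodes side by side: the key-filename variant carries the key bytes in the node, the key-source variant carries only a string, which is the difference that decides whether the FIT itself becomes key material to protect.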