Message ID | 20190318110817.10099-1-sbabic@denx.de |
---|---|
State | Changes Requested |
Series | [meta-swupdate] Add class to encrypt (AES-CBC) an artifact |

Hi Stefano,

Thanks for posting this, it works for me.

I suggest the following:
- Update the README to explain how this would be used including the expected format of the AES file.
- Change SWU_AES_FILE variable name to SWUPDATE_AES_FILE to be consistent with naming for other Yocto variables.
- Perhaps add a zero length to the key/iv/salt variables in swu_encrypt_file to help pick up an incorrect file format in SWU_AES_FILE.

Regards
Austin

On 29/03/19 06:31, austin.phillips via swupdate wrote:
> Hi Stefano,
>
> Thanks for posting this, it works for me.

Ok - you can reply to the patches adding your "Tested-by".

>
> I suggest the following:
> - Update the README to explain how this would be used including the expected format of the AES file.

Sure

> - Change SWU_AES_FILE variable name to SWUPDATE_AES_FILE to be consistent with naming for other Yocto variables.

Agree

> - Perhaps add a zero length to the key/iv/salt variables in swu_encrypt_file to help pick up an incorrect file format in SWU_AES_FILE.
>

I will send a V2.

Best regards,
Stefano Babic

diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass new file mode 100644 index 0000000..3136f8e --- /dev/null +++ b/classes/swupdate-enc.bbclass @@ -0,0 +1,22 @@ +# +# The key must be generated as described in doc +# with +# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 +# The file is in the format +# salt= +# key= +# iv= +# parameters: $1 = input file, $2 = output file +swu_encrypt_file() { + input=$1 + output=$2 + key=`cat ${SWU_AES_FILE} | grep ^key | cut -d '=' -f 2` + iv=`cat ${SWU_AES_FILE} | grep ^iv | cut -d '=' -f 2` + salt=`cat ${SWU_AES_FILE} | grep ^salt | cut -d '=' -f 2` + openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt} +} + +CONVERSIONTYPES += "enc" + +CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" +CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc"
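
Review bot: In swu_encrypt_file, `key`, `iv` and `salt` go straight from the grep/cut pipelines into the `openssl enc` call with no check that any of them is non-empty, so a missing or malformed SWU_AES_FILE reaches openssl with empty `-K`, `-iv` or `-S` arguments instead of stopping the build with a clear message. Test each of the three for an empty value before the openssl line and abort the task if one is missing (for example with `bbfatal`), anchor the patterns on `^key=`, `^iv=` and `^salt=` so that only the exact field names match, and quote `${SWU_AES_FILE}`, `${input}` and `${output}`. The IV is also read from the same file for every conversion, so every artifact built with this class is encrypted under one key/IV pair; with CBC that reveals when two artifacts begin with identical blocks, which deserves at least a line in the header comment.
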
This adds a new conversion type (enc) to encrypt during the build an artifact.

Add to your image recipe :

IMAGE_FSTYPES += ".enc"

SWUpdate supports encryption of compressed images. You can add the FSTYPE to your last filesystem type, for example ".ext4.gz.enc" is a valid value.

Signed-off-by: Stefano Babic <sbabic@denx.de>

---
 classes/swupdate-enc.bbclass | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 classes/swupdate-enc.bbclass