Message ID | 20190402144450.31305-1-sbabic@denx.de |
---|---|
State | Accepted |
Series | [V2] Add class to encrypt (AES-CBC) an artifact |
On Wednesday, 3 April 2019 01:44:57 UTC+11, Stefano Babic wrote: > This adds a new conversion type (enc) to encrypt during the build an > artifact. > > Add to your image recipe : > > IMAGE_FSTYPES += ".enc" > > SWUpdate supports encryption of compressed images. You can add the > FSTYPE to your last filesystem type, for example ".ext4.gz.enc" is a > valid value. > > Signed-off-by: Stefano Babic <sbabic@denx.de> > --- > classes/swupdate-enc.bbclass | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) > create mode 100644 classes/swupdate-enc.bbclass > > diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass > new file mode 100644 > index 0000000..5e3fe79 > --- /dev/null > +++ b/classes/swupdate-enc.bbclass > @@ -0,0 +1,25 @@ > +# > +# The key must be generated as described in doc > +# with > +# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 > +# The file is in the format > +# salt= > +# key= > +# iv= > +# parameters: $1 = input file, $2 = output file > +swu_encrypt_file() { > + input=$1 > + output=$2 > + key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2` > + iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2` > + salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2` > + if [ -z ${salt} ] || [ -z ${key} ] || [ -z {iv} ];then > + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" > + fi > + openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt} > +} > + > +CONVERSIONTYPES += "enc" > + > +CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" > +CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc" > -- > 2.17.1 Tested-by: Austin Phillips <austin.phillips@planetinnovation.com.au> Regards, Austin
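Review bot: swu_encrypt_file hands the raw key to openssl as a command-line argument (`-K ${key}`) and reuses the single iv= value from SWUPDATE_AES_FILE for every artifact it converts. An argument is visible in the build host's process list while openssl runs, and with CBC a fixed key and IV means two images that begin with the same blocks produce the same leading ciphertext blocks. The header comment should state that the key and IV are shared by all artifacts built with the same SWUPDATE_AES_FILE, and that the file has to be protected like any other signing or encryption secret on the build host.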
diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass new file mode 100644 index 0000000..5e3fe79 --- /dev/null +++ b/classes/swupdate-enc.bbclass @@ -0,0 +1,25 @@ +# +# The key must be generated as described in doc +# with +# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 +# The file is in the format +# salt= +# key= +# iv= +# parameters: $1 = input file, $2 = output file +swu_encrypt_file() { + input=$1 + output=$2 + key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2` + iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2` + salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2` + if [ -z ${salt} ] || [ -z ${key} ] || [ -z {iv} ];then + bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" + fi + openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt} +} + +CONVERSIONTYPES += "enc" + +CONVERSION_DEPENDS_enc = "openssl-native coreutils-native" +CONVERSION_CMD_enc="swu_encrypt_file ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.enc"
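Review bot: The emptiness check in swu_encrypt_file tests `[ -z {iv} ]` without the `$`, so it evaluates the literal string "{iv}", which is never empty; a key file with a missing or empty iv= line passes the check and reaches the openssl call with no IV value. Change it to `[ -z "${iv}" ]`, and quote `"${salt}"` and `"${key}"` in the same test so that an empty value is passed to `[` as an empty argument instead of being dropped. The `grep ^key` and `grep ^iv` patterns would also be safer anchored as `^key=` and `^iv=`, since any other line starting with those letters ends up in the extracted value.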
This adds a new conversion type (enc) to encrypt an artifact during the build.

Add to your image recipe:

IMAGE_FSTYPES += ".enc"

SWUpdate supports encryption of compressed images. You can add the FSTYPE to your last filesystem type, for example ".ext4.gz.enc" is a valid value.

Signed-off-by: Stefano Babic <sbabic@denx.de>
---
classes/swupdate-enc.bbclass | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 classes/swupdate-enc.bbclass