diff options
| author | Philippe Reynes <philippe.reynes@softathome.com> | 2020-09-17 15:01:46 +0200 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2020-10-12 21:30:37 -0400 |
| commit | a6982a6f768bdcf4bd0848ff4dbe68c2fd6599fb (patch) | |
| tree | e50accdcee18fc7e01b2df722022a2d4ed64d7e9 /tools | |
| parent | 34ca77c1e113d42a63f8ae21b41ec7f9f356c1de (diff) | |
| download | u-boot-a6982a6f768bdcf4bd0848ff4dbe68c2fd6599fb.zip u-boot-a6982a6f768bdcf4bd0848ff4dbe68c2fd6599fb.tar.gz u-boot-a6982a6f768bdcf4bd0848ff4dbe68c2fd6599fb.tar.bz2 | |
fit: cipher: aes: allow to store the IV in the FIT image
Binaries may be encrypted in a FIT image with AES. This
algo needs a key and an IV (Initialization Vector). The
IV is provided in a file (pointer by iv-name-hint in the
ITS file) when building the ITB file.
This commits adds provide an alternative way to manage
the IV. If the property iv-name-hint is not provided in
the ITS file, the tool mkimage will generate an random
IV and store it in the FIT image.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/image-host.c | 61 |
1 files changed, 49 insertions, 12 deletions
diff --git a/tools/image-host.c b/tools/image-host.c index 3d52593..8886bef 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -320,6 +320,36 @@ err: return ret; } +static int get_random_data(void *data, int size) +{ + unsigned char *tmp = data; + struct timespec date; + int i, ret = 0; + + if (!tmp) { + printf("%s: pointer data is NULL\n", __func__); + ret = -1; + goto out; + } + + ret = clock_gettime(CLOCK_MONOTONIC, &date); + if (ret < 0) { + printf("%s: clock_gettime has failed (err=%d, str=%s)\n", + __func__, ret, strerror(ret)); + goto out; + } + + srand(date.tv_nsec); + + for (i = 0; i < size; i++) { + *tmp = rand() & 0xff; + tmp++; + } + + out: + return ret; +} + static int fit_image_setup_cipher(struct image_cipher_info *info, const char *keydir, void *fit, const char *image_name, int image_noffset, @@ -345,13 +375,13 @@ static int fit_image_setup_cipher(struct image_cipher_info *info, goto out; } - /* Read the IV name */ + /* + * Read the IV name + * + * If this property is not provided then mkimage will generate + * a random IV and store it in the FIT image + */ info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL); - if (!info->ivname) { - printf("Can't get iv name for cipher in image '%s'\n", - image_name); - goto out; - } info->fit = fit; info->node_noffset = noffset; @@ -377,17 +407,23 @@ static int fit_image_setup_cipher(struct image_cipher_info *info, if (ret < 0) goto out; - /* Read the IV in the file */ - snprintf(filename, sizeof(filename), "%s/%s%s", - info->keydir, info->ivname, ".bin"); info->iv = malloc(info->cipher->iv_len); if (!info->iv) { printf("Can't allocate memory for iv\n"); ret = -1; goto out; } - ret = fit_image_read_data(filename, (unsigned char *)info->iv, - info->cipher->iv_len); + + if (info->ivname) { + /* Read the IV in the file */ + snprintf(filename, sizeof(filename), "%s/%s%s", + info->keydir, info->ivname, ".bin"); + ret = fit_image_read_data(filename, (unsigned char *)info->iv, + info->cipher->iv_len); + } else { + /* Generate an ramdom IV */ + ret = get_random_data((void *)info->iv, info->cipher->iv_len); + } out: return ret; @@ -453,9 +489,10 @@ fit_image_process_cipher(const char *keydir, void *keydest, void *fit, * Write the public key into the supplied FDT file; this might fail * several times, since we try signing with successively increasing * size values + * And, if needed, write the iv in the FIT file */ if (keydest) { - ret = info.cipher->add_cipher_data(&info, keydest); + ret = info.cipher->add_cipher_data(&info, keydest, fit, node_noffset); if (ret) { printf("Failed to add verification data for cipher '%s' in image '%s'\n", info.keyname, image_name); |