[PATCH v2 0/3] binman: Add support for externally encrypted blobs

christian.taedcke-oss at weidmueller.com christian.taedcke-oss at weidmueller.com
Tue Jul 4 11:03:30 CEST 2023 

From: Christian Taedcke <christian.taedcke at weidmueller.com>

This series adds the functionality to handle externally encrypted
blobs to binman. It includes the functionality itself and the
corresponding unit tests.

The following block shows an example on how to use this functionality.
In the device tree that is parsed by binman a new node encrypted is
used:

/ {
	binman {
		filename = "u-boot.itb";
		fit {
			...
			images {
				some-bitstream {
					...
					image_bitstream: blob-ext {
						filename = "bitstream.bin";
					};
					encrypted {
						content = <&image_bitstream>;
						algo = "aes256-gcm";
						iv-filename = "bitstream.bin.iv";
						key-filename = "bitstream.bin.key";
					};
...

This results in an generated fit image containing the following
information:

\ {
	images {
	       ...
	       some-bitstream {
			...
			data = [...]
			cipher {
				algo = "aes256-gcm";
				key = <0x...>;
				iv = <0x...>;
			};
		};
...

Changes in v2:
- remove global /cipher node
- replace key-name-hint with key-source property
- add entry documentation
- adapt tests for changed entry implementation

Christian Taedcke (3):
  binman: Add support for externally encrypted blobs
  binman: Allow cipher node as special section
  binman: Add tests for etype encrypted

 tools/binman/etype/encrypted.py               | 149 ++++++++++++++++++
 tools/binman/etype/section.py                 |   2 +-
 tools/binman/ftest.py                         |  52 ++++++
 .../binman/test/282_encrypted_no_content.dts  |  15 ++
 tools/binman/test/283_encrypted_no_algo.dts   |  19 +++
 .../test/284_encrypted_invalid_iv_file.dts    |  23 +++
 .../binman/test/285_encrypted_missing_key.dts |  28 ++++
 .../binman/test/286_encrypted_key_source.dts  |  29 ++++
 tools/binman/test/287_encrypted_key_file.dts  |  29 ++++
 9 files changed, 345 insertions(+), 1 deletion(-)
 create mode 100644 tools/binman/etype/encrypted.py
 create mode 100644 tools/binman/test/282_encrypted_no_content.dts
 create mode 100644 tools/binman/test/283_encrypted_no_algo.dts
 create mode 100644 tools/binman/test/284_encrypted_invalid_iv_file.dts
 create mode 100644 tools/binman/test/285_encrypted_missing_key.dts
 create mode 100644 tools/binman/test/286_encrypted_key_source.dts
 create mode 100644 tools/binman/test/287_encrypted_key_file.dts

-- 
2.34.1

More information about the U-Boot mailing list