[PATCH v4 0/3] binman: Add support for externally encrypted blobs

christian.taedcke-oss at weidmueller.com christian.taedcke-oss at weidmueller.com
Mon Jul 10 11:25:51 CEST 2023


From: Christian Taedcke <christian.taedcke at weidmueller.com>

This series adds the functionality to handle externally encrypted
blobs to binman. It includes the functionality itself and the
corresponding unit tests.

The following block shows an example on how to use this functionality.
In the device tree that is parsed by binman a new node encrypted is
used:

/ {
	binman {
		filename = "u-boot.itb";
		fit {
			...
			images {
				some-bitstream {
					...
					image_bitstream: blob-ext {
						filename = "bitstream.bin";
					};
					encrypted {
						content = <&image_bitstream>;
						algo = "aes256-gcm";
						iv-filename = "bitstream.bin.iv";
						key-filename = "bitstream.bin.key";
					};
...

This results in an generated fit image containing the following
information:

\ {
	images {
	       ...
	       some-bitstream {
			...
			data = [...]
			cipher {
				algo = "aes256-gcm";
				key = <0x...>;
				iv = <0x...>;
			};
		};
...

Changes in v4:
- fix failing test testEncryptedKeyFile

Changes in v3:
- rebase on u-boot-dm/mkim-working
- remove unnecessary test testEncryptedNoContent
- update doc for functions ObtainContents and ProcessContents
- update entries.rst
- wrap some lines at 80 cols

Changes in v2:
- adapt tests for changed entry implementation
- add entry documentation
- remove global /cipher node
- replace key-name-hint with key-source property

Christian Taedcke (3):
  binman: Add support for externally encrypted blobs
  binman: Allow cipher node as special section
  binman: Add tests for etype encrypted

 tools/binman/entries.rst                      |  88 ++++++++++
 tools/binman/etype/encrypted.py               | 157 ++++++++++++++++++
 tools/binman/etype/section.py                 |   2 +-
 tools/binman/ftest.py                         |  53 ++++++
 tools/binman/test/291_encrypted_no_algo.dts   |  19 +++
 .../test/292_encrypted_invalid_iv_file.dts    |  23 +++
 .../binman/test/293_encrypted_missing_key.dts |  28 ++++
 .../binman/test/294_encrypted_key_source.dts  |  29 ++++
 tools/binman/test/295_encrypted_key_file.dts  |  29 ++++
 9 files changed, 427 insertions(+), 1 deletion(-)
 create mode 100644 tools/binman/etype/encrypted.py
 create mode 100644 tools/binman/test/291_encrypted_no_algo.dts
 create mode 100644 tools/binman/test/292_encrypted_invalid_iv_file.dts
 create mode 100644 tools/binman/test/293_encrypted_missing_key.dts
 create mode 100644 tools/binman/test/294_encrypted_key_source.dts
 create mode 100644 tools/binman/test/295_encrypted_key_file.dts

-- 
2.34.1



More information about the U-Boot mailing list