[PATCH v7 0/3] binman: Add support for externally encrypted blobs

christian.taedcke-oss at weidmueller.com christian.taedcke-oss at weidmueller.com
Mon Jul 24 08:53:40 CEST 2023 

From: Christian Taedcke <christian.taedcke at weidmueller.com>

This series adds the functionality to handle externally encrypted
blobs to binman. It includes the functionality itself and the
corresponding unit tests.

The following block shows an example on how to use this functionality.
In the device tree that is parsed by binman a new node encrypted is
used:

/ {
	binman {
		filename = "u-boot.itb";
		fit {
			...
			images {
				some-bitstream {
					...
					image_bitstream: blob-ext {
						filename = "bitstream.bin";
					};
					encrypted {
						content = <&image_bitstream>;
						algo = "aes256-gcm";
						iv-filename = "bitstream.bin.iv";
						key-filename = "bitstream.bin.key";
					};
...

This results in an generated fit image containing the following
information:

\ {
	images {
	       ...
	       some-bitstream {
			...
			data = [...]
			cipher {
				algo = "aes256-gcm";
				key = <0x...>;
				iv = <0x...>;
			};
		};
...

I tried to rename the added entry to cipher or ciphered, but it did
not work. The issue is that the 'cipher' node is added as a special
section, so it appears in the created device tree.
So any etype that starts with 'cipher' is not evaluated at all,
because it is a special section, see etype/section.py methods
IsSpecialSubnode() and ReadEntries().

Changes in v7:
- add revieved-by to all commits
- rebase on master

Changes in v6:
- fix documentation of encrypted etype

Changes in v5:
- add comments to test functions
- encrypted entry now inherits from Entry
- remove unnecessary methods ObtainContents and ProcessContents

Changes in v4:
- fix failing test testEncryptedKeyFile

Changes in v3:
- rebase on u-boot-dm/mkim-working
- remove unnecessary test testEncryptedNoContent
- update doc for functions ObtainContents and ProcessContents
- update entries.rst
- wrap some lines at 80 cols

Changes in v2:
- adapt tests for changed entry implementation
- add entry documentation
- remove global /cipher node
- replace key-name-hint with key-source property

Christian Taedcke (3):
  binman: Add support for externally encrypted blobs
  binman: Allow cipher node as special section
  binman: Add tests for etype encrypted

 tools/binman/entries.rst                      |  86 +++++++++++
 tools/binman/etype/encrypted.py               | 138 ++++++++++++++++++
 tools/binman/etype/section.py                 |   2 +-
 tools/binman/ftest.py                         |  58 ++++++++
 tools/binman/test/291_encrypted_no_algo.dts   |  15 ++
 .../test/292_encrypted_invalid_iv_file.dts    |  18 +++
 .../binman/test/293_encrypted_missing_key.dts |  23 +++
 .../binman/test/294_encrypted_key_source.dts  |  24 +++
 tools/binman/test/295_encrypted_key_file.dts  |  24 +++
 9 files changed, 387 insertions(+), 1 deletion(-)
 create mode 100644 tools/binman/etype/encrypted.py
 create mode 100644 tools/binman/test/291_encrypted_no_algo.dts
 create mode 100644 tools/binman/test/292_encrypted_invalid_iv_file.dts
 create mode 100644 tools/binman/test/293_encrypted_missing_key.dts
 create mode 100644 tools/binman/test/294_encrypted_key_source.dts
 create mode 100644 tools/binman/test/295_encrypted_key_file.dts

-- 
2.34.1

More information about the U-Boot mailing list