[PATCH v3 3/3] tools: binman: Add tests for FIT with data encrypted by mkimage
Paul HENRYS
paul.henrys_ext at softathome.com
Wed Nov 20 11:09:11 CET 2024
Test the property 'fit,keys-directory' which, when a cipher node is
present, encrypts the data stored in the FIT.
Signed-off-by: Paul HENRYS <paul.henrys_ext at softathome.com>
---
Changes for v3:
- Write out IV in full for clarity as requested
- Do not replace the null byte but use fdt_util.GetString() instead
- Adapt the tests for the FIT data encryption to create a file with the content
of the AES key in the working directory and pass the path to binman
tools/binman/ftest.py | 45 +++++++++++++++
tools/binman/test/343_fit_encrypt_data.dts | 53 ++++++++++++++++++
.../test/344_fit_encrypt_data_no_key.dts | 53 ++++++++++++++++++
tools/binman/test/aes256.bin | Bin 0 -> 32 bytes
4 files changed, 151 insertions(+)
create mode 100644 tools/binman/test/343_fit_encrypt_data.dts
create mode 100644 tools/binman/test/344_fit_encrypt_data_no_key.dts
create mode 100644 tools/binman/test/aes256.bin
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index adab65e579..b19b0cc5b3 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -7900,5 +7900,50 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
extra_indirs=[test_subdir])[0]
+ def testSimpleFitEncryptedData(self):
+ """Test an image with a FIT containing data to be encrypted"""
+ data = tools.read_file(self.TestFile("aes256.bin"))
+ self._MakeInputFile("keys/aes256.bin", data)
+
+ keys_subdir = os.path.join(self._indir, "keys")
+ data = self._DoReadFileDtb(
+ '343_fit_encrypt_data.dts',
+ extra_indirs=[keys_subdir])[0]
+
+ fit = fdt.Fdt.FromData(data)
+ fit.Scan()
+
+ # Extract the encrypted data and the Initialization Vector from the FIT
+ node = fit.GetNode('/images/u-boot')
+ subnode = fit.GetNode('/images/u-boot/cipher')
+ data_size_unciphered = int.from_bytes(fit.GetProps(node)['data-size-unciphered'].bytes,
+ byteorder='big')
+ self.assertEqual(data_size_unciphered, len(U_BOOT_NODTB_DATA))
+
+ # Retrieve the key name from the FIT removing any null byte
+ key_name = fit.GetProps(subnode)['key-name-hint'].bytes.replace(b'\x00', b'')
+ with open(self.TestFile(key_name.decode('ascii') + '.bin'), 'rb') as file:
+ key = file.read()
+ iv = fit.GetProps(subnode)['iv'].bytes.hex()
+ enc_data = fit.GetProps(node)['data'].bytes
+ outdir = tools.get_output_dir()
+ enc_data_file = os.path.join(outdir, 'encrypted_data.bin')
+ tools.write_file(enc_data_file, enc_data)
+ data_file = os.path.join(outdir, 'data.bin')
+
+ # Decrypt the encrypted data from the FIT and compare the data
+ tools.run('openssl', 'enc', '-aes-256-cbc', '-nosalt', '-d', '-in',
+ enc_data_file, '-out', data_file, '-K', key.hex(), '-iv', iv)
+ with open(data_file, 'r') as file:
+ dec_data = file.read()
+ self.assertEqual(U_BOOT_NODTB_DATA, dec_data.encode('ascii'))
+
+ def testSimpleFitEncryptedDataMissingKey(self):
+ """Test an image with a FIT containing data to be encrypted but with a missing key"""
+ with self.assertRaises(ValueError) as e:
+ self._DoReadFile('344_fit_encrypt_data_no_key.dts')
+
+ self.assertIn("Filename 'aes256.bin' not found in input path", str(e.exception))
+
if __name__ == "__main__":
unittest.main()
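Review bot: The decrypted output is read back in text mode at `with open(data_file, 'r') as file:` and then re-encoded with `.encode('ascii')`, which only works because U_BOOT_NODTB_DATA happens to be ASCII; newline translation or any non-ASCII byte in the plaintext would make the comparison fail for the wrong reason. Read it as bytes, as the key already is a few lines earlier, and compare directly: `dec_data = tools.read_file(data_file)` followed by `self.assertEqual(U_BOOT_NODTB_DATA, dec_data)`. The v3 changelog says the null-byte stripping was replaced by fdt_util.GetString(), but `key_name = fit.GetProps(subnode)['key-name-hint'].bytes.replace(b'\x00', b'')` still does the replace, so either the code or the changelog is stale. The test also only verifies the u-boot image although 343_fit_encrypt_data.dts attaches a cipher node to fdt-1 as well; asserting that /images/fdt-1 carries data-size-unciphered and an iv too would cover the second path.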
diff --git a/tools/binman/test/343_fit_encrypt_data.dts b/tools/binman/test/343_fit_encrypt_data.dts
new file mode 100644
index 0000000000..90e504979b
--- /dev/null
+++ b/tools/binman/test/343_fit_encrypt_data.dts
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ fit {
+ fit,keys-directory;
+ description = "Test a FIT with encrypted data";
+ #address-cells = <1>;
+
+ images {
+ u-boot {
+ description = "U-Boot";
+ type = "firmware";
+ arch = "arm64";
+ os = "U-Boot";
+ compression = "none";
+ load = <00000000>;
+ entry = <00000000>;
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ u-boot-nodtb {
+ };
+ };
+ fdt-1 {
+ description = "Flattened Device Tree blob";
+ type = "flat_dt";
+ arch = "arm64";
+ compression = "none";
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ };
+ };
+
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ description = "Boot U-Boot with FDT blob";
+ firmware = "u-boot";
+ fdt = "fdt-1";
+ };
+ };
+ };
+ };
+};
diff --git a/tools/binman/test/344_fit_encrypt_data_no_key.dts b/tools/binman/test/344_fit_encrypt_data_no_key.dts
new file mode 100644
index 0000000000..90e504979b
--- /dev/null
+++ b/tools/binman/test/344_fit_encrypt_data_no_key.dts
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ fit {
+ fit,keys-directory;
+ description = "Test a FIT with encrypted data";
+ #address-cells = <1>;
+
+ images {
+ u-boot {
+ description = "U-Boot";
+ type = "firmware";
+ arch = "arm64";
+ os = "U-Boot";
+ compression = "none";
+ load = <00000000>;
+ entry = <00000000>;
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ u-boot-nodtb {
+ };
+ };
+ fdt-1 {
+ description = "Flattened Device Tree blob";
+ type = "flat_dt";
+ arch = "arm64";
+ compression = "none";
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ };
+ };
+
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ description = "Boot U-Boot with FDT blob";
+ firmware = "u-boot";
+ fdt = "fdt-1";
+ };
+ };
+ };
+ };
+};
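Review bot: 344_fit_encrypt_data_no_key.dts is a byte-for-byte copy of 343_fit_encrypt_data.dts — both index lines carry the same blob id 90e504979b — and the missing-key behaviour is produced solely by testSimpleFitEncryptedDataMissingKey not supplying the keys directory, not by anything in this file. Either drop the file and point the test at `'343_fit_encrypt_data.dts'`, or, if binman's one-dts-per-test convention is preferred, change `description = "Test a FIT with encrypted data";` to say that the key is expected to be missing so the file documents its own purpose.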
diff --git a/tools/binman/test/aes256.bin b/tools/binman/test/aes256.bin
new file mode 100644
index 0000000000000000000000000000000000000000..09b8bf6254ada5c084039f32916bc7d30233bb2c
GIT binary patch
literal 32
ncmXpsGBz<aGq<obNK8sjNli=7$jr*l$<50zC at d;2DJ=s4pC}7U
literal 0
HcmV?d00001
--
2.43.0