[PATCH v3 3/3] tools: binman: Add tests for FIT with data encrypted by mkimage
Simon Glass
sjg at chromium.org
Wed Nov 20 14:35:49 CET 2024
On Wed, 20 Nov 2024 at 03:09, Paul HENRYS
<paul.henrys_ext at softathome.com> wrote:
>
> Test the property 'fit,keys-directory' which, when a cipher node is
> present, encrypts the data stored in the FIT.
>
> Signed-off-by: Paul HENRYS <paul.henrys_ext at softathome.com>
> ---
> Changes for v3:
> - Write out IV in full for clarity as requested
> - Do not replace the null byte but use fdt_util.GetString() instead
> - Adapt the tests for the FIT data encryption to create a file with the content
> of the AES key in the working directory and pass the path to binman
>
> tools/binman/ftest.py | 45 +++++++++++++++
> tools/binman/test/343_fit_encrypt_data.dts | 53 ++++++++++++++++++
> .../test/344_fit_encrypt_data_no_key.dts | 53 ++++++++++++++++++
> tools/binman/test/aes256.bin | Bin 0 -> 32 bytes
> 4 files changed, 151 insertions(+)
> create mode 100644 tools/binman/test/343_fit_encrypt_data.dts
> create mode 100644 tools/binman/test/344_fit_encrypt_data_no_key.dts
> create mode 100644 tools/binman/test/aes256.bin
Reviewed-by: Simon Glass <sjg at chromium.org>
>
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> index adab65e579..b19b0cc5b3 100644
> --- a/tools/binman/ftest.py
> +++ b/tools/binman/ftest.py
> @@ -7900,5 +7900,50 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
> extra_indirs=[test_subdir])[0]
>
>
> + def testSimpleFitEncryptedData(self):
> + """Test an image with a FIT containing data to be encrypted"""
> + data = tools.read_file(self.TestFile("aes256.bin"))
> + self._MakeInputFile("keys/aes256.bin", data)
> +
> + keys_subdir = os.path.join(self._indir, "keys")
> + data = self._DoReadFileDtb(
> + '343_fit_encrypt_data.dts',
> + extra_indirs=[keys_subdir])[0]
> +
> + fit = fdt.Fdt.FromData(data)
> + fit.Scan()
> +
> + # Extract the encrypted data and the Initialization Vector from the FIT
> + node = fit.GetNode('/images/u-boot')
> + subnode = fit.GetNode('/images/u-boot/cipher')
> + data_size_unciphered = int.from_bytes(fit.GetProps(node)['data-size-unciphered'].bytes,
> + byteorder='big')
> + self.assertEqual(data_size_unciphered, len(U_BOOT_NODTB_DATA))
> +
> + # Retrieve the key name from the FIT removing any null byte
> + key_name = fit.GetProps(subnode)['key-name-hint'].bytes.replace(b'\x00', b'')
> + with open(self.TestFile(key_name.decode('ascii') + '.bin'), 'rb') as file:
> + key = file.read()
> + iv = fit.GetProps(subnode)['iv'].bytes.hex()
> + enc_data = fit.GetProps(node)['data'].bytes
> + outdir = tools.get_output_dir()
> + enc_data_file = os.path.join(outdir, 'encrypted_data.bin')
> + tools.write_file(enc_data_file, enc_data)
> + data_file = os.path.join(outdir, 'data.bin')
> +
> + # Decrypt the encrypted data from the FIT and compare the data
> + tools.run('openssl', 'enc', '-aes-256-cbc', '-nosalt', '-d', '-in',
> + enc_data_file, '-out', data_file, '-K', key.hex(), '-iv', iv)
> + with open(data_file, 'r') as file:
> + dec_data = file.read()
> + self.assertEqual(U_BOOT_NODTB_DATA, dec_data.encode('ascii'))
> +
> + def testSimpleFitEncryptedDataMissingKey(self):
> + """Test an image with a FIT containing data to be encrypted but with a missing key"""
> + with self.assertRaises(ValueError) as e:
> + self._DoReadFile('344_fit_encrypt_data_no_key.dts')
> +
> + self.assertIn("Filename 'aes256.bin' not found in input path", str(e.exception))
> +
> if __name__ == "__main__":
> unittest.main()
> diff --git a/tools/binman/test/343_fit_encrypt_data.dts b/tools/binman/test/343_fit_encrypt_data.dts
> new file mode 100644
> index 0000000000..90e504979b
> --- /dev/null
> +++ b/tools/binman/test/343_fit_encrypt_data.dts
> @@ -0,0 +1,53 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +
> +/ {
> + #address-cells = <1>;
> + #size-cells = <1>;
> +
> + binman {
> + fit {
> + fit,keys-directory;
> + description = "Test a FIT with encrypted data";
> + #address-cells = <1>;
> +
> + images {
> + u-boot {
> + description = "U-Boot";
> + type = "firmware";
> + arch = "arm64";
> + os = "U-Boot";
> + compression = "none";
> + load = <00000000>;
> + entry = <00000000>;
> + cipher {
> + algo = "aes256";
> + key-name-hint = "aes256";
> + };
> + u-boot-nodtb {
> + };
> + };
> + fdt-1 {
> + description = "Flattened Device Tree blob";
> + type = "flat_dt";
> + arch = "arm64";
> + compression = "none";
> + cipher {
> + algo = "aes256";
> + key-name-hint = "aes256";
> + };
> + };
> + };
> +
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + description = "Boot U-Boot with FDT blob";
> + firmware = "u-boot";
> + fdt = "fdt-1";
> + };
> + };
> + };
> + };
> +};
> diff --git a/tools/binman/test/344_fit_encrypt_data_no_key.dts b/tools/binman/test/344_fit_encrypt_data_no_key.dts
> new file mode 100644
> index 0000000000..90e504979b
> --- /dev/null
> +++ b/tools/binman/test/344_fit_encrypt_data_no_key.dts
> @@ -0,0 +1,53 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +
> +/ {
> + #address-cells = <1>;
> + #size-cells = <1>;
> +
> + binman {
> + fit {
> + fit,keys-directory;
> + description = "Test a FIT with encrypted data";
> + #address-cells = <1>;
> +
> + images {
> + u-boot {
> + description = "U-Boot";
> + type = "firmware";
> + arch = "arm64";
> + os = "U-Boot";
> + compression = "none";
> + load = <00000000>;
> + entry = <00000000>;
> + cipher {
> + algo = "aes256";
> + key-name-hint = "aes256";
> + };
> + u-boot-nodtb {
> + };
> + };
> + fdt-1 {
> + description = "Flattened Device Tree blob";
> + type = "flat_dt";
> + arch = "arm64";
> + compression = "none";
> + cipher {
> + algo = "aes256";
> + key-name-hint = "aes256";
> + };
> + };
> + };
> +
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + description = "Boot U-Boot with FDT blob";
> + firmware = "u-boot";
> + fdt = "fdt-1";
> + };
> + };
> + };
> + };
> +};
> diff --git a/tools/binman/test/aes256.bin b/tools/binman/test/aes256.bin
> new file mode 100644
> index 0000000000000000000000000000000000000000..09b8bf6254ada5c084039f32916bc7d30233bb2c
> GIT binary patch
> literal 32
> ncmXpsGBz<aGq<obNK8sjNli=7$jr*l$<50zC at d;2DJ=s4pC}7U
>
> literal 0
> HcmV?d00001
>
> --
> 2.43.0
[..]
More information about the U-Boot
mailing list