[PATCH v3 1/3] aes: Allow to store randomly generated IV in the FIT

Simon Glass sjg at chromium.org
Wed Nov 20 14:35:47 CET 2024


Hi Paul,

On Wed, 20 Nov 2024 at 03:09, Paul HENRYS
<paul.henrys_ext at softathome.com> wrote:
>
> When the initialisation vector is randomly generated, its value shall be
> stored in the FIT together with the encrypted data. The changes allow to
> store the IV in the FIT also in the case where the key is not stored in
> the DTB but retrieved somewhere else at runtime.
>
> Signed-off-by: Paul HENRYS <paul.henrys_ext at softathome.com>
> ---
>  lib/aes/aes-encrypt.c | 7 +++++++
>  tools/image-host.c    | 2 +-
>  2 files changed, 8 insertions(+), 1 deletion(-)
>

I see that struct cipher_algo does not have a function comment for
add_cipher_data(), so it is not clear that keydest can be NULL, etc.
Can you please add one?

Otherwise this seems good to me.

> diff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c
> index e74e35eaa2..90e1407b4f 100644
> --- a/lib/aes/aes-encrypt.c
> +++ b/lib/aes/aes-encrypt.c
> @@ -84,6 +84,13 @@ int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest,
>         char name[128];
>         int ret = 0;
>
> +       if (!keydest && !info->ivname) {
> +               /* At least, store the IV in the FIT image */
> +               ret = fdt_setprop(fit, node_noffset, "iv",
> +                                 info->iv, info->cipher->iv_len);
> +               goto done;
> +       }
> +
>         /* Either create or overwrite the named cipher node */
>         parent = fdt_subnode_offset(keydest, 0, FIT_CIPHER_NODENAME);
>         if (parent == -FDT_ERR_NOTFOUND) {
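Review bot: the new guard only covers the case where both keydest and info->ivname are unset; if keydest is NULL but ivname is set, control falls through to `parent = fdt_subnode_offset(keydest, 0, FIT_CIPHER_NODENAME);` with a NULL blob. Since nothing in this function rejects that combination, either return an error early for `!keydest && info->ivname`, or state in the add_cipher_data() function comment (as requested above) that keydest may be NULL only when no IV name is given, so the caller contract is explicit rather than relying on the check in tools/image-host.c. The comment `/* At least, store the IV in the FIT image */` would also read better as an explanation of why: no key node is written, so the IV is the only cipher data to store.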
> diff --git a/tools/image-host.c b/tools/image-host.c
> index 5e01b853c5..16389bd488 100644
> --- a/tools/image-host.c
> +++ b/tools/image-host.c
> @@ -535,7 +535,7 @@ fit_image_process_cipher(const char *keydir, void *keydest, void *fit,
>          * size values
>          * And, if needed, write the iv in the FIT file
>          */
> -       if (keydest) {
> +       if (keydest || (!keydest && !info.ivname)) {
>                 ret = info.cipher->add_cipher_data(&info, keydest, fit, node_noffset);
>                 if (ret) {
>                         fprintf(stderr,
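Review bot: the condition `if (keydest || (!keydest && !info.ivname))` is equivalent to `if (keydest || !info.ivname)`, since the `!keydest` term is redundant whenever the left side is false; the shorter form is easier to read. The comment block just above (`And, if needed, write the iv in the FIT file`) should also say when that now happens, i.e. that the IV is written into the FIT even without a key destination when the IV was generated rather than named.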
> --
> 2.43.0
>

[..]

Regards,
Simon

