~funderscore blog cgit wiki get in touch
aboutsummaryrefslogtreecommitdiff
blob: 53d0e76bab7c4ec64ad7a000d1a0c96abaa82e9b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# SPDX-License-Identifier: GPL-2.0+
# Copyright 2023 Weidmüller Interface GmbH & Co. KG
# Written by Christian Taedcke <christian.taedcke@weidmueller.com>
#
# Entry-type module for cipher information of encrypted blobs/binaries
#

from binman.etype.collection import Entry
from dtoc import fdt_util
from u_boot_pylib import tools

# This is imported if needed
state = None


class Entry_encrypted(Entry):
    """Externally built encrypted binary blob

    This entry provides the functionality to include information about how to
    decrypt an encrypted binary. This information is added to the
    resulting device tree by adding a new cipher node in the entry's parent
    node (i.e. the binary).

    The key that must be used to decrypt the binary is either directly embedded
    in the device tree or indirectly by specifying a key source. The key source
    can be used as an id of a key that is stored in an external device.

    Using an embedded key
    ~~~~~~~~~~~~~~~~~~~~~

    This is an example using an embedded key::

        blob-ext {
            filename = "encrypted-blob.bin";
        };

        encrypted {
            algo = "aes256-gcm";
            iv-filename = "encrypted-blob.bin.iv";
            key-filename = "encrypted-blob.bin.key";
        };

    This entry generates the following device tree structure form the example
    above::

        data = [...]
        cipher {
            algo = "aes256-gcm";
            key = <0x...>;
            iv = <0x...>;
        };

    The data property is generated by the blob-ext etype, the cipher node and
    its content is generated by this etype.

    Using an external key
    ~~~~~~~~~~~~~~~~~~~~~

    Instead of embedding the key itself into the device tree, it is also
    possible to address an externally stored key by specifying a 'key-source'
    instead of the 'key'::

        blob-ext {
            filename = "encrypted-blob.bin";
        };

        encrypted {
            algo = "aes256-gcm";
            iv-filename = "encrypted-blob.bin.iv";
            key-source = "external-key-id";
        };

    This entry generates the following device tree structure form the example
    above::

        data = [...]
        cipher {
            algo = "aes256-gcm";
            key-source = "external-key-id";
            iv = <0x...>;
        };

    Properties
    ~~~~~~~~~~

    Properties / Entry arguments:
        - algo: The encryption algorithm. Currently no algorithm is supported
                out-of-the-box. Certain algorithms will be added in future
                patches.
        - iv-filename: The name of the file containing the initialization
                       vector (in short iv). See
                       https://en.wikipedia.org/wiki/Initialization_vector
        - key-filename: The name of the file containing the key. Either
                        key-filename or key-source must be provided.
        - key-source: The key that should be used. Either key-filename or
                      key-source must be provided.
    """

    def __init__(self, section, etype, node):
        # Put this here to allow entry-docs and help to work without libfdt
        global state
        from binman import state

        super().__init__(section, etype, node)
        self.required_props = ['algo', 'iv-filename']
        self._algo = None
        self._iv_filename = None
        self._key_name_hint = None
        self._key_filename = None

    def ReadNode(self):
        super().ReadNode()

        self._algo = fdt_util.GetString(self._node, 'algo')
        self._iv_filename = fdt_util.GetString(self._node, 'iv-filename')
        self._key_filename = fdt_util.GetString(self._node, 'key-filename')
        self._key_source = fdt_util.GetString(self._node, 'key-source')

        if self._key_filename is None and self._key_source is None:
            self.Raise("Provide either 'key-filename' or 'key-source'")

    def gen_entries(self):
        super().gen_entries()

        iv_filename = tools.get_input_filename(self._iv_filename)
        iv = tools.read_file(iv_filename, binary=True)

        cipher_node = state.AddSubnode(self._node.parent, "cipher")
        cipher_node.AddString("algo", self._algo)
        cipher_node.AddData("iv", iv)

        if self._key_filename:
            key_filename = tools.get_input_filename(self._key_filename)
            key = tools.read_file(key_filename, binary=True)
            cipher_node.AddData("key", key)

        if self._key_source:
            cipher_node.AddString("key-source", self._key_source)