On Wed, 20 Nov 2024 at 03:09, Paul HENRYS paul.henrys_ext@softathome.com wrote:
Test the property 'fit,keys-directory' which, when a cipher node is present, encrypts the data stored in the FIT.
Signed-off-by: Paul HENRYS paul.henrys_ext@softathome.com
Changes for v3:
- Write out IV in full for clarity as requested
- Do not replace the null byte but use fdt_util.GetString() instead
- Adapt the tests for the FIT data encryption to create a file with the content of the AES key in the working directory and pass the path to binman
tools/binman/ftest.py | 45 +++++++++++++++ tools/binman/test/343_fit_encrypt_data.dts | 53 ++++++++++++++++++ .../test/344_fit_encrypt_data_no_key.dts | 53 ++++++++++++++++++ tools/binman/test/aes256.bin | Bin 0 -> 32 bytes 4 files changed, 151 insertions(+) create mode 100644 tools/binman/test/343_fit_encrypt_data.dts create mode 100644 tools/binman/test/344_fit_encrypt_data_no_key.dts create mode 100644 tools/binman/test/aes256.bin
Reviewed-by: Simon Glass sjg@chromium.org
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index adab65e579..b19b0cc5b3 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -7900,5 +7900,50 @@ fdt fdtmap Extract the devicetree blob from the fdtmap extra_indirs=[test_subdir])[0]
- def testSimpleFitEncryptedData(self):
"""Test an image with a FIT containing data to be encrypted"""data = tools.read_file(self.TestFile("aes256.bin"))self._MakeInputFile("keys/aes256.bin", data)keys_subdir = os.path.join(self._indir, "keys")data = self._DoReadFileDtb('343_fit_encrypt_data.dts',extra_indirs=[keys_subdir])[0]fit = fdt.Fdt.FromData(data)fit.Scan()# Extract the encrypted data and the Initialization Vector from the FITnode = fit.GetNode('/images/u-boot')subnode = fit.GetNode('/images/u-boot/cipher')data_size_unciphered = int.from_bytes(fit.GetProps(node)['data-size-unciphered'].bytes,byteorder='big')self.assertEqual(data_size_unciphered, len(U_BOOT_NODTB_DATA))# Retrieve the key name from the FIT removing any null bytekey_name = fit.GetProps(subnode)['key-name-hint'].bytes.replace(b'\x00', b'')with open(self.TestFile(key_name.decode('ascii') + '.bin'), 'rb') as file:key = file.read()iv = fit.GetProps(subnode)['iv'].bytes.hex()enc_data = fit.GetProps(node)['data'].bytesoutdir = tools.get_output_dir()enc_data_file = os.path.join(outdir, 'encrypted_data.bin')tools.write_file(enc_data_file, enc_data)data_file = os.path.join(outdir, 'data.bin')# Decrypt the encrypted data from the FIT and compare the datatools.run('openssl', 'enc', '-aes-256-cbc', '-nosalt', '-d', '-in',enc_data_file, '-out', data_file, '-K', key.hex(), '-iv', iv)with open(data_file, 'r') as file:dec_data = file.read()self.assertEqual(U_BOOT_NODTB_DATA, dec_data.encode('ascii'))- def testSimpleFitEncryptedDataMissingKey(self):
"""Test an image with a FIT containing data to be encrypted but with a missing key"""with self.assertRaises(ValueError) as e:self._DoReadFile('344_fit_encrypt_data_no_key.dts')self.assertIn("Filename 'aes256.bin' not found in input path", str(e.exception))if __name__ == "__main__": unittest.main() diff --git a/tools/binman/test/343_fit_encrypt_data.dts b/tools/binman/test/343_fit_encrypt_data.dts new file mode 100644 index 0000000000..90e504979b --- /dev/null +++ b/tools/binman/test/343_fit_encrypt_data.dts @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;
+/ {
#address-cells = <1>;#size-cells = <1>;binman {fit {fit,keys-directory;description = "Test a FIT with encrypted data";#address-cells = <1>;images {u-boot {description = "U-Boot";type = "firmware";arch = "arm64";os = "U-Boot";compression = "none";load = <00000000>;entry = <00000000>;cipher {algo = "aes256";key-name-hint = "aes256";};u-boot-nodtb {};};fdt-1 {description = "Flattened Device Tree blob";type = "flat_dt";arch = "arm64";compression = "none";cipher {algo = "aes256";key-name-hint = "aes256";};};};configurations {default = "conf-1";conf-1 {description = "Boot U-Boot with FDT blob";firmware = "u-boot";fdt = "fdt-1";};};};};+}; diff --git a/tools/binman/test/344_fit_encrypt_data_no_key.dts b/tools/binman/test/344_fit_encrypt_data_no_key.dts new file mode 100644 index 0000000000..90e504979b --- /dev/null +++ b/tools/binman/test/344_fit_encrypt_data_no_key.dts @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;
+/ {
#address-cells = <1>;#size-cells = <1>;binman {fit {fit,keys-directory;description = "Test a FIT with encrypted data";#address-cells = <1>;images {u-boot {description = "U-Boot";type = "firmware";arch = "arm64";os = "U-Boot";compression = "none";load = <00000000>;entry = <00000000>;cipher {algo = "aes256";key-name-hint = "aes256";};u-boot-nodtb {};};fdt-1 {description = "Flattened Device Tree blob";type = "flat_dt";arch = "arm64";compression = "none";cipher {algo = "aes256";key-name-hint = "aes256";};};};configurations {default = "conf-1";conf-1 {description = "Boot U-Boot with FDT blob";firmware = "u-boot";fdt = "fdt-1";};};};};+}; diff --git a/tools/binman/test/aes256.bin b/tools/binman/test/aes256.bin new file mode 100644 index 0000000000000000000000000000000000000000..09b8bf6254ada5c084039f32916bc7d30233bb2c GIT binary patch literal 32 ncmXpsGBz<aGq<obNK8sjNli=7$jr*l$<50zC@d;2DJ=s4pC}7U
literal 0 HcmV?d00001
-- 2.43.0
[..]