Hi Paul,
On Mon, 5 Aug 2024 at 07:35, Paul HENRYS paul.henrys_ext@softathome.com wrote:
Test the property 'fit,keys-directory' which, when a cipher node is present, encrypts the data stored in the FIT.
Signed-off-by: Paul HENRYS paul.henrys_ext@softathome.com
tools/binman/ftest.py | 39 +++++++++++++ tools/binman/test/326_fit_encrypt_data.dts | 53 ++++++++++++++++++ .../test/327_fit_encrypt_data_no_key.dts | 53 ++++++++++++++++++ tools/binman/test/aes256.bin | Bin 0 -> 32 bytes 4 files changed, 145 insertions(+) create mode 100644 tools/binman/test/326_fit_encrypt_data.dts create mode 100644 tools/binman/test/327_fit_encrypt_data_no_key.dts create mode 100644 tools/binman/test/aes256.bin
Looks OK but for nits
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index 93f3d22cf57..64b7d0231de 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -7691,5 +7691,44 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self.assertIsNone(dtb.GetNode('/node/other-node'))
- def testSimpleFitEncryptedData(self):
"""Test an image with a FIT containing data to be encrypted"""data = self._DoReadFile('326_fit_encrypt_data.dts')fit = fdt.Fdt.FromData(data)fit.Scan()# Extract the encrypted data and the IV from the FIT
Please write out IV in full for clarity.
node = fit.GetNode('/images/u-boot')subnode = fit.GetNode('/images/u-boot/cipher')data_size_unciphered = int.from_bytes(fit.GetProps(node)['data-size-unciphered'].bytes,byteorder='big')self.assertEqual(data_size_unciphered, len(U_BOOT_NODTB_DATA))# Retrieve the key name from the FIT removing any null bytekey_name = fit.GetProps(subnode)['key-name-hint'].bytes.replace(b'\x00', b'')
Why do you need to replace the nul byte? Could you use this?
fdt_util.GetString(subnode, 'key-name-hint')
with open(self.TestFile(key_name.decode('ascii') + '.bin'), 'rb') as file:key = file.read()
tools.read_file(filename)
below also
iv = fit.GetProps(subnode)['iv'].bytes.hex()enc_data = fit.GetProps(node)['data'].bytesoutdir = tools.get_output_dir()enc_data_file = os.path.join(outdir, 'encrypted_data.bin')tools.write_file(enc_data_file, enc_data)data_file = os.path.join(outdir, 'data.bin')# Decrypt the encrypted data from the FIT and compare the datatools.run('openssl', 'enc', '-aes-256-cbc', '-nosalt', '-d', '-in',enc_data_file, '-out', data_file, '-K', key.hex(), '-iv', iv)with open(data_file, 'r') as file:dec_data = file.read()self.assertEqual(U_BOOT_NODTB_DATA, dec_data.encode('ascii'))- def testSimpleFitEncryptedDataMissingKey(self):
"""Test an image with a FIT containing data to be encrypted but with a missing key"""with self.assertRaises(ValueError) as e:self._DoReadFile('327_fit_encrypt_data_no_key.dts')self.assertIn("Can't open file ./aes256.bin (err=2 => No such file or directory)", str(e.exception))if __name__ == "__main__": unittest.main() diff --git a/tools/binman/test/326_fit_encrypt_data.dts b/tools/binman/test/326_fit_encrypt_data.dts new file mode 100644 index 00000000000..3cd890063cd --- /dev/null +++ b/tools/binman/test/326_fit_encrypt_data.dts @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;
+/ {
#address-cells = <1>;#size-cells = <1>;binman {fit {fit,keys-directory = "tools/binman/test";description = "Test a FIT with encrypted data";#address-cells = <1>;images {u-boot {description = "U-Boot";type = "firmware";arch = "arm64";os = "U-Boot";compression = "none";load = <00000000>;entry = <00000000>;cipher {algo = "aes256";key-name-hint = "aes256";};u-boot-nodtb {};};fdt-1 {description = "Flattened Device Tree blob";type = "flat_dt";arch = "arm64";compression = "none";cipher {algo = "aes256";key-name-hint = "aes256";};};};configurations {default = "conf-1";conf-1 {description = "Boot U-Boot with FDT blob";firmware = "u-boot";fdt = "fdt-1";};};};};+}; diff --git a/tools/binman/test/327_fit_encrypt_data_no_key.dts b/tools/binman/test/327_fit_encrypt_data_no_key.dts new file mode 100644 index 00000000000..b92cd2e4bd6 --- /dev/null +++ b/tools/binman/test/327_fit_encrypt_data_no_key.dts @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0+
+/dts-v1/;
+/ {
#address-cells = <1>;#size-cells = <1>;binman {fit {fit,keys-directory = ".";description = "Test a FIT with encrypted data";#address-cells = <1>;images {u-boot {description = "U-Boot";type = "firmware";arch = "arm64";os = "U-Boot";compression = "none";load = <00000000>;entry = <00000000>;cipher {algo = "aes256";key-name-hint = "aes256";};u-boot-nodtb {};};fdt-1 {description = "Flattened Device Tree blob";type = "flat_dt";arch = "arm64";compression = "none";cipher {algo = "aes256";key-name-hint = "aes256";};};};configurations {default = "conf-1";conf-1 {description = "Boot U-Boot with FDT blob";firmware = "u-boot";fdt = "fdt-1";};};};};+}; diff --git a/tools/binman/test/aes256.bin b/tools/binman/test/aes256.bin new file mode 100644 index 0000000000000000000000000000000000000000..09b8bf6254ada5c084039f32916bc7d30233bb2c GIT binary patch literal 32 ncmXpsGBz<aGq<obNK8sjNli=7$jr*l$<50zC@d;2DJ=s4pC}7U
literal 0 HcmV?d00001
-- 2.25.1
-- This message and any attachments herein are confidential, intended solely for the addressees and are SoftAtHome’s ownership. Any unauthorized use or dissemination is prohibited. If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
Regards, Simon