imgtool: Add clear image generation with encryption capability

Create an option to generate a clear image with encryption capability
that can be installed on a primary slot. Since image has encryption
capability image can be swapped encrypted in secondary slot

Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
This commit is contained in:
Michel Jaouen 2022-01-07 16:48:58 +01:00 committed by Fabio Utzig
parent c9ac802a99
commit d09aa6b4f9
2 changed files with 15 additions and 10 deletions

View File

@ -305,7 +305,7 @@ class Image():
return cipherkey, ciphermac, pubk return cipherkey, ciphermac, pubk
def create(self, key, public_key_format, enckey, dependencies=None, def create(self, key, public_key_format, enckey, dependencies=None,
sw_type=None, custom_tlvs=None, encrypt_keylen=128): sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False):
self.enckey = enckey self.enckey = enckey
# Calculate the hash of the public key # Calculate the hash of the public key
@ -472,13 +472,14 @@ class Image():
else: else:
tlv.add('ENCX25519', enctlv) tlv.add('ENCX25519', enctlv)
nonce = bytes([0] * 16) if not clear:
cipher = Cipher(algorithms.AES(plainkey), modes.CTR(nonce), nonce = bytes([0] * 16)
backend=default_backend()) cipher = Cipher(algorithms.AES(plainkey), modes.CTR(nonce),
encryptor = cipher.encryptor() backend=default_backend())
img = bytes(self.payload[self.header_size:]) encryptor = cipher.encryptor()
self.payload[self.header_size:] = \ img = bytes(self.payload[self.header_size:])
encryptor.update(img) + encryptor.finalize() self.payload[self.header_size:] = \
encryptor.update(img) + encryptor.finalize()
self.payload += prot_tlv.get() self.payload += prot_tlv.get()
self.payload += tlv.get() self.payload += tlv.get()

View File

@ -254,6 +254,10 @@ class BasedIntParamType(click.ParamType):
type=click.Choice(['128','256']), type=click.Choice(['128','256']),
help='When encrypting the image using AES, select a 128 bit or ' help='When encrypting the image using AES, select a 128 bit or '
'256 bit key len.') '256 bit key len.')
@click.option('-c', '--clear', required=False, is_flag=True, default=False,
help='Output a non-encrypted image with encryption capabilities,'
'so it can be installed in the primary slot, and encrypted '
'when swapped to the secondary.')
@click.option('-e', '--endian', type=click.Choice(['little', 'big']), @click.option('-e', '--endian', type=click.Choice(['little', 'big']),
default='little', help="Select little or big endian") default='little', help="Select little or big endian")
@click.option('--overwrite-only', default=False, is_flag=True, @click.option('--overwrite-only', default=False, is_flag=True,
@ -303,7 +307,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
pad_header, slot_size, pad, confirm, max_sectors, overwrite_only, pad_header, slot_size, pad, confirm, max_sectors, overwrite_only,
endian, encrypt_keylen, encrypt, infile, outfile, dependencies, endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
load_addr, hex_addr, erased_val, save_enctlv, security_counter, load_addr, hex_addr, erased_val, save_enctlv, security_counter,
boot_record, custom_tlv, rom_fixed, max_align): boot_record, custom_tlv, rom_fixed, max_align, clear):
if confirm: if confirm:
# Confirmed but non-padded images don't make much sense, because # Confirmed but non-padded images don't make much sense, because
@ -350,7 +354,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
custom_tlvs[tag] = value.encode('utf-8') custom_tlvs[tag] = value.encode('utf-8')
img.create(key, public_key_format, enckey, dependencies, boot_record, img.create(key, public_key_format, enckey, dependencies, boot_record,
custom_tlvs, int(encrypt_keylen)) custom_tlvs, int(encrypt_keylen), clear)
img.save(outfile, hex_addr) img.save(outfile, hex_addr)