imgtool: Add clear image generation with encryption capability
Create an option to generate a clear image with encryption capability that can be installed in the primary slot. Because the image has encryption capability, it can be encrypted when it is swapped into the secondary slot.
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
parent
c9ac802a99
commit
d09aa6b4f9
|
@ -305,7 +305,7 @@ class Image():
|
||||||
return cipherkey, ciphermac, pubk
|
return cipherkey, ciphermac, pubk
|
||||||
|
|
||||||
def create(self, key, public_key_format, enckey, dependencies=None,
|
def create(self, key, public_key_format, enckey, dependencies=None,
|
||||||
sw_type=None, custom_tlvs=None, encrypt_keylen=128):
|
sw_type=None, custom_tlvs=None, encrypt_keylen=128, clear=False):
|
||||||
self.enckey = enckey
|
self.enckey = enckey
|
||||||
|
|
||||||
# Calculate the hash of the public key
|
# Calculate the hash of the public key
|
||||||
|
@ -472,13 +472,14 @@ class Image():
|
||||||
else:
|
else:
|
||||||
tlv.add('ENCX25519', enctlv)
|
tlv.add('ENCX25519', enctlv)
|
||||||
|
|
||||||
nonce = bytes([0] * 16)
|
if not clear:
|
||||||
cipher = Cipher(algorithms.AES(plainkey), modes.CTR(nonce),
|
nonce = bytes([0] * 16)
|
||||||
backend=default_backend())
|
cipher = Cipher(algorithms.AES(plainkey), modes.CTR(nonce),
|
||||||
encryptor = cipher.encryptor()
|
backend=default_backend())
|
||||||
img = bytes(self.payload[self.header_size:])
|
encryptor = cipher.encryptor()
|
||||||
self.payload[self.header_size:] = \
|
img = bytes(self.payload[self.header_size:])
|
||||||
encryptor.update(img) + encryptor.finalize()
|
self.payload[self.header_size:] = \
|
||||||
|
encryptor.update(img) + encryptor.finalize()
|
||||||
|
|
||||||
self.payload += prot_tlv.get()
|
self.payload += prot_tlv.get()
|
||||||
self.payload += tlv.get()
|
self.payload += tlv.get()
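Review bot: The new `clear` argument of `create` decides whether the payload leaves the tool in plaintext, yet nothing on the new side documents it. At `if not clear:` I would add `# clear=True: leave the payload in plaintext but keep the key TLV added above, so the bootloader can encrypt the image when it swaps it to the secondary slot`. The AES-CTR nonce that moved under this branch is still all zeros (`nonce = bytes([0] * 16)`), which is only safe if `plainkey` is generated fresh for every image. Key generation is outside the hunk, so that is worth confirming and stating in a comment as well. `create` begins in the first hunk and continues past the end of this one.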
|
||||||
|
|
|
@ -254,6 +254,10 @@ class BasedIntParamType(click.ParamType):
|
||||||
type=click.Choice(['128','256']),
|
type=click.Choice(['128','256']),
|
||||||
help='When encrypting the image using AES, select a 128 bit or '
|
help='When encrypting the image using AES, select a 128 bit or '
|
||||||
'256 bit key len.')
|
'256 bit key len.')
|
||||||
|
@click.option('-c', '--clear', required=False, is_flag=True, default=False,
|
||||||
|
help='Output a non-encrypted image with encryption capabilities,'
|
||||||
|
'so it can be installed in the primary slot, and encrypted '
|
||||||
|
'when swapped to the secondary.')
|
||||||
@click.option('-e', '--endian', type=click.Choice(['little', 'big']),
|
@click.option('-e', '--endian', type=click.Choice(['little', 'big']),
|
||||||
default='little', help="Select little or big endian")
|
default='little', help="Select little or big endian")
|
||||||
@click.option('--overwrite-only', default=False, is_flag=True,
|
@click.option('--overwrite-only', default=False, is_flag=True,
|
||||||
|
@ -303,7 +307,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
|
||||||
pad_header, slot_size, pad, confirm, max_sectors, overwrite_only,
|
pad_header, slot_size, pad, confirm, max_sectors, overwrite_only,
|
||||||
endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
|
endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
|
||||||
load_addr, hex_addr, erased_val, save_enctlv, security_counter,
|
load_addr, hex_addr, erased_val, save_enctlv, security_counter,
|
||||||
boot_record, custom_tlv, rom_fixed, max_align):
|
boot_record, custom_tlv, rom_fixed, max_align, clear):
|
||||||
|
|
||||||
if confirm:
|
if confirm:
|
||||||
# Confirmed but non-padded images don't make much sense, because
|
# Confirmed but non-padded images don't make much sense, because
|
||||||
|
@ -350,7 +354,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
|
||||||
custom_tlvs[tag] = value.encode('utf-8')
|
custom_tlvs[tag] = value.encode('utf-8')
|
||||||
|
|
||||||
img.create(key, public_key_format, enckey, dependencies, boot_record,
|
img.create(key, public_key_format, enckey, dependencies, boot_record,
|
||||||
custom_tlvs, int(encrypt_keylen))
|
custom_tlvs, int(encrypt_keylen), clear)
|
||||||
img.save(outfile, hex_addr)
|
img.save(outfile, hex_addr)
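Review bot: `--clear` only makes sense together with `--encrypt`, but none of the visible lines of `sign` reject the flag when no encryption key is given, so the request would apparently be ignored without any message. A guard such as `if clear and not encrypt: raise click.UsageError('--clear requires --encrypt')` before `img.create(...)` would make that explicit. The help text also concatenates to `capabilities,so it` because the first literal has no trailing space; it should end `capabilities, '`. Passing the flag as `clear=clear` rather than as the eighth positional argument would keep the call correct if the signature of `create` changes later. The body of `sign` is only partly visible in these hunks.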
|
||||||
|
|
||||||
|
|
||||||
|
|