diff options
| author | Paul HENRYS <paul.henrys_ext@softathome.com> | 2024-11-25 18:47:15 +0100 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2024-12-19 09:10:34 -0600 |
| commit | 79d7b11102e31f3b92afff1c94dd9fe1a8b9a9e4 (patch) | |
| tree | 98b54533b077c73263c49227af6dbe38e0500faf | |
| parent | 337bfdce5aa52637b482b182db959b9bb058f4b7 (diff) | |
aes: Allow to store randomly generated IV in the FIT
When the initialisation vector is randomly generated, its value shall be
stored in the FIT together with the encrypted data. The changes allow to
store the IV in the FIT also in the case where the key is not stored in
the DTB but retrieved somewhere else at runtime.
Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
| -rw-r--r-- | include/image.h | 15 | ||||
| -rw-r--r-- | lib/aes/aes-encrypt.c | 7 | ||||
| -rw-r--r-- | tools/image-host.c | 2 |
3 files changed, 23 insertions, 1 deletions
diff --git a/include/image.h b/include/image.h index 9be5acd8158..cfe3c971a36 100644 --- a/include/image.h +++ b/include/image.h @@ -1788,6 +1788,21 @@ struct cipher_algo { const unsigned char *data, int data_len, unsigned char **cipher, int *cipher_len); + /** + * add_cipher_data() - Add cipher data to the FIT and device tree + * + * This is used to add the ciphered data to the FIT and other cipher + * related information (key and initialization vector) to a device tree. + * + * @info: Pointer to image cipher information. + * @keydest: Pointer to a device tree where the key and IV can be + * stored. keydest can be NULL when the key is retrieved at + * runtime by another mean. + * @fit: Pointer to the FIT image. + * @node_noffset: Offset where the cipher information are stored in the + * FIT. + * return: 0 on success, a negative error code otherwise. + */ int (*add_cipher_data)(struct image_cipher_info *info, void *keydest, void *fit, int node_noffset); diff --git a/lib/aes/aes-encrypt.c b/lib/aes/aes-encrypt.c index e74e35eaa28..90e1407b4f0 100644 --- a/lib/aes/aes-encrypt.c +++ b/lib/aes/aes-encrypt.c @@ -84,6 +84,13 @@ int image_aes_add_cipher_data(struct image_cipher_info *info, void *keydest, char name[128]; int ret = 0; + if (!keydest && !info->ivname) { + /* At least, store the IV in the FIT image */ + ret = fdt_setprop(fit, node_noffset, "iv", + info->iv, info->cipher->iv_len); + goto done; + } + /* Either create or overwrite the named cipher node */ parent = fdt_subnode_offset(keydest, 0, FIT_CIPHER_NODENAME); if (parent == -FDT_ERR_NOTFOUND) { diff --git a/tools/image-host.c b/tools/image-host.c index 5e01b853c50..16389bd4880 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -535,7 +535,7 @@ fit_image_process_cipher(const char *keydir, void *keydest, void *fit, * size values * And, if needed, write the iv in the FIT file */ - if (keydest) { + if (keydest || (!keydest && !info.ivname)) { ret = info.cipher->add_cipher_data(&info, keydest, fit, node_noffset); if (ret) { fprintf(stderr, |