
[meta-swupdate] Allow unique IV per image to encrypt

Message ID 20240614133535.504340-1-viacheslav.volkov.1@gmail.com
State New

Commit Message

Viacheslav Volkov June 14, 2024, 1:35 p.m. UTC
To use a unique random IV for each image to be encrypted:

  1) In sw-description file use swupdate_get_IV() to initialize "ivt" value,
     for example:

       filename = "rootfs-image.ubifs";
       encrypted = true;
       ivt = "$swupdate_get_IV(rootfs-image.ubifs)";

  2) In SWU image recipe overwrite default swupdate_get_IV():

       def swupdate_get_IV(d, s, filename):
           return swupdate_get_unique_IV(d, s, filename)

To use predefined/hardcoded IV for some/all images to encrypt:

  3) In SWU image recipe set additionally:

       SWUPDATE_IV[sw-description] = "662c7e7ef64f987d6f039ff116ad1f26"
       SWUPDATE_IV[rootfs-image.ubifs] = "e972109190c1b1b0c60615480d9f3a05"

Signed-off-by: Viacheslav Volkov <viacheslav.volkov.1@gmail.com>
---
 classes-recipe/swupdate-common.bbclass |  3 +++
 classes-recipe/swupdate-lib.bbclass    | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

Patch

diff --git a/classes-recipe/swupdate-common.bbclass b/classes-recipe/swupdate-common.bbclass
index ad3c0a0..e476e6a 100644
--- a/classes-recipe/swupdate-common.bbclass
+++ b/classes-recipe/swupdate-common.bbclass
@@ -179,6 +179,7 @@  def prepare_sw_description(d):
         bb.note("Encryption of sw-description")
         shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
         key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+        iv = swupdate_get_IV(d, s, 'sw-description')
         swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)
 
     signing = d.getVar('SWUPDATE_SIGNING', True)
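Review bot: The IV for sw-description itself now comes from `swupdate_get_IV`, but sw-description has no field in which to publish its own `ivt`, so a recipe that overrides the hook with `swupdate_get_unique_IV` (step 2 of the commit message) encrypts it with a random value unless `SWUPDATE_IV[sw-description]` is also set. Presumably the target decrypts sw-description with the IV it was provisioned with, in which case a random IV here produces an update the device cannot parse; this should be confirmed against the SWUpdate side. I would add a comment on the new line such as `# sw-description cannot publish its own IV: must match the IV provisioned on the target`, and consider keeping the key-file IV for this one file. The `iv` unpacked on the line above is now dead, so `key, _ = swupdate_extract_keys(...)` would read more honestly; the same applies in add_image_to_swu. prepare_sw_description starts and ends outside the hunk.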
@@ -249,6 +250,7 @@  def swupdate_add_src_uri(d, list_for_cpio):
                 bb.note("Encryption requested for %s" %(filename))
                 if not key or not iv:
                     bb.fatal("Encryption required, but no key found")
+                iv = swupdate_get_IV(d, s, filename)
                 swupdate_encrypt_file(local, dst, key, iv)
             else:
                 shutil.copyfile(local, dst)
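Review bot: The `if not key or not iv` guard tests the IV read from the key file, and the added line then replaces that value, so whatever `swupdate_get_IV` returns reaches `swupdate_encrypt_file` unchecked. With the `swupdate_get_unique_IV` variant added in swupdate-lib.bbclass, the value can come straight from a recipe's `SWUPDATE_IV[...]` flag, and nothing visible validates it as 32 hex characters. Moving `iv = swupdate_get_IV(d, s, filename)` above the guard, and calling `bb.fatal` when the result is not a 16-byte hex string, would keep the check meaningful. `s` is not a parameter of swupdate_add_src_uri, so the new line depends on a local defined outside the hunk.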
@@ -265,6 +267,7 @@  def add_image_to_swu(d, deploydir, imagename, s, encrypt, list_for_cpio):
     if encrypt == '1':
         key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
         bb.note("Encryption requested for %s" %(imagename))
+        iv = swupdate_get_IV(d, s, imagename)
         swupdate_encrypt_file(src, dst, key, iv)
     else:
         shutil.copyfile(src, dst)
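Review bot: The IV is looked up by `imagename` here, while the value published to the device is keyed by whatever string the author writes inside `$swupdate_get_IV(...)` in sw-description. `swupdate_get_unique_IV` caches per exact flag name, so two spellings of the same file silently get two different random IVs and the image will not decrypt on the target. That coupling deserves a comment on the new line, for example `# must be the same name used in sw-description's $swupdate_get_IV(...)`; it also appears to rely on both calls seeing the same datastore `d`, which this hunk does not show. Unlike swupdate_add_src_uri, this branch has no `if not key` check before encrypting. add_image_to_swu starts and ends outside the hunk.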
diff --git a/classes-recipe/swupdate-lib.bbclass b/classes-recipe/swupdate-lib.bbclass
index 14a2a08..ae8c093 100644
--- a/classes-recipe/swupdate-lib.bbclass
+++ b/classes-recipe/swupdate-lib.bbclass
@@ -40,6 +40,20 @@  def swupdate_get_sha256(d, s, filename):
             m.update(data)
     return m.hexdigest()
 
+def swupdate_get_IV(d, s, filename):
+    # By default preserve original behavior: use IV from SWUPDATE_AES_FILE.
+    key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+    return iv
+
+def swupdate_get_unique_IV(d, s, filename):
+    # New behavior: use unique random IV for each filename.
+    from secrets import token_hex
+    iv = d.getVarFlag("SWUPDATE_IV", filename, True)
+    if not iv:
+        iv = token_hex(16)
+        d.setVarFlag("SWUPDATE_IV", filename, iv)
+    return iv
+
 def swupdate_get_size(d, s, filename):
     import os