@@ -179,6 +179,7 @@ def prepare_sw_description(d):
bb.note("Encryption of sw-description")
shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+ iv = swupdate_get_IV(d, s, 'sw-description')
swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)
signing = d.getVar('SWUPDATE_SIGNING', True)
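Review bot: The `iv` unpacked from swupdate_extract_keys() on the line above the added call is discarded as soon as `iv = swupdate_get_IV(d, s, 'sw-description')` runs, so the unpacking should make that explicit, `key, _ = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))`, with a comment such as `# IV comes from the swupdate_get_IV() hook (recipe-overridable), not from the key file`. The same discarded-then-overwritten pattern appears in the add_image_to_swu hunk. prepare_sw_description starts outside this hunk, so I cannot tell whether `key` is validated before use.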
@@ -249,6 +250,7 @@ def swupdate_add_src_uri(d, list_for_cpio):
bb.note("Encryption requested for %s" %(filename))
if not key or not iv:
bb.fatal("Encryption required, but no key found")
+ iv = swupdate_get_IV(d, s, filename)
swupdate_encrypt_file(local, dst, key, iv)
else:
shutil.copyfile(local, dst)
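Review bot: The `if not key or not iv` guard still tests the IV read from SWUPDATE_AES_FILE, not the value returned by swupdate_get_IV() that is actually handed to swupdate_encrypt_file(), so a recipe that overrides the hook and returns an empty value is not caught by the fatal. Either move the new assignment above the guard, or add `if not iv: bb.fatal("Encryption required, but no IV for %s" % filename)` right after it. `s` is not a parameter of swupdate_add_src_uri(d, list_for_cpio); if it is not bound earlier in the function body (outside this hunk) the added call would raise NameError, which is worth confirming.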
@@ -265,6 +267,7 @@ def add_image_to_swu(d, deploydir, imagename, s, encrypt, list_for_cpio):
if encrypt == '1':
key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
bb.note("Encryption requested for %s" %(imagename))
+ iv = swupdate_get_IV(d, s, imagename)
swupdate_encrypt_file(src, dst, key, iv)
else:
shutil.copyfile(src, dst)
@@ -40,6 +40,20 @@ def swupdate_get_sha256(d, s, filename):
m.update(data)
return m.hexdigest()
+def swupdate_get_IV(d, s, filename):
+ # By default preserve original behavior: use IV from SWUPDATE_AES_FILE.
+ key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+ return iv
+
+def swupdate_get_unique_IV(d, s, filename):
+ # New behavior: use unique random IV for each filename.
+ from secrets import token_hex
+ iv = d.getVarFlag("SWUPDATE_IV", filename, True)
+ if not iv:
+ iv = token_hex(16)
+ d.setVarFlag("SWUPDATE_IV", filename, iv)
+ return iv
+
def swupdate_get_size(d, s, filename):
import os
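Review bot: swupdate_get_unique_IV() passes a recipe-supplied `SWUPDATE_IV[filename]` flag straight through to the encryptor without checking it, whereas the generated path (`token_hex(16)`) always yields 32 hex characters; a malformed fixed value should fail early with `if len(iv) != 32 or set(iv) - set("0123456789abcdefABCDEF"): bb.fatal("SWUPDATE_IV[%s] must be 32 hex characters" % filename)` placed after the lookup. Both new functions lack docstrings: swupdate_get_IV() should say it is a hook meant to be redefined in the SWU recipe and that `s` and `filename` are unused by the default, and swupdate_get_unique_IV() should say that caching the IV in the var flag is what keeps the `ivt` expanded into sw-description and the IV used for encryption in agreement. The docstring should also note that a fixed SWUPDATE_IV value reuses the same key/IV pair on every build, which is the trade-off the commit message describes for hardcoded IVs.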
To use unique random IV for an image to encrypt: 1) In sw-description file use swupdate_get_IV() to initialize "ivt" value, for example: filename = "rootfs-image.ubifs"; encrypted = true; ivt = "$swupdate_get_IV(rootfs-image.ubifs)"; 2) In SWU image recipe overwrite default swupdate_get_IV(): def swupdate_get_IV(d, s, filename): return swupdate_get_unique_IV(d, s, filename) To use predefined/hardcoded IV for some/all images to encrypt: 3) In SWU image recipe set additionally: SWUPDATE_IV[sw-description] = "662c7e7ef64f987d6f039ff116ad1f26" SWUPDATE_IV[rootfs-image.ubifs] = "e972109190c1b1b0c60615480d9f3a05" Signed-off-by: Viacheslav Volkov <viacheslav.volkov.1@gmail.com> --- classes-recipe/swupdate-common.bbclass | 3 +++ classes-recipe/swupdate-lib.bbclass | 14 ++++++++++++++ 2 files changed, 17 insertions(+)