From patchwork Fri Jun 14 13:35:00 2024
X-Patchwork-Submitter: Viacheslav Volkov
X-Patchwork-Id: 1947932
X-Patchwork-Delegate: sbabic@denx.de
From: Viacheslav Volkov
To: swupdate@googlegroups.com
Cc: Viacheslav Volkov
Subject: [swupdate] [meta-swupdate][PATCH] Allow unique IV per image to encrypt
Date: Fri, 14 Jun 2024 17:35:00 +0400
Message-ID: <20240614133535.504340-1-viacheslav.volkov.1@gmail.com>
X-Mailer: git-send-email 2.45.2

To use unique random IV for an image to encrypt:

1) In sw-description file use swupdate_get_IV() to initialize "ivt" value, for example:

    filename = "rootfs-image.ubifs";
    encrypted = true;
    ivt = "$swupdate_get_IV(rootfs-image.ubifs)";

2) In SWU image recipe overwrite default swupdate_get_IV():

    def swupdate_get_IV(d, s, filename):
        return swupdate_get_unique_IV(d, s, filename)

To use predefined/hardcoded IV for some/all images to encrypt:

3) In SWU image recipe set additionally:

    SWUPDATE_IV[sw-description] = "662c7e7ef64f987d6f039ff116ad1f26"
    SWUPDATE_IV[rootfs-image.ubifs] = "e972109190c1b1b0c60615480d9f3a05"

Signed-off-by: Viacheslav Volkov
---
 classes-recipe/swupdate-common.bbclass |  3 +++
 classes-recipe/swupdate-lib.bbclass    | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/classes-recipe/swupdate-common.bbclass b/classes-recipe/swupdate-common.bbclass
index ad3c0a0..e476e6a 100644
--- a/classes-recipe/swupdate-common.bbclass
+++ b/classes-recipe/swupdate-common.bbclass
@@ -179,6 +179,7 @@ def prepare_sw_description(d): bb.note("Encryption of sw-description") shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain')) key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + iv = swupdate_get_IV(d, s, 'sw-description') swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv) signing = d.getVar('SWUPDATE_SIGNING', True) @@ -249,6 +250,7 @@ def swupdate_add_src_uri(d, list_for_cpio): bb.note("Encryption requested for %s" %(filename)) if not key or not iv: bb.fatal("Encryption required, but no key found") + iv = swupdate_get_IV(d, s, filename) swupdate_encrypt_file(local, dst, key, iv) else: shutil.copyfile(local, dst) @@ -265,6 +267,7 @@ def add_image_to_swu(d, deploydir, imagename, s, encrypt, list_for_cpio): if encrypt == '1': key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) bb.note("Encryption requested for %s" %(imagename)) + iv = swupdate_get_IV(d, s, imagename) swupdate_encrypt_file(src, dst, key, iv) else: shutil.copyfile(src, dst) diff --git a/classes-recipe/swupdate-lib.bbclass b/classes-recipe/swupdate-lib.bbclass index 14a2a08..ae8c093 100644 --- a/classes-recipe/swupdate-lib.bbclass +++ b/classes-recipe/swupdate-lib.bbclass @@ -40,6 +40,20 @@ def swupdate_get_sha256(d, s, filename): m.update(data) return m.hexdigest() +def swupdate_get_IV(d, s, filename): + # By default preserve original behavior: use IV from SWUPDATE_AES_FILE. + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + return iv + +def swupdate_get_unique_IV(d, s, filename): + # New behavior: use unique random IV for each filename. + from secrets import token_hex + iv = d.getVarFlag("SWUPDATE_IV", filename, True) + if not iv: + iv = token_hex(16) + d.setVarFlag("SWUPDATE_IV", filename, iv) + return iv + def swupdate_get_size(d, s, filename): import os
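Review bot: in the prepare_sw_description hunk, the sw-description case needs a comment or a guard: the override in step 2 of the commit message applies to every filename including 'sw-description', but sw-description is the file that carries the images' ivt values and cannot carry its own, so a random IV returned here for it is never communicated to the device. Step 3 pins SWUPDATE_IV[sw-description] for exactly that reason, yet nothing at this call site documents or enforces it; at minimum note it in a comment, and consider `key, _ = swupdate_extract_keys(...)` here since the IV from the key file is now immediately discarded (and re-read inside the default swupdate_get_IV()).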
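Review bot: in the swupdate_add_src_uri hunk the `if not key or not iv: bb.fatal(...)` check still runs before `iv = swupdate_get_IV(d, s, filename)`, so it validates the key-file IV rather than the IV that is actually passed to swupdate_encrypt_file(); a recipe whose swupdate_get_IV() override returns an empty or malformed value is not caught. Move the override above the check, or repeat `if not iv: bb.fatal(...)` after it.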
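Review bot: in the add_image_to_swu hunk there is no validation at all: after `iv = swupdate_get_IV(d, s, imagename)` nothing checks that the hook (user-overridable, per the commit message) returned 16 bytes as 32 hex characters, which is the format both token_hex(16) and the SWUPDATE_IV[...] flags in the commit message rely on. A small shared helper, for example `if not re.fullmatch('[0-9a-fA-F]{32}', iv): bb.fatal("Invalid IV for %s" % imagename)`, used at all three call sites would close this consistently.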
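Review bot: in the swupdate-lib.bbclass hunk, swupdate_get_unique_IV() uses the same SWUPDATE_IV[<filename>] flag both as user input (step 3 of the commit message) and as the cache for generated values, so a hardcoded flag silently turns the "unique random IV" path into a fixed IV reused across every build. That is acceptable when intended, but both new functions lack a docstring saying so, and a bb.note when a preset flag is used instead of a fresh token_hex(16) would make it visible in the build log. The cache also lives only in the current datastore, so the same task must both expand `$swupdate_get_IV(...)` in sw-description and encrypt the image, otherwise the ivt written and the IV used could differ; state that assumption in a comment. Finally, the diffstat touches only the two classes: the usage described in the commit message should also land in the layer's documentation.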
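As an added pre-release check (my own example, not code from meta-swupdate or from this patch), the following script scans a generated sw-description for the encrypted images' ivt values and reports the failure modes the procedure above can produce: a shared IV, a malformed IV, an image without ivt that will fall back to the key-file IV, and an image whose ivt merely repeats the key-file IV. The sw-description text and the key-file IV are constructed sample data, and the parser is a deliberately loose regex over the libconfig syntax rather than a full parser.

```python
import re
from collections import Counter

# Constructed sw-description fragment (sample data, not from the page's repository).
SW_DESCRIPTION = '''
software = {
  version = "1.0";
  images: (
    { filename = "rootfs-image.ubifs"; encrypted = true; ivt = "e972109190c1b1b0c60615480d9f3a05"; },
    { filename = "kernel-image"; encrypted = true; ivt = "e972109190c1b1b0c60615480d9f3a05"; },
    { filename = "dtb-image"; encrypted = true; ivt = "662c7e7ef64f987d"; },
    { filename = "boot-image"; encrypted = true; ivt = "662c7e7ef64f987d6f039ff116ad1f26"; },
    { filename = "initrd-image"; encrypted = true; }
  );
}
'''
# IV line of the device-side AES key file (constructed value).
KEYFILE_IV = "662c7e7ef64f987d6f039ff116ad1f26"

BLOCK_RE = re.compile(r'\{([^{}]*)\}')          # innermost { ... } blocks only
HEX32_RE = re.compile(r'^[0-9a-fA-F]{32}$')       # 16-byte IV as hex, what token_hex(16) yields

def parse_encrypted_images(text):
    """Return [(filename, ivt-or-None)] for every image block that has encrypted = true."""
    images = []
    for block in BLOCK_RE.findall(text):
        name = re.search(r'filename\s*=\s*"([^"]+)"', block)
        if not name or not re.search(r'encrypted\s*=\s*true', block):
            continue
        ivt = re.search(r'ivt\s*=\s*"([^"]*)"', block)
        images.append((name.group(1), ivt.group(1) if ivt else None))
    return images

def check_ivs(text, keyfile_iv):
    """Return (filename, problem) findings; an empty list means every IV is well-formed and unique."""
    images = parse_encrypted_images(text)
    seen = Counter(iv.lower() for _, iv in images if iv)
    findings = []
    for name, iv in images:
        if iv is None:
            findings.append((name, "no ivt, key-file IV will be reused"))
            continue
        if not HEX32_RE.match(iv):
            findings.append((name, "ivt is not 16 bytes of hex"))
        if seen[iv.lower()] > 1:
            findings.append((name, "ivt shared with another image"))
        if iv.lower() == keyfile_iv.lower():
            findings.append((name, "ivt equals the key-file IV"))
    return findings

if __name__ == "__main__":
    for name, problem in check_ivs(SW_DESCRIPTION, KEYFILE_IV):
        print("%s: %s" % (name, problem))
```

Run it against the sw-description in the staging directory before the SWU is signed; an empty result is the expected state when every image got a fresh IV.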