From patchwork Thu Apr 5 13:56:36 2018
X-Patchwork-Submitter: Vincent DEHORS
X-Patchwork-Id: 895395
From: Vincent Dehors
To: swupdate@googlegroups.com
Cc: Vincent Dehors, Astree Mendoza, Christophe Barbe
Subject: [swupdate] [meta-swupdate][PATCH] Support for image encryption
Date: Thu, 5 Apr 2018 15:56:36 +0200
Message-Id: <20180405135636.20560-1-vincent.dehors@smile.fr>
X-Mailer: git-send-email 2.11.0

This commit allows image files to be encrypted automatically by setting the following variables in bundle recipes:

SWUPDATE_ENCRYPT = "AES-CBC"
SWUPDATE_ENCRYPT_KEY = "[path to the symmetric key]"
SWUPDATE_ENCRYPT_FILES[image-name] = "1"

The encryption key is the same file as described in the documentation, containing the hex-encoded key, iv and salt.

In the sw-description file, the encrypted image must have 'encrypted = true'.

The '.enc' extension is automatically added, so filenames in sw-description should end with ".enc" and the ones in the Yocto recipe should not.

Note that, with this implementation, additional files set in SRC_URI cannot be encrypted.

Signed-off-by: Vincent Dehors
Cc: Astree Mendoza
Cc: Christophe Barbe
---
 classes/swupdate.bbclass | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 02db631..570ef3e 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -64,6 +64,23 @@ def swupdate_getdepends(d): depstr += " " + dep + ":do_build" return depstr +def swupdate_encrypt_aes_cbc(s, clearfile, encryptedfile, encryption_key): + infile = os.path.join(s, clearfile) + outfile = os.path.join(s, encryptedfile) + + with open(encryption_key, 'r') as f: + keys_part = f.read().split(" ") + + enccmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % ( + infile, + outfile, + keys_part[0], + keys_part[1], + keys_part[2]) + + if os.system(enccmd) != 0: + bb.fatal("Failed to encrypt file %s with %s" % (clearfile, encryption_key)) + IMGDEPLOYDIR = "${WORKDIR}/deploy-${PN}-swuimage" do_swuimage[dirs] = "${TOPDIR}" @@ -96,6 +113,7 @@ python do_swuimage () { workdir = d.getVar('WORKDIR', True) images = (d.getVar('SWUPDATE_IMAGES', True) or "").split() + encryption = d.getVar('SWUPDATE_ENCRYPT', True) s = d.getVar('S', True) shutil.copyfile(os.path.join(workdir, "sw-description"), os.path.join(s, "sw-description")) fetch = bb.fetch2.Fetch([], d) @@ -134,6 +152,20 @@ python do_swuimage () { src = os.path.join(deploydir, "%s" % imagename) dst = os.path.join(s, "%s" % imagename) shutil.copyfile(src, dst) + + if encryption == "AES-CBC": + need_encryption = d.getVarFlag("SWUPDATE_ENCRYPT_FILES", image, True) + if need_encryption == "1": + encryption_key = d.getVar("SWUPDATE_ENCRYPT_KEY", True) + if not encryption_key: + bb.fatal("SWUPDATE_ENCRYPT_KEY isn't set") + if not os.path.exists(encryption_key): + bb.fatal("SWUPDATE_ENCRYPT_KEY %s doesn't exist" % (encryption_key)) + clearfile = imagename + encryptedfile = imagename + '.enc' + swupdate_encrypt_aes_cbc(s, clearfile, encryptedfile, encryption_key) + imagename = encryptedfile + list_for_cpio.append(imagename) for file in list_for_cpio:
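Review bot: in the first hunk, `enccmd` in swupdate_encrypt_aes_cbc interpolates two filesystem paths and three secret values into a shell string run through `os.system`, so a path containing a single quote breaks the quoting and, more importantly, the key, IV and salt from `keys_part` are visible to every local user in the openssl process's argument list while it runs; prefer `subprocess.run([...], check=True)` with an argument list so quoting is not an issue, and say in the commit message that `-K`, `-iv` and `-S` expose the key material in `ps` on the build host. Two smaller points: `f.read().split(" ")` leaves a trailing newline on `keys_part[2]` when the key file ends with one, and a key file with fewer than three fields raises an IndexError instead of a readable error; use `f.read().split()` and check `len(keys_part) == 3` with a `bb.fatal` message. Finally, the command hard-codes `-aes-256-cbc` while the variable is spelled `"AES-CBC"`, so the documentation should state that the key file must hold a 256-bit key.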
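Review bot: in the second hunk, `encryption` is read but only ever compared with the literal `"AES-CBC"` later on, so a typo such as `SWUPDATE_ENCRYPT = "aes-cbc"` or any other unsupported value silently produces an unencrypted bundle; reject unknown non-empty values right after the `getVar`, e.g. `if encryption and encryption != "AES-CBC": bb.fatal("Unsupported SWUPDATE_ENCRYPT value %s" % encryption)`, so the failure happens at build time rather than at install time.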
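Review bot: in the third hunk, the flag lookup `d.getVarFlag("SWUPDATE_ENCRYPT_FILES", image, True)` keys on `image`, while every filename in this block is built from `imagename`; the commit message only says `SWUPDATE_ENCRYPT_FILES[image-name]`, so please document which of the two names users must put in the flag, since a mismatch means the image is silently left in clear while sw-description expects the `.enc` name. Also worth stating: the cleartext copy at `dst` remains in `${S}` after `swupdate_encrypt_aes_cbc` has produced the `.enc` file (only the `.enc` name is appended to `list_for_cpio`), and because every flagged image is encrypted with the single key/IV pair read from SWUPDATE_ENCRYPT_KEY, two images that share leading blocks produce identical leading ciphertext blocks; the latter is inherent to the documented key-file format, but the commit message should mention it.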