On Wed, 20 Nov 2024 at 03:09, Paul HENRYS <[email protected]> wrote: > > Test the property 'fit,keys-directory' which, when a cipher node is > present, encrypts the data stored in the FIT. > > Signed-off-by: Paul HENRYS <[email protected]> > --- > Changes for v3: > - Write out IV in full for clarity as requested > - Do not replace the null byte but use fdt_util.GetString() instead > - Adapt the tests for the FIT data encryption to create a file with the > content > of the AES key in the working directory and pass the path to binman > > tools/binman/ftest.py | 45 +++++++++++++++ > tools/binman/test/343_fit_encrypt_data.dts | 53 ++++++++++++++++++ > .../test/344_fit_encrypt_data_no_key.dts | 53 ++++++++++++++++++ > tools/binman/test/aes256.bin | Bin 0 -> 32 bytes > 4 files changed, 151 insertions(+) > create mode 100644 tools/binman/test/343_fit_encrypt_data.dts > create mode 100644 tools/binman/test/344_fit_encrypt_data_no_key.dts > create mode 100644 tools/binman/test/aes256.bin
Reviewed-by: Simon Glass <[email protected]> > > diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py > index adab65e579..b19b0cc5b3 100644 > --- a/tools/binman/ftest.py > +++ b/tools/binman/ftest.py > @@ -7900,5 +7900,50 @@ fdt fdtmap Extract the > devicetree blob from the fdtmap > extra_indirs=[test_subdir])[0] > > > + def testSimpleFitEncryptedData(self): > + """Test an image with a FIT containing data to be encrypted""" > + data = tools.read_file(self.TestFile("aes256.bin")) > + self._MakeInputFile("keys/aes256.bin", data) > + > + keys_subdir = os.path.join(self._indir, "keys") > + data = self._DoReadFileDtb( > + '343_fit_encrypt_data.dts', > + extra_indirs=[keys_subdir])[0] > + > + fit = fdt.Fdt.FromData(data) > + fit.Scan() > + > + # Extract the encrypted data and the Initialization Vector from the > FIT > + node = fit.GetNode('/images/u-boot') > + subnode = fit.GetNode('/images/u-boot/cipher') > + data_size_unciphered = > int.from_bytes(fit.GetProps(node)['data-size-unciphered'].bytes, > + byteorder='big') > + self.assertEqual(data_size_unciphered, len(U_BOOT_NODTB_DATA)) > + > + # Retrieve the key name from the FIT removing any null byte > + key_name = > fit.GetProps(subnode)['key-name-hint'].bytes.replace(b'\x00', b'') > + with open(self.TestFile(key_name.decode('ascii') + '.bin'), 'rb') as > file: > + key = file.read() > + iv = fit.GetProps(subnode)['iv'].bytes.hex() > + enc_data = fit.GetProps(node)['data'].bytes > + outdir = tools.get_output_dir() > + enc_data_file = os.path.join(outdir, 'encrypted_data.bin') > + tools.write_file(enc_data_file, enc_data) > + data_file = os.path.join(outdir, 'data.bin') > + > + # Decrypt the encrypted data from the FIT and compare the data > + tools.run('openssl', 'enc', '-aes-256-cbc', '-nosalt', '-d', '-in', > + enc_data_file, '-out', data_file, '-K', key.hex(), '-iv', > iv) > + with open(data_file, 'r') as file: > + dec_data = file.read() > + self.assertEqual(U_BOOT_NODTB_DATA, dec_data.encode('ascii')) > + > + def testSimpleFitEncryptedDataMissingKey(self): > + """Test an image with a FIT containing data to be encrypted but with > a missing key""" > + with self.assertRaises(ValueError) as e: > + self._DoReadFile('344_fit_encrypt_data_no_key.dts') > + > + self.assertIn("Filename 'aes256.bin' not found in input path", > str(e.exception)) > + > if __name__ == "__main__": > unittest.main() > diff --git a/tools/binman/test/343_fit_encrypt_data.dts > b/tools/binman/test/343_fit_encrypt_data.dts > new file mode 100644 > index 0000000000..90e504979b > --- /dev/null > +++ b/tools/binman/test/343_fit_encrypt_data.dts > @@ -0,0 +1,53 @@ > +// SPDX-License-Identifier: GPL-2.0+ > + > +/dts-v1/; > + > +/ { > + #address-cells = <1>; > + #size-cells = <1>; > + > + binman { > + fit { > + fit,keys-directory; > + description = "Test a FIT with encrypted data"; > + #address-cells = <1>; > + > + images { > + u-boot { > + description = "U-Boot"; > + type = "firmware"; > + arch = "arm64"; > + os = "U-Boot"; > + compression = "none"; > + load = <00000000>; > + entry = <00000000>; > + cipher { > + algo = "aes256"; > + key-name-hint = "aes256"; > + }; > + u-boot-nodtb { > + }; > + }; > + fdt-1 { > + description = "Flattened Device Tree > blob"; > + type = "flat_dt"; > + arch = "arm64"; > + compression = "none"; > + cipher { > + algo = "aes256"; > + key-name-hint = "aes256"; > + }; > + }; > + }; > + > + configurations { > + default = "conf-1"; > + conf-1 { > + description = "Boot U-Boot with FDT > blob"; > + firmware = "u-boot"; > + fdt = "fdt-1"; > + }; > + }; > + }; > + }; > +}; > diff --git a/tools/binman/test/344_fit_encrypt_data_no_key.dts > b/tools/binman/test/344_fit_encrypt_data_no_key.dts > new file mode 100644 > index 0000000000..90e504979b > --- /dev/null > +++ b/tools/binman/test/344_fit_encrypt_data_no_key.dts > @@ -0,0 +1,53 @@ > +// SPDX-License-Identifier: GPL-2.0+ > + > +/dts-v1/; > + > +/ { > + #address-cells = <1>; > + #size-cells = <1>; > + > + binman { > + fit { > + fit,keys-directory; > + description = "Test a FIT with encrypted data"; > + #address-cells = <1>; > + > + images { > + u-boot { > + description = "U-Boot"; > + type = "firmware"; > + arch = "arm64"; > + os = "U-Boot"; > + compression = "none"; > + load = <00000000>; > + entry = <00000000>; > + cipher { > + algo = "aes256"; > + key-name-hint = "aes256"; > + }; > + u-boot-nodtb { > + }; > + }; > + fdt-1 { > + description = "Flattened Device Tree > blob"; > + type = "flat_dt"; > + arch = "arm64"; > + compression = "none"; > + cipher { > + algo = "aes256"; > + key-name-hint = "aes256"; > + }; > + }; > + }; > + > + configurations { > + default = "conf-1"; > + conf-1 { > + description = "Boot U-Boot with FDT > blob"; > + firmware = "u-boot"; > + fdt = "fdt-1"; > + }; > + }; > + }; > + }; > +}; > diff --git a/tools/binman/test/aes256.bin b/tools/binman/test/aes256.bin > new file mode 100644 > index > 0000000000000000000000000000000000000000..09b8bf6254ada5c084039f32916bc7d30233bb2c > GIT binary patch > literal 32 > ncmXpsGBz<aGq<obNK8sjNli=7$jr*l$<50zC@d;2DJ=s4pC}7U > > literal 0 > HcmV?d00001 > > -- > 2.43.0 [..]
