From: Paul HENRYS <[email protected]>

This test is added to exercise an issue currently faced with binman.
Binman calls mkimage multiple times and thus generates the FIT multiple
times, and the last call happens after the preload header has been
generated. When encrypting the image with a random IV, or if the timestamp
in the FIT has changed between the last two calls of mkimage, the preload
header would not sign the correct data, leading to a corrupted image.

Signed-off-by: Paul HENRYS <[email protected]>
---
 tools/binman/ftest.py                         | 17 +++++
 .../test/336_pre_load_fit_encrypted.dts       | 63 +++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 tools/binman/test/336_pre_load_fit_encrypted.dts

diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index fa174900014..6f3b5dc0d26 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -5870,6 +5870,23 @@ fdt         fdtmap                Extract the devicetree 
blob from the fdtmap
             data = self._DoReadFileDtb('236_pre_load_invalid_key.dts',
                                        entry_args=entry_args)
 
+    def testPreLoadEncryptedFit(self):
+        """Test an encrypted FIT image with a pre-load header"""
+        entry_args = {
+            'pre-load-key-path': os.path.join(self._binman_dir, 'test'),
+        }
+        data = self._DoReadFileDtb(
+            '336_pre_load_fit_encrypted.dts', entry_args=entry_args,
+            extra_indirs=[os.path.join(self._binman_dir, 'test')])[0]
+
+        image_fname = tools.get_output_filename('image.bin')
+        is_signed = self._CheckPreload(image_fname, self.TestFile("dev.key"))
+
+        self.assertEqual(PRE_LOAD_MAGIC, data[:len(PRE_LOAD_MAGIC)])
+        self.assertEqual(PRE_LOAD_VERSION, data[4:4 + len(PRE_LOAD_VERSION)])
+        self.assertEqual(PRE_LOAD_HDR_SIZE, data[8:8 + len(PRE_LOAD_HDR_SIZE)])
+        self.assertEqual(is_signed, True)
+
     def _CheckSafeUniqueNames(self, *images):
         """Check all entries of given images for unsafe unique names"""
         for image in images:
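Review bot: The docstring on `testPreLoadEncryptedFit` does not say what the test guards against, so a reader of the hunk cannot tell why an encrypted FIT needs its own pre-load test; the commit message explains that binman runs mkimage again after the pre-load header is built, and with `fit,encrypt` the regenerated FIT differs (random IV), so the signature has to be verified against the final image. A docstring such as `"""Test that the pre-load header signs the final content of an encrypted FIT, which binman regenerates after the header is created"""` would carry that reasoning into the test itself. The last check `self.assertEqual(is_signed, True)` reads better as `self.assertTrue(is_signed)`, and `self.TestFile("dev.key")` uses double quotes where the neighbouring lines use single quotes. Whether the AES key that mkimage derives from the fixture's `key-name-hint` already exists in the test directory passed through `extra_indirs` is not visible in this patch; if it is missing, the test fails inside mkimage before `_CheckPreload` runs, which would hide the signature check this test is meant to exercise.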
diff --git a/tools/binman/test/336_pre_load_fit_encrypted.dts 
b/tools/binman/test/336_pre_load_fit_encrypted.dts
new file mode 100644
index 00000000000..f5e9bf9426c
--- /dev/null
+++ b/tools/binman/test/336_pre_load_fit_encrypted.dts
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+       #address-cells = <1>;
+       #size-cells = <1>;
+
+       binman {
+               pre-load {
+                       content = <&image>;
+                       algo-name = "sha256,rsa2048";
+                       key-name = "dev.key";
+                       header-size = <4096>;
+                       version = <0x11223344>;
+               };
+
+               image: fit {
+                       fit,encrypt;
+                       description = "Test a FIT with encrypted data and 
signed with a preload";
+                       #address-cells = <1>;
+
+                       images {
+                               u-boot {
+                                       description = "U-Boot";
+                                       type = "firmware";
+                                       arch = "arm64";
+                                       os = "U-Boot";
+                                       compression = "none";
+                                       load = <00000000>;
+                                       entry = <00000000>;
+                                       cipher {
+                                               algo = "aes256";
+                                               key-name-hint = "aes256";
+                                       };
+                                       u-boot-nodtb {
+                                       };
+                               };
+                               fdt-1 {
+                                       description = "Flattened Device Tree 
blob";
+                                       type = "flat_dt";
+                                       arch = "arm64";
+                                       compression = "none";
+                                       cipher {
+                                               algo = "aes256";
+                                               key-name-hint = "aes256";
+                                       };
+                                       u-boot-dtb {
+                                       };
+                               };
+                       };
+
+                       configurations {
+                               default = "conf-1";
+                               conf-1 {
+                                       description = "Boot U-Boot with FDT 
blob";
+                                       firmware = "u-boot";
+                                       fdt = "fdt-1";
+                               };
+                       };
+               };
+       };
+};
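Review bot: `load = <00000000>;` and `entry = <00000000>;` are octal literals in dtc because of the leading zero; they evaluate to 0, but they look like a hex address was intended, and `<0x0>` states the value plainly. If the other binman FIT fixtures spell it the same way, keeping it for consistency is reasonable. The `description` strings on the wrapped lines of this hunk appear split by the mailer rather than in the source, so the file as applied should be checked to contain them on one line.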
-- 
2.25.1
