* [PATCH] scripte: mxsimage: Allow unencrypted images
@ 2018-06-18 13:35 Sascha Hauer
2018-06-18 13:39 ` Roland Hieber
0 siblings, 1 reply; 2+ messages in thread
From: Sascha Hauer @ 2018-06-18 13:35 UTC (permalink / raw)
To: Barebox List; +Cc: rhi
Normally MXS SoCs only allow to boot images which have been
encrypted with a zero key. If the ENABLE_UNENCTRYPTED_BOOT fuse
is blown then the SoC also allows to boot unencrypted images.
Add an option to the mxsimage tool to generate such images.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
scripts/mxsimage.c | 53 +++++++++++++++++++++++++++++-----------------
1 file changed, 33 insertions(+), 20 deletions(-)
diff --git a/scripts/mxsimage.c b/scripts/mxsimage.c
index 5c2c3079de..8a63d76939 100644
--- a/scripts/mxsimage.c
+++ b/scripts/mxsimage.c
@@ -337,6 +337,7 @@ struct sb_image_ctx {
/* Image configuration */
unsigned int verbose_boot:1;
unsigned int silent_dump:1;
+ unsigned int encrypted:1;
const char *input_filename;
const char *output_filename;
const char *cfg_filename;
@@ -484,6 +485,12 @@ static int sb_aes_crypt(struct sb_image_ctx *ictx, uint8_t *in_data,
int ret, outlen;
uint8_t *outbuf;
+ if (!ictx->encrypted) {
+ if (out_data && in_data != out_data)
+ memcpy(out_data, in_data, in_len);
+ return 0;
+ }
+
outbuf = malloc(in_len);
if (!outbuf)
return -ENOMEM;
@@ -645,7 +652,8 @@ static int sb_encrypt_image(struct sb_image_ctx *ictx)
* Key dictionary.
*/
sb_aes_reinit(ictx, 1);
- sb_encrypt_key_dictionary_key(ictx);
+ if (ictx->encrypted)
+ sb_encrypt_key_dictionary_key(ictx);
/*
* Section tags.
@@ -1609,10 +1617,10 @@ static int sb_prefill_image_header(struct sb_image_ctx *ictx)
hdr->timestamp_us = sb_get_timestamp() * 1000000;
/* FIXME -- add proper config option */
- hdr->flags = ictx->verbose_boot ? SB_IMAGE_FLAG_VERBOSE : 0,
+ hdr->flags = ictx->verbose_boot ? SB_IMAGE_FLAG_VERBOSE : 0;
/* FIXME -- We support only default key */
- hdr->key_count = 1;
+ hdr->key_count = ictx->encrypted ? 1 : 0;
return 0;
}
@@ -2450,7 +2458,7 @@ static int sb_build_image(struct sb_image_ctx *ictx)
/* Calculate image size. */
uint32_t size = sizeof(*sb_header) +
ictx->sect_count * sizeof(struct sb_sections_header) +
- sizeof(*sb_dict_key) + sizeof(ictx->digest);
+ sizeof(*sb_dict_key) * sb_header->key_count + sizeof(ictx->digest);
sctx = ictx->sect_head;
while (sctx) {
@@ -2473,8 +2481,10 @@ static int sb_build_image(struct sb_image_ctx *ictx)
sctx = sctx->sect;
};
- memcpy(iptr, sb_dict_key, sizeof(*sb_dict_key));
- iptr += sizeof(*sb_dict_key);
+ if (ictx->encrypted) {
+ memcpy(iptr, sb_dict_key, sizeof(*sb_dict_key));
+ iptr += sizeof(*sb_dict_key);
+ }
sctx = ictx->sect_head;
while (sctx) {
@@ -2516,27 +2526,20 @@ static int sb_build_image(struct sb_image_ctx *ictx)
return 0;
}
-static int mxsimage_generate(const char *configfile, const char *imagefile)
+static int mxsimage_generate(struct sb_image_ctx *ctx)
{
int ret;
- struct sb_image_ctx ctx;
-
- memset(&ctx, 0, sizeof(ctx));
- ctx.cfg_filename = configfile;
- ctx.output_filename = imagefile;
- ctx.verbose_boot = 1;
-
- ret = sb_build_tree_from_cfg(&ctx);
+ ret = sb_build_tree_from_cfg(ctx);
if (ret)
goto fail;
- ret = sb_encrypt_image(&ctx);
+ ret = sb_encrypt_image(ctx);
if (!ret)
- ret = sb_build_image(&ctx);
+ ret = sb_build_image(ctx);
fail:
- sb_free_image(&ctx);
+ sb_free_image(ctx);
return ret;
}
@@ -2546,8 +2549,12 @@ int main(int argc, char *argv[])
int ret;
int opt;
char *configfile = NULL, *outfile = NULL, *verify = NULL;
+ struct sb_image_ctx ctx = {
+ .encrypted = 1,
+ .verbose_boot = 1,
+ };
- while ((opt = getopt(argc, argv, "p:b:c:o:v:")) != -1) {
+ while ((opt = getopt(argc, argv, "p:b:c:o:v:u")) != -1) {
switch (opt) {
case 'p':
prepfile = optarg;
@@ -2564,6 +2571,9 @@ int main(int argc, char *argv[])
case 'v':
verify = optarg;
break;
+ case 'u':
+ ctx.encrypted = 0;
+ break;
default:
exit(1);
}
@@ -2587,7 +2597,10 @@ int main(int argc, char *argv[])
exit(1);
}
- ret = mxsimage_generate(configfile, outfile);
+ ctx.cfg_filename = configfile;
+ ctx.output_filename = outfile;
+
+ ret = mxsimage_generate(&ctx);
if (ret)
exit(1);
--
2.17.1
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] scripte: mxsimage: Allow unencrypted images
2018-06-18 13:35 [PATCH] scripte: mxsimage: Allow unencrypted images Sascha Hauer
@ 2018-06-18 13:39 ` Roland Hieber
0 siblings, 0 replies; 2+ messages in thread
From: Roland Hieber @ 2018-06-18 13:39 UTC (permalink / raw)
To: Sascha Hauer; +Cc: Barebox List
In the subject: s/scripte/scripts/.
Otherwise:
Tested-by: Roland Hieber <r.hieber@pengutronix.de>
On Mon, Jun 18, 2018 at 03:35:51PM +0200, Sascha Hauer wrote:
> Normally MXS SoCs only allow to boot images which have been
> encrypted with a zero key. If the ENABLE_UNENCTRYPTED_BOOT fuse
> is blown then the SoC also allows to boot unencrypted images.
> Add an option to the mxsimage tool to generate such images.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> scripts/mxsimage.c | 53 +++++++++++++++++++++++++++++-----------------
> 1 file changed, 33 insertions(+), 20 deletions(-)
>
> diff --git a/scripts/mxsimage.c b/scripts/mxsimage.c
> index 5c2c3079de..8a63d76939 100644
> --- a/scripts/mxsimage.c
> +++ b/scripts/mxsimage.c
> @@ -337,6 +337,7 @@ struct sb_image_ctx {
> /* Image configuration */
> unsigned int verbose_boot:1;
> unsigned int silent_dump:1;
> + unsigned int encrypted:1;
> const char *input_filename;
> const char *output_filename;
> const char *cfg_filename;
> @@ -484,6 +485,12 @@ static int sb_aes_crypt(struct sb_image_ctx *ictx, uint8_t *in_data,
> int ret, outlen;
> uint8_t *outbuf;
>
> + if (!ictx->encrypted) {
> + if (out_data && in_data != out_data)
> + memcpy(out_data, in_data, in_len);
> + return 0;
> + }
> +
> outbuf = malloc(in_len);
> if (!outbuf)
> return -ENOMEM;
> @@ -645,7 +652,8 @@ static int sb_encrypt_image(struct sb_image_ctx *ictx)
> * Key dictionary.
> */
> sb_aes_reinit(ictx, 1);
> - sb_encrypt_key_dictionary_key(ictx);
> + if (ictx->encrypted)
> + sb_encrypt_key_dictionary_key(ictx);
>
> /*
> * Section tags.
> @@ -1609,10 +1617,10 @@ static int sb_prefill_image_header(struct sb_image_ctx *ictx)
> hdr->timestamp_us = sb_get_timestamp() * 1000000;
>
> /* FIXME -- add proper config option */
> - hdr->flags = ictx->verbose_boot ? SB_IMAGE_FLAG_VERBOSE : 0,
> + hdr->flags = ictx->verbose_boot ? SB_IMAGE_FLAG_VERBOSE : 0;
>
> /* FIXME -- We support only default key */
> - hdr->key_count = 1;
> + hdr->key_count = ictx->encrypted ? 1 : 0;
>
> return 0;
> }
> @@ -2450,7 +2458,7 @@ static int sb_build_image(struct sb_image_ctx *ictx)
> /* Calculate image size. */
> uint32_t size = sizeof(*sb_header) +
> ictx->sect_count * sizeof(struct sb_sections_header) +
> - sizeof(*sb_dict_key) + sizeof(ictx->digest);
> + sizeof(*sb_dict_key) * sb_header->key_count + sizeof(ictx->digest);
>
> sctx = ictx->sect_head;
> while (sctx) {
> @@ -2473,8 +2481,10 @@ static int sb_build_image(struct sb_image_ctx *ictx)
> sctx = sctx->sect;
> };
>
> - memcpy(iptr, sb_dict_key, sizeof(*sb_dict_key));
> - iptr += sizeof(*sb_dict_key);
> + if (ictx->encrypted) {
> + memcpy(iptr, sb_dict_key, sizeof(*sb_dict_key));
> + iptr += sizeof(*sb_dict_key);
> + }
>
> sctx = ictx->sect_head;
> while (sctx) {
> @@ -2516,27 +2526,20 @@ static int sb_build_image(struct sb_image_ctx *ictx)
> return 0;
> }
>
> -static int mxsimage_generate(const char *configfile, const char *imagefile)
> +static int mxsimage_generate(struct sb_image_ctx *ctx)
> {
> int ret;
> - struct sb_image_ctx ctx;
> -
> - memset(&ctx, 0, sizeof(ctx));
>
> - ctx.cfg_filename = configfile;
> - ctx.output_filename = imagefile;
> - ctx.verbose_boot = 1;
> -
> - ret = sb_build_tree_from_cfg(&ctx);
> + ret = sb_build_tree_from_cfg(ctx);
> if (ret)
> goto fail;
>
> - ret = sb_encrypt_image(&ctx);
> + ret = sb_encrypt_image(ctx);
> if (!ret)
> - ret = sb_build_image(&ctx);
> + ret = sb_build_image(ctx);
>
> fail:
> - sb_free_image(&ctx);
> + sb_free_image(ctx);
>
> return ret;
> }
> @@ -2546,8 +2549,12 @@ int main(int argc, char *argv[])
> int ret;
> int opt;
> char *configfile = NULL, *outfile = NULL, *verify = NULL;
> + struct sb_image_ctx ctx = {
> + .encrypted = 1,
> + .verbose_boot = 1,
> + };
>
> - while ((opt = getopt(argc, argv, "p:b:c:o:v:")) != -1) {
> + while ((opt = getopt(argc, argv, "p:b:c:o:v:u")) != -1) {
> switch (opt) {
> case 'p':
> prepfile = optarg;
> @@ -2564,6 +2571,9 @@ int main(int argc, char *argv[])
> case 'v':
> verify = optarg;
> break;
> + case 'u':
> + ctx.encrypted = 0;
> + break;
> default:
> exit(1);
> }
> @@ -2587,7 +2597,10 @@ int main(int argc, char *argv[])
> exit(1);
> }
>
> - ret = mxsimage_generate(configfile, outfile);
> + ctx.cfg_filename = configfile;
> + ctx.output_filename = outfile;
> +
> + ret = mxsimage_generate(&ctx);
> if (ret)
> exit(1);
>
> --
> 2.17.1
>
>
--
Roland Hieber | r.hieber@pengutronix.de |
Pengutronix e.K. | https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5086 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-06-18 13:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-18 13:35 [PATCH] scripte: mxsimage: Allow unencrypted images Sascha Hauer
2018-06-18 13:39 ` Roland Hieber
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox