Posted to commits@mynewt.apache.org by ut...@apache.org on 2019/10/22 15:15:57 UTC
[mynewt-newt] branch master updated: Add support for hardware
encryption features
This is an automated email from the ASF dual-hosted git repository.
utzig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mynewt-newt.git
The following commit(s) were added to refs/heads/master by this push:
new 98fa82b Add support for hardware encryption features
98fa82b is described below
commit 98fa82b3cb6aa4a5befd942488dc91cea781aaa7
Author: Andy Gross <an...@juul.com>
AuthorDate: Thu Oct 10 15:45:30 2019 -0500
Add support for hardware encryption features
This patch adds a number of features to support the use of hardware
stored encryption keys. Specifically, options to denote header padding,
image padding, hw key index, and AES-256-CTR encryption were added.
Images created using hw encryption keys have two additional TLV types
appended to them. The first is a TLV that stores the nonce used for
AES-256-CTR. The second is a TLV that contains the hw key index used to
decrypt the image.
Signed-off-by: Andy Gross <an...@juul.com>
---
go.mod | 2 +-
go.sum | 4 ++++
newt/cli/image_cmds.go | 19 ++++++++++++++++---
newt/cli/run_cmds.go | 4 ++--
newt/imgprod/imgprod.go | 19 ++++++++++++++++---
newt/imgprod/v1.go | 8 ++++++--
6 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/go.mod b/go.mod
index ffb4d95..153c2d0 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.13
require (
github.com/NickBall/go-aes-key-wrap v0.0.0-20170929221519-1c3aa3e4dfc5
- github.com/apache/mynewt-artifact v0.0.5
+ github.com/apache/mynewt-artifact v0.0.8
github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
github.com/sirupsen/logrus v1.4.2
diff --git a/go.sum b/go.sum
index 85ff05b..bc067d3 100644
--- a/go.sum
+++ b/go.sum
@@ -7,6 +7,10 @@ github.com/apache/mynewt-artifact v0.0.3 h1:760wpGruGSOPjslEo0fgs9PYJ58IAvyjuJqn
github.com/apache/mynewt-artifact v0.0.3/go.mod h1:vFUd47t74KPQMzSBhQ2qp5Hc7D29OU/Tl3xHtFwN3k8=
github.com/apache/mynewt-artifact v0.0.5 h1:MfKbb7wILRUr/Q4UA4AxTkKVDNikyGwzcy2ZXmoS5XI=
github.com/apache/mynewt-artifact v0.0.5/go.mod h1:vFUd47t74KPQMzSBhQ2qp5Hc7D29OU/Tl3xHtFwN3k8=
+github.com/apache/mynewt-artifact v0.0.6 h1:VvIdyo61Im7bvE5EGxByM6NzTaKkoqGQL3t17vyzjfQ=
+github.com/apache/mynewt-artifact v0.0.6/go.mod h1:vFUd47t74KPQMzSBhQ2qp5Hc7D29OU/Tl3xHtFwN3k8=
+github.com/apache/mynewt-artifact v0.0.8 h1:as5qSDTT5httEM1IclQM4XgoF9Wn/lTqeoJxV/PvZFw=
+github.com/apache/mynewt-artifact v0.0.8/go.mod h1:vFUd47t74KPQMzSBhQ2qp5Hc7D29OU/Tl3xHtFwN3k8=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
diff --git a/newt/cli/image_cmds.go b/newt/cli/image_cmds.go
index 7e7f3f2..9c70bf7 100644
--- a/newt/cli/image_cmds.go
+++ b/newt/cli/image_cmds.go
@@ -36,6 +36,9 @@ import (
var useV1 bool
var useV2 bool
var encKeyFilename string
+var encKeyIndex int
+var hdrPad int
+var imagePad int
// @return keys, key ID, error
func parseKeyArgs(args []string) ([]sec.PrivSignKey, uint8, error) {
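Review bot: The three new package-level flag variables are undocumented, and since `encKeyIndex` later gets a default of -1 while the two pad variables default to 0, a reader cannot tell from this hunk which values are sentinels. A short comment per variable would settle it, e.g. `// encKeyIndex is the hardware-stored key slot selected with -H; -1 (the flag default) selects none.` and `// hdrPad / imagePad are the requested padded lengths; 0 (the flag default) requests no padding.` The meaning of the sentinels is inferred from the flag defaults in a later hunk, so confirm it against the image library before committing to the wording.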
@@ -131,9 +134,11 @@ func createImageRunCmd(cmd *cobra.Command, args []string) {
}
if useV1 {
- err = imgprod.ProduceAllV1(b, ver, keys, encKeyFilename)
+ err = imgprod.ProduceAllV1(b, ver, keys, encKeyFilename, encKeyIndex,
+ hdrPad, imagePad)
} else {
- err = imgprod.ProduceAll(b, ver, keys, encKeyFilename)
+ err = imgprod.ProduceAll(b, ver, keys, encKeyFilename, encKeyIndex,
+ hdrPad, imagePad)
}
if err != nil {
NewtUsage(nil, err)
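Review bot: No range check is applied to `encKeyIndex`, `hdrPad` or `imagePad` before they are handed to imgprod.ProduceAll/ProduceAllV1, so a negative pad length, or an `-H` index supplied without `-e`, relies entirely on the image library to reject it (that code is not in this commit). A usage error at this layer is cheaper and gives a clearer message, e.g. `if hdrPad < 0 || imagePad < 0 { NewtUsage(cmd, fmt.Errorf("pad lengths must be non-negative")) }`; whether `-H` is meaningful without a key file is not visible here, so that check depends on what the library expects. createImageRunCmd begins outside this hunk.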
@@ -164,6 +169,8 @@ func AddImageCommands(cmd *cobra.Command) {
createImageHelpEx += " newt create-image my_target1 1.3.0.3 private.pem\n"
createImageHelpEx +=
" newt create-image -2 my_target1 1.3.0.3 private-1.pem private-2.pem\n"
+ createImageHelpEx += " newt create-image my_target1 1.3.0.3 -H 3 -e " +
+ "aes_key\n\n"
createImageCmd := &cobra.Command{
Use: "create-image <target-name> <version> [signing-key-1] " +
@@ -186,7 +193,13 @@ func AddImageCommands(cmd *cobra.Command) {
createImageCmd.PersistentFlags().BoolVarP(&useV2,
"2", "2", false, "Use new image header format (default)")
createImageCmd.PersistentFlags().StringVarP(&encKeyFilename,
- "encrypt", "e", "", "Encrypt image using this public key")
+ "encrypt", "e", "", "Encrypt image using this key")
+ createImageCmd.PersistentFlags().IntVarP(&encKeyIndex,
+ "hw-stored-key", "H", -1, "Hardware stored key index")
+ createImageCmd.PersistentFlags().IntVarP(&hdrPad,
+ "pad-header", "p", 0, "Pad header to this length")
+ createImageCmd.PersistentFlags().IntVarP(&imagePad,
+ "pad-image", "i", 0, "Pad image to this length")
cmd.AddCommand(createImageCmd)
AddTabCompleteFn(createImageCmd, targetList)
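Review bot: The `--pad-header`/`--pad-image` flags default to 0 here, but runRunCmd in the run_cmds.go hunk passes -1 for the same parameters, so the two entry points disagree on the sentinel for "no padding"; unless the image library treats 0 and -1 identically (not visible in this commit), pick one value and use it in both places. The `-H` default of -1 also belongs in its help string, e.g. `"hw-stored-key", "H", -1, "Hardware stored key index (-1: none)"`. The `-e` help now reads "Encrypt image using this key" while the new example passes `aes_key`, which suggests the file may now hold symmetric key material rather than a public key; stating the accepted key formats in the help text would keep users from handing the tool the wrong kind of key file.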
diff --git a/newt/cli/run_cmds.go b/newt/cli/run_cmds.go
index f2e4696..19cdfd4 100644
--- a/newt/cli/run_cmds.go
+++ b/newt/cli/run_cmds.go
@@ -105,9 +105,9 @@ func runRunCmd(cmd *cobra.Command, args []string) {
}
if useV1 {
- err = imgprod.ProduceAllV1(b, ver, keys, "")
+ err = imgprod.ProduceAllV1(b, ver, keys, "", -1, -1, -1)
} else {
- err = imgprod.ProduceAll(b, ver, keys, "")
+ err = imgprod.ProduceAll(b, ver, keys, "", -1, -1, -1)
}
if err != nil {
NewtUsage(nil, err)
diff --git a/newt/imgprod/imgprod.go b/newt/imgprod/imgprod.go
index 93519fc..d784b58 100644
--- a/newt/imgprod/imgprod.go
+++ b/newt/imgprod/imgprod.go
@@ -44,9 +44,12 @@ type ImageProdOpts struct {
AppDstFilename string
AppHexFilename string
EncKeyFilename string
+ EncKeyIndex int
Version image.ImageVersion
SigKeys []sec.PrivSignKey
BaseAddr int
+ HdrPad int
+ ImagePad int
DummyC *toolchain.Compiler
}
@@ -95,6 +98,7 @@ func produceLoader(opts ImageProdOpts) (ProducedImage, error) {
igo := image.ImageCreateOpts{
SrcBinFilename: opts.LoaderSrcFilename,
SrcEncKeyFilename: opts.EncKeyFilename,
+ SrcEncKeyIndex: opts.EncKeyIndex,
Version: opts.Version,
SigKeys: opts.SigKeys,
}
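Review bot: produceLoader forwards only `SrcEncKeyIndex` into image.ImageCreateOpts, whereas produceApp in the next hunk also sets `HdrPad: opts.HdrPad,` and `ImagePad: opts.ImagePad,`, so a `--pad-header`/`--pad-image` request is silently dropped for the loader image. If loader padding is intentionally unsupported, a one-line comment here saying so would stop the next reader from "fixing" it; otherwise the two lines should be added here as well. The body of produceLoader continues outside this hunk.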
@@ -137,9 +141,12 @@ func produceApp(opts ImageProdOpts, loaderHash []byte) (ProducedImage, error) {
igo := image.ImageCreateOpts{
SrcBinFilename: opts.AppSrcFilename,
SrcEncKeyFilename: opts.EncKeyFilename,
+ SrcEncKeyIndex: opts.EncKeyIndex,
Version: opts.Version,
SigKeys: opts.SigKeys,
LoaderHash: loaderHash,
+ HdrPad: opts.HdrPad,
+ ImagePad: opts.ImagePad,
}
ri, err := image.GenerateImage(igo)
@@ -256,7 +263,8 @@ func ProduceManifest(opts manifest.ManifestCreateOpts) error {
}
func OptsFromTgtBldr(b *builder.TargetBuilder, ver image.ImageVersion,
- sigKeys []sec.PrivSignKey, encKeyFilename string) (ImageProdOpts, error) {
+ sigKeys []sec.PrivSignKey, encKeyFilename string, encKeyIndex int,
+ hdrPad int, imagePad int) (ImageProdOpts, error) {
// This compiler is just used for converting .img files to .hex files, so
// dummy paths are OK.
@@ -274,10 +282,13 @@ func OptsFromTgtBldr(b *builder.TargetBuilder, ver image.ImageVersion,
AppDstFilename: b.AppBuilder.AppImgPath(),
AppHexFilename: b.AppBuilder.AppHexPath(),
EncKeyFilename: encKeyFilename,
+ EncKeyIndex: encKeyIndex,
Version: ver,
SigKeys: sigKeys,
DummyC: c,
BaseAddr: baseAddr,
+ HdrPad: hdrPad,
+ ImagePad: imagePad,
}
if b.LoaderBuilder != nil {
@@ -290,9 +301,11 @@ func OptsFromTgtBldr(b *builder.TargetBuilder, ver image.ImageVersion,
}
func ProduceAll(t *builder.TargetBuilder, ver image.ImageVersion,
- sigKeys []sec.PrivSignKey, encKeyFilename string) error {
+ sigKeys []sec.PrivSignKey, encKeyFilename string, encKeyIndex int,
+ hdrPad int, imagePad int) error {
- popts, err := OptsFromTgtBldr(t, ver, sigKeys, encKeyFilename)
+ popts, err := OptsFromTgtBldr(t, ver, sigKeys, encKeyFilename, encKeyIndex,
+ hdrPad, imagePad)
if err != nil {
return err
}
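Review bot: ProduceAll now takes seven positional parameters, three of them adjacent ints, and the run_cmds.go call site `imgprod.ProduceAll(b, ver, keys, "", -1, -1, -1)` shows how little the call tells a reader about which int is which. Since ImageProdOpts already has fields for all of these, a later cleanup could accept a small options value instead of growing the parameter list further; for now a doc comment on ProduceAll stating the order and sentinels (`// encKeyIndex: hardware key slot or -1; hdrPad/imagePad: padded lengths or 0 for none`) would help. The rest of ProduceAll is outside this hunk.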
diff --git a/newt/imgprod/v1.go b/newt/imgprod/v1.go
index e426ef9..aa1f887 100644
--- a/newt/imgprod/v1.go
+++ b/newt/imgprod/v1.go
@@ -50,6 +50,7 @@ func produceLoaderV1(opts ImageProdOpts) (ProducedImageV1, error) {
igo := image.ImageCreateOpts{
SrcBinFilename: opts.LoaderSrcFilename,
SrcEncKeyFilename: opts.EncKeyFilename,
+ SrcEncKeyIndex: opts.EncKeyIndex,
Version: opts.Version,
SigKeys: opts.SigKeys,
}
@@ -101,6 +102,7 @@ func produceAppV1(opts ImageProdOpts,
igo := image.ImageCreateOpts{
SrcBinFilename: opts.AppSrcFilename,
SrcEncKeyFilename: opts.EncKeyFilename,
+ SrcEncKeyIndex: opts.EncKeyIndex,
Version: opts.Version,
SigKeys: opts.SigKeys,
LoaderHash: loaderHash,
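Review bot: produceAppV1 sets `SrcEncKeyIndex` but not `HdrPad`/`ImagePad`, unlike produceApp in imgprod.go, yet ProduceAllV1 in the last hunk now accepts `hdrPad`/`imagePad` and forwards them into ImageProdOpts, so with `-1` a v1 build silently ignores padding the caller asked for. If v1 images do not support padding, ProduceAllV1 should reject non-default pad values with an error rather than accept and drop them; if they do, add `HdrPad: opts.HdrPad,` and `ImagePad: opts.ImagePad,` here. The remainder of produceAppV1 is outside this hunk, so this is based on the visible ImageCreateOpts literal only.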
@@ -206,9 +208,11 @@ func ProduceImagesV1(opts ImageProdOpts) (ProducedImageSetV1, error) {
}
func ProduceAllV1(t *builder.TargetBuilder, ver image.ImageVersion,
- sigKeys []sec.PrivSignKey, encKeyFilename string) error {
+ sigKeys []sec.PrivSignKey, encKeyFilename string, encKeyIndex int,
+ hdrPad int, imagePad int) error {
- popts, err := OptsFromTgtBldr(t, ver, sigKeys, encKeyFilename)
+ popts, err := OptsFromTgtBldr(t, ver, sigKeys, encKeyFilename, encKeyIndex,
+ hdrPad, imagePad)
if err != nil {
return err
}