Hi Philippe,
On Fri, Sep 11, 2020 at 2:08 AM Philippe REYNES
wrote:
>
> Hi Patrick,
>
> Sorry for the late answer, I was very busy in the beginning of September
No problem at all. I have a product deadline at the end of September
rapidly approaching so I am also extremely busy at the moment.
>
On Tue, Aug 25, 2020 at 1:57 AM Philippe REYNES
wrote:
>
> I agree that IV should be set in the FIT.
>
> So in the dts, we may have:
> cipher {
> algo = "aes256";
> key-name-hint = "aeskey";
> iv = "aesiv";
> };
> or (I propose):
>
back before proposing any patches for the
> > remaining issues.
> >
> > On Fri, Jul 24, 2020 at 12:06 PM Patrick Oppenlander
> > wrote:
> >>
> >> Issue #1
> >>
> >>
> >> Currently, mkimage treats the IV in the same ma
Hi Simon & Philippe,
I've been thinking about this some more and have added a few points
below. I will need feedback before proposing any patches for the
remaining issues.
On Fri, Jul 24, 2020 at 12:06 PM Patrick Oppenlander
wrote:
>
> Issue #1
>
>
> Currently,
On Fri, Jul 31, 2020 at 12:59 AM Philippe REYNES
wrote:
>
> Hi Patrick,
>
>
> > From: Patrick Oppenlander
> >
> > This patch addresses issue #2 for signed configurations.
> >
> > -8<-
>
> This "line" will be included
From: Patrick Oppenlander
The external data is located after the mmapped FDT pointed to by
'old_fdt', not in the newly created FDT we are importing into at 'fdt'.
Signed-off-by: Patrick Oppenlander
---
tools/fit_image.c | 4 ++--
1 file changed, 2 insertions(+), 2 deleti
From: Patrick Oppenlander
This patch addresses issue #2 for signed configurations.
-8<-
Including the image cipher properties in the configuration signature
prevents an attacker from modifying cipher, key or iv properties.
Signed-off-by: Patrick Oppenlander
---
tools/image-hos
From: Patrick Oppenlander
Previously, mkimage -F could be run multiple times causing already
ciphered image data to be ciphered again.
Signed-off-by: Patrick Oppenlander
---
tools/image-host.c | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/tools/image
The v2 series addresses review comments from Philippe Reynes:
* Use FIT_CIPHER_NODENAME instead of hard coding "cipher"
* Simplify handling of FDT_ERR_NOSPACE
* Simplify detection of previously ciphered data
The last two points are possible as I overlooked that the retry loop
handling ENOSPC in fi
From: Patrick Oppenlander
Previously mkimage would process any node matching the regex cipher.*
and apply the ciphers to the image data in the order they appeared in
the FDT. This meant that data could be inadvertently ciphered multiple
times.
Switch to processing a single cipher node which
From: Patrick Oppenlander
Also replace fdt_delprop/fdt_setprop with fdt_setprop as fdt_setprop can
replace an existing property value.
Signed-off-by: Patrick Oppenlander
---
tools/image-host.c | 19 ++-
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/tools/image
On Thu, Jul 30, 2020 at 3:17 AM Philippe REYNES
wrote:
>
> As for the second patch, I think that the loop is not an issue because
> it always starts with "fresh/clean" value (using a backup file).
>
> So I am not sure that changes in this function are needed.
>
OK, I overlooked this.
I will resub
On Thu, Jul 30, 2020 at 1:02 AM Philippe REYNES
wrote:
>
> Hi Patrick
>
> > From: Patrick Oppenlander
> >
> > This meant that the order of operations had to change. If we replace the
> > data property first then fail to add the data-size-unciphered property
>
On Fri, Jul 24, 2020 at 12:06 PM Patrick Oppenlander
wrote:
>
> Hi,
>
> I recently posted some patches to the list [1], [2], [3] to address
> some issues with the cipher support in mkimage. Hopefully someone gets
> a chance to review these patches as I think mkimage is a bit bro
Hi,
I recently posted some patches to the list [1], [2], [3] to address
some issues with the cipher support in mkimage. Hopefully someone gets
a chance to review these patches as I think mkimage is a bit broken
without them.
While considering using U-Boot cipher support in a product I work on,
I
From: Patrick Oppenlander
Previously, mkimage -F could be run multiple times causing already
ciphered image data to be ciphered again.
Signed-off-by: Patrick Oppenlander
---
tools/image-host.c | 47 +++---
1 file changed, 32 insertions(+), 15 deletions
From: Patrick Oppenlander
Previously mkimage would process any node matching the regex cipher.*
and apply the ciphers to the image data in the order they appeared in
the FDT. This meant that data could be inadvertently ciphered multiple
times.
Switch to processing a single cipher node which
From: Patrick Oppenlander
This meant that the order of operations had to change. If we replace the
data property first then fail to add the data-size-unciphered property
the data will be ciphered again when retrying.
Signed-off-by: Patrick Oppenlander
---
tools/image-host.c | 19
From: Patrick Oppenlander
Linux distributions generally use the "make defconfig && make tools-all"
recipe to generate a uboot-tools (or similar) package.
This patch enables FIT cipher support in the default mkimage build.
Signed-off-by: Patrick Oppenlander
---
configs/san
19 matches