summaryrefslogtreecommitdiff
path: root/tools/env/fw_env.c
diff options
context:
space:
mode:
authorMarek Vasut <marex@denx.de>2014-03-05 19:59:52 +0100
committerTom Rini <trini@ti.com>2014-03-21 16:44:08 -0400
commita8a752c084031905940129f8a6ba303925e0fac9 (patch)
tree1a1eac4b3b6e06d449c8ef88c209e1d338631f09 /tools/env/fw_env.c
parenta4223b746db5c2db2e1a1d4f0bb20e30484b1667 (diff)
downloadu-boot-imx-a8a752c084031905940129f8a6ba303925e0fac9.zip
u-boot-imx-a8a752c084031905940129f8a6ba303925e0fac9.tar.gz
u-boot-imx-a8a752c084031905940129f8a6ba303925e0fac9.tar.bz2
env: Implement support for AES encryption into fw_* tools
Implement support for encrypting/decrypting the environment block into the tools/env/fw_* tools. The cipher used is AES 128 CBC and the implementation depends solely on components internal to U-Boot. To allow building against the internal AES library, the library did need minor adjustments to not include U-Boot's headers which are not wanted to be included and define missing types. Signed-off-by: Marek Vasut <marex@denx.de>
Diffstat (limited to 'tools/env/fw_env.c')
-rw-r--r--tools/env/fw_env.c129
1 files changed, 127 insertions, 2 deletions
diff --git a/tools/env/fw_env.c b/tools/env/fw_env.c
index d228cc3..fba4c8c 100644
--- a/tools/env/fw_env.c
+++ b/tools/env/fw_env.c
@@ -31,6 +31,10 @@
#include "fw_env.h"
+#include <aes.h>
+
+#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
+
#define WHITESPACE(c) ((c == '\t') || (c == ' '))
#define min(x, y) ({ \
@@ -98,6 +102,11 @@ static struct environment environment = {
.flag_scheme = FLAG_NONE,
};
+/* Is AES encryption used? */
+static int aes_flag;
+static uint8_t aes_key[AES_KEY_LENGTH] = { 0 };
+static int env_aes_cbc_crypt(char *data, const int enc);
+
static int HaveRedundEnv = 0;
static unsigned char active_flag = 1;
@@ -120,6 +129,10 @@ static inline ulong getenvsize (void)
if (HaveRedundEnv)
rc -= sizeof (char);
+
+ if (aes_flag)
+ rc &= ~(AES_KEY_LENGTH - 1);
+
return rc;
}
@@ -191,6 +204,36 @@ char *fw_getdefenv(char *name)
return NULL;
}
+static int parse_aes_key(char *key)
+{
+ char tmp[5] = { '0', 'x', 0, 0, 0 };
+ unsigned long ul;
+ int i;
+
+ if (strnlen(key, 64) != 32) {
+ fprintf(stderr,
+ "## Error: '-a' option requires 16-byte AES key\n");
+ return -1;
+ }
+
+ for (i = 0; i < 16; i++) {
+ tmp[2] = key[0];
+ tmp[3] = key[1];
+ errno = 0;
+ ul = strtoul(tmp, NULL, 16);
+ if (errno) {
+ fprintf(stderr,
+ "## Error: '-a' option requires valid AES key\n");
+ return -1;
+ }
+ aes_key[i] = ul & 0xff;
+ key += 2;
+ }
+ aes_flag = 1;
+
+ return 0;
+}
+
/*
* Print the current definition of one, or more, or all
* environment variables
@@ -201,6 +244,19 @@ int fw_printenv (int argc, char *argv[])
int i, n_flag;
int rc = 0;
+ if (argc >= 2 && strcmp(argv[1], "-a") == 0) {
+ if (argc < 3) {
+ fprintf(stderr,
+ "## Error: '-a' option requires AES key\n");
+ return -1;
+ }
+ rc = parse_aes_key(argv[2]);
+ if (rc)
+ return rc;
+ argv += 2;
+ argc -= 2;
+ }
+
if (fw_env_open())
return -1;
@@ -266,6 +322,16 @@ int fw_printenv (int argc, char *argv[])
int fw_env_close(void)
{
+ int ret;
+ if (aes_flag) {
+ ret = env_aes_cbc_crypt(environment.data, 1);
+ if (ret) {
+ fprintf(stderr,
+ "Error: can't encrypt env for flash\n");
+ return ret;
+ }
+ }
+
/*
* Update CRC
*/
@@ -413,7 +479,7 @@ int fw_env_write(char *name, char *value)
*/
int fw_setenv(int argc, char *argv[])
{
- int i;
+ int i, rc;
size_t len;
char *name;
char *value = NULL;
@@ -423,6 +489,24 @@ int fw_setenv(int argc, char *argv[])
return -1;
}
+ if (strcmp(argv[1], "-a") == 0) {
+ if (argc < 3) {
+ fprintf(stderr,
+ "## Error: '-a' option requires AES key\n");
+ return -1;
+ }
+ rc = parse_aes_key(argv[2]);
+ if (rc)
+ return rc;
+ argv += 2;
+ argc -= 2;
+ }
+
+ if (argc < 2) {
+ errno = EINVAL;
+ return -1;
+ }
+
if (fw_env_open()) {
fprintf(stderr, "Error: environment not initialized\n");
return -1;
@@ -900,6 +984,28 @@ static int flash_flag_obsolete (int dev, int fd, off_t offset)
return rc;
}
+/* Encrypt or decrypt the environment before writing or reading it. */
+static int env_aes_cbc_crypt(char *payload, const int enc)
+{
+ uint8_t *data = (uint8_t *)payload;
+ const int len = getenvsize();
+ uint8_t key_exp[AES_EXPAND_KEY_LENGTH];
+ uint32_t aes_blocks;
+
+ /* First we expand the key. */
+ aes_expand_key(aes_key, key_exp);
+
+ /* Calculate the number of AES blocks to encrypt. */
+ aes_blocks = DIV_ROUND_UP(len, AES_KEY_LENGTH);
+
+ if (enc)
+ aes_cbc_encrypt_blocks(key_exp, data, data, aes_blocks);
+ else
+ aes_cbc_decrypt_blocks(key_exp, data, data, aes_blocks);
+
+ return 0;
+}
+
static int flash_write (int fd_current, int fd_target, int dev_target)
{
int rc;
@@ -923,6 +1029,7 @@ static int flash_write (int fd_current, int fd_target, int dev_target)
fprintf(stderr, "Writing new environment at 0x%lx on %s\n",
DEVOFFSET (dev_target), DEVNAME (dev_target));
#endif
+
rc = flash_write_buf(dev_target, fd_target, environment.image,
CUR_ENVSIZE, DEVOFFSET(dev_target),
DEVTYPE(dev_target));
@@ -981,8 +1088,10 @@ static int flash_read (int fd)
rc = flash_read_buf(dev_current, fd, environment.image, CUR_ENVSIZE,
DEVOFFSET (dev_current), mtdinfo.type);
+ if (rc != CUR_ENVSIZE)
+ return -1;
- return (rc != CUR_ENVSIZE) ? -1 : 0;
+ return 0;
}
static int flash_io (int mode)
@@ -1075,6 +1184,8 @@ int fw_env_open(void)
unsigned char flag1;
void *addr1;
+ int ret;
+
struct env_image_single *single;
struct env_image_redundant *redundant;
@@ -1109,6 +1220,13 @@ int fw_env_open(void)
return -1;
crc0 = crc32 (0, (uint8_t *) environment.data, ENV_SIZE);
+
+ if (aes_flag) {
+ ret = env_aes_cbc_crypt(environment.data, 0);
+ if (ret)
+ return ret;
+ }
+
crc0_ok = (crc0 == *environment.crc);
if (!HaveRedundEnv) {
if (!crc0_ok) {
@@ -1159,6 +1277,13 @@ int fw_env_open(void)
}
crc1 = crc32 (0, (uint8_t *) redundant->data, ENV_SIZE);
+
+ if (aes_flag) {
+ ret = env_aes_cbc_crypt(redundant->data, 0);
+ if (ret)
+ return ret;
+ }
+
crc1_ok = (crc1 == redundant->crc);
flag1 = redundant->flags;