lib: add blobgen framework

This adds a framework for en/decrypting data blobs. Some SoCs have
support for hardware crypto engines that can en/decrypt using keys
that a tied to the SoC and are visible for the crypto hardware only.
With this patch it's possible to encrypt confidential data using
these keys and to decrypt it later for usage.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>

1 files changed, 122 insertions, 0 deletions

diff --git a/commands/blobgen.c b/commands/blobgen.c
new file mode 100644
index 0000000000..49107d037c
--- /dev/null
+++ b/commands/blobgen.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <common.h>
+#include <command.h>
+#include <getopt.h>
+#include <blobgen.h>
+#include <environment.h>
+
+static int do_blobgen(int argc, char *argv[])
+{
+	bool do_encrypt = false, do_decrypt = false;
+	int opt;
+	const char *varname = NULL;
+	const char *modifier = NULL;
+	const char *blobdev = NULL;
+	struct blobgen *bg;
+	int plainsize;
+	int ret;
+	const char *message = NULL;
+
+	while ((opt = getopt(argc, argv, "edm:V:b:")) > 0) {
+		switch (opt) {
+		case 'e':
+			do_encrypt = true;
+			break;
+		case 'd':
+			do_decrypt = true;
+			break;
+		case 'm':
+			modifier = optarg;
+			break;
+		case 'V':
+			varname = optarg;
+			break;
+		case 'b':
+			blobdev = optarg;
+			break;
+		}
+	}
+
+	if (!varname) {
+		printf("varname not specified\n");
+		return -EINVAL;
+	}
+
+	if (!modifier) {
+		printf("Modifier not specified\n");
+		return -EINVAL;
+	}
+
+	bg = blobgen_get(blobdev);
+	if (!bg) {
+		printf("blobdev \"%s\" not found\n", blobdev);
+		return -ENOENT;
+	}
+
+	if (do_encrypt && do_decrypt) {
+		printf("Both encrypt and decrypt given\n");
+		return -EINVAL;
+	}
+
+	if (!do_encrypt && !do_decrypt) {
+		printf("Specify either -e or -d option\n");
+		return -EINVAL;
+	}
+
+	if (argc > optind) {
+		message = argv[optind];
+	} else {
+		printf("No message to %scrypt provided\n",
+		       do_encrypt ? "en" : "de");
+		return -EINVAL;
+	}
+
+	if (do_encrypt) {
+		ret = blob_encrypt_to_env(bg, modifier, message, strlen(message),
+					  varname);
+		if (ret)
+			return ret;
+	}
+
+	if (do_decrypt) {
+		void *plain;
+		char *str;
+
+		ret = blob_decrypt_from_base64(bg, modifier, message, &plain,
+					    &plainsize);
+		if (ret)
+			return ret;
+
+		str = malloc(plainsize + 1);
+		if (!str)
+			return -ENOMEM;
+
+		memcpy(str, plain, plainsize);
+		str[plainsize] = 0;
+
+		setenv(varname, str);
+		free(plain);
+		free(str);
+	}
+
+	return 0;
+}
+
+BAREBOX_CMD_HELP_START(blobgen)
+BAREBOX_CMD_HELP_TEXT("This command utilizes hardware crypto engines to en/decrypt")
+BAREBOX_CMD_HELP_TEXT("data blobs.")
+BAREBOX_CMD_HELP_TEXT("Options:")
+BAREBOX_CMD_HELP_OPT("-e\t", "encrypt")
+BAREBOX_CMD_HELP_OPT("-d\t", "decrypt")
+BAREBOX_CMD_HELP_OPT("-m <modifier>", "Set modifier")
+BAREBOX_CMD_HELP_OPT("-V <varname>", "specify variable name to set with the result")
+BAREBOX_CMD_HELP_OPT("-b <blobdev>", "specify blob device to use")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(blobgen)
+	.cmd	= do_blobgen,
+	BAREBOX_CMD_DESC("en/decrypt blobs")
+	BAREBOX_CMD_OPTS("[-edmVb] <plaintext/ciphertext>")
+	BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
+	BAREBOX_CMD_HELP(cmd_blobgen_help)
+BAREBOX_CMD_END