diff options
author | Steffen Trumtrar <s.trumtrar@pengutronix.de> | 2016-02-17 11:54:09 +0100 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2019-04-12 11:58:39 +0200 |
commit | 6f91b9b1994fff3a627633b8883b9ea3fc3acef1 (patch) | |
tree | 4121e97842292edcd00823b9d7e4a8be36d25d52 /commands | |
parent | 4b4dc564f46d2179dbf7e40f6434ec0664ed7c53 (diff) | |
download | barebox-6f91b9b1994fff3a627633b8883b9ea3fc3acef1.tar.gz barebox-6f91b9b1994fff3a627633b8883b9ea3fc3acef1.tar.xz |
lib: add blobgen framework
This adds a framework for en/decrypting data blobs. Some SoCs have
support for hardware crypto engines that can en/decrypt using keys
that a tied to the SoC and are visible for the crypto hardware only.
With this patch it's possible to encrypt confidential data using
these keys and to decrypt it later for usage.
Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'commands')
-rw-r--r-- | commands/Kconfig | 10 | ||||
-rw-r--r-- | commands/Makefile | 1 | ||||
-rw-r--r-- | commands/blobgen.c | 122 |
3 files changed, 133 insertions, 0 deletions
diff --git a/commands/Kconfig b/commands/Kconfig index 4f5d84ac18..039fd7d1ac 100644 --- a/commands/Kconfig +++ b/commands/Kconfig @@ -1964,6 +1964,16 @@ config CMD_BAREBOX_UPDATE -y autom. use 'yes' when asking confirmations -f LEVEL set force level +config CMD_BLOBGEN + bool + select BLOBGEN + prompt "blobgen" + help + Provides the "blobgen" command. This command encrypts and decrypts + plaintext to/from blobs. This is done with hardware crypto engines, + so this command is only useful when you also enable a blobgen capable + driver. + config CMD_FIRMWARELOAD bool select FIRMWARE diff --git a/commands/Makefile b/commands/Makefile index 358671bb5b..e69fb5046f 100644 --- a/commands/Makefile +++ b/commands/Makefile @@ -84,6 +84,7 @@ obj-$(CONFIG_CMD_LINUX_EXEC) += linux_exec.o obj-$(CONFIG_CMD_AUTOMOUNT) += automount.o obj-$(CONFIG_CMD_GLOBAL) += global.o obj-$(CONFIG_CMD_DMESG) += dmesg.o +obj-$(CONFIG_CMD_BLOBGEN) += blobgen.o obj-$(CONFIG_CMD_BASENAME) += basename.o obj-$(CONFIG_CMD_HAB) += hab.o obj-$(CONFIG_CMD_DIRNAME) += dirname.o diff --git a/commands/blobgen.c b/commands/blobgen.c new file mode 100644 index 0000000000..49107d037c --- /dev/null +++ b/commands/blobgen.c @@ -0,0 +1,122 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <common.h> +#include <command.h> +#include <getopt.h> +#include <blobgen.h> +#include <environment.h> + +static int do_blobgen(int argc, char *argv[]) +{ + bool do_encrypt = false, do_decrypt = false; + int opt; + const char *varname = NULL; + const char *modifier = NULL; + const char *blobdev = NULL; + struct blobgen *bg; + int plainsize; + int ret; + const char *message = NULL; + + while ((opt = getopt(argc, argv, "edm:V:b:")) > 0) { + switch (opt) { + case 'e': + do_encrypt = true; + break; + case 'd': + do_decrypt = true; + break; + case 'm': + modifier = optarg; + break; + case 'V': + varname = optarg; + break; + case 'b': + blobdev = optarg; + break; + } + } + + if (!varname) { + printf("varname not specified\n"); + return -EINVAL; + } + + if (!modifier) { + printf("Modifier not specified\n"); + return -EINVAL; + } + + bg = blobgen_get(blobdev); + if (!bg) { + printf("blobdev \"%s\" not found\n", blobdev); + return -ENOENT; + } + + if (do_encrypt && do_decrypt) { + printf("Both encrypt and decrypt given\n"); + return -EINVAL; + } + + if (!do_encrypt && !do_decrypt) { + printf("Specify either -e or -d option\n"); + return -EINVAL; + } + + if (argc > optind) { + message = argv[optind]; + } else { + printf("No message to %scrypt provided\n", + do_encrypt ? "en" : "de"); + return -EINVAL; + } + + if (do_encrypt) { + ret = blob_encrypt_to_env(bg, modifier, message, strlen(message), + varname); + if (ret) + return ret; + } + + if (do_decrypt) { + void *plain; + char *str; + + ret = blob_decrypt_from_base64(bg, modifier, message, &plain, + &plainsize); + if (ret) + return ret; + + str = malloc(plainsize + 1); + if (!str) + return -ENOMEM; + + memcpy(str, plain, plainsize); + str[plainsize] = 0; + + setenv(varname, str); + free(plain); + free(str); + } + + return 0; +} + +BAREBOX_CMD_HELP_START(blobgen) +BAREBOX_CMD_HELP_TEXT("This command utilizes hardware crypto engines to en/decrypt") +BAREBOX_CMD_HELP_TEXT("data blobs.") +BAREBOX_CMD_HELP_TEXT("Options:") +BAREBOX_CMD_HELP_OPT("-e\t", "encrypt") +BAREBOX_CMD_HELP_OPT("-d\t", "decrypt") +BAREBOX_CMD_HELP_OPT("-m <modifier>", "Set modifier") +BAREBOX_CMD_HELP_OPT("-V <varname>", "specify variable name to set with the result") +BAREBOX_CMD_HELP_OPT("-b <blobdev>", "specify blob device to use") +BAREBOX_CMD_HELP_END + +BAREBOX_CMD_START(blobgen) + .cmd = do_blobgen, + BAREBOX_CMD_DESC("en/decrypt blobs") + BAREBOX_CMD_OPTS("[-edmVb] <plaintext/ciphertext>") + BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP) + BAREBOX_CMD_HELP(cmd_blobgen_help) +BAREBOX_CMD_END |