authorSteffen Trumtrar <s.trumtrar@pengutronix.de>2016-02-17 11:54:09 +0100
committerSascha Hauer <s.hauer@pengutronix.de>2019-04-12 11:58:39 +0200
commit6f91b9b1994fff3a627633b8883b9ea3fc3acef1 (patch)
tree4121e97842292edcd00823b9d7e4a8be36d25d52 /commands
parent4b4dc564f46d2179dbf7e40f6434ec0664ed7c53 (diff)
downloadbarebox-6f91b9b1994fff3a627633b8883b9ea3fc3acef1.tar.gz
lib: add blobgen framework
This adds a framework for en/decrypting data blobs. Some SoCs have support for hardware crypto engines that can en/decrypt using keys that are tied to the SoC and are visible to the crypto hardware only. With this patch it's possible to encrypt confidential data using these keys and to decrypt it later for usage. Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'commands')
-rw-r--r--commands/Kconfig10
-rw-r--r--commands/Makefile1
-rw-r--r--commands/blobgen.c122
3 files changed, 133 insertions, 0 deletions
diff --git a/commands/Kconfig b/commands/Kconfig
index 4f5d84a..039fd7d 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -1964,6 +1964,16 @@ config CMD_BAREBOX_UPDATE
-y autom. use 'yes' when asking confirmations
-f LEVEL set force level
+config CMD_BLOBGEN
+ bool
+ select BLOBGEN
+ prompt "blobgen"
+ help
+ Provides the "blobgen" command. This command encrypts and decrypts
+ plaintext to/from blobs. This is done with hardware crypto engines,
+ so this command is only useful when you also enable a blobgen capable
+ driver.
+
config CMD_FIRMWARELOAD
bool
select FIRMWARE
diff --git a/commands/Makefile b/commands/Makefile
index 358671b..e69fb50 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -84,6 +84,7 @@ obj-$(CONFIG_CMD_LINUX_EXEC) += linux_exec.o
obj-$(CONFIG_CMD_AUTOMOUNT) += automount.o
obj-$(CONFIG_CMD_GLOBAL) += global.o
obj-$(CONFIG_CMD_DMESG) += dmesg.o
+obj-$(CONFIG_CMD_BLOBGEN) += blobgen.o
obj-$(CONFIG_CMD_BASENAME) += basename.o
obj-$(CONFIG_CMD_HAB) += hab.o
obj-$(CONFIG_CMD_DIRNAME) += dirname.o
diff --git a/commands/blobgen.c b/commands/blobgen.c
new file mode 100644
index 0000000..49107d0
--- /dev/null
+++ b/commands/blobgen.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <common.h>
+#include <command.h>
+#include <getopt.h>
+#include <blobgen.h>
+#include <environment.h>
+
+static int do_blobgen(int argc, char *argv[])
+{
+ bool do_encrypt = false, do_decrypt = false;
+ int opt;
+ const char *varname = NULL;
+ const char *modifier = NULL;
+ const char *blobdev = NULL;
+ struct blobgen *bg;
+ int plainsize;
+ int ret;
+ const char *message = NULL;
+
+ while ((opt = getopt(argc, argv, "edm:V:b:")) > 0) {
+ switch (opt) {
+ case 'e':
+ do_encrypt = true;
+ break;
+ case 'd':
+ do_decrypt = true;
+ break;
+ case 'm':
+ modifier = optarg;
+ break;
+ case 'V':
+ varname = optarg;
+ break;
+ case 'b':
+ blobdev = optarg;
+ break;
+ }
+ }
+
+ if (!varname) {
+ printf("varname not specified\n");
+ return -EINVAL;
+ }
+
+ if (!modifier) {
+ printf("Modifier not specified\n");
+ return -EINVAL;
+ }
+
+ bg = blobgen_get(blobdev);
+ if (!bg) {
+ printf("blobdev \"%s\" not found\n", blobdev);
+ return -ENOENT;
+ }
+
+ if (do_encrypt && do_decrypt) {
+ printf("Both encrypt and decrypt given\n");
+ return -EINVAL;
+ }
+
+ if (!do_encrypt && !do_decrypt) {
+ printf("Specify either -e or -d option\n");
+ return -EINVAL;
+ }
+
+ if (argc > optind) {
+ message = argv[optind];
+ } else {
+ printf("No message to %scrypt provided\n",
+ do_encrypt ? "en" : "de");
+ return -EINVAL;
+ }
+
+ if (do_encrypt) {
+ ret = blob_encrypt_to_env(bg, modifier, message, strlen(message),
+ varname);
+ if (ret)
+ return ret;
+ }
+
+ if (do_decrypt) {
+ void *plain;
+ char *str;
+
+ ret = blob_decrypt_from_base64(bg, modifier, message, &plain,
+ &plainsize);
+ if (ret)
+ return ret;
+
+ str = malloc(plainsize + 1);
+ if (!str)
+ return -ENOMEM;
+
+ memcpy(str, plain, plainsize);
+ str[plainsize] = 0;
+
+ setenv(varname, str);
+ free(plain);
+ free(str);
+ }
+
+ return 0;
+}
+
+BAREBOX_CMD_HELP_START(blobgen)
+BAREBOX_CMD_HELP_TEXT("This command utilizes hardware crypto engines to en/decrypt")
+BAREBOX_CMD_HELP_TEXT("data blobs.")
+BAREBOX_CMD_HELP_TEXT("Options:")
+BAREBOX_CMD_HELP_OPT("-e\t", "encrypt")
+BAREBOX_CMD_HELP_OPT("-d\t", "decrypt")
+BAREBOX_CMD_HELP_OPT("-m <modifier>", "Set modifier")
+BAREBOX_CMD_HELP_OPT("-V <varname>", "specify variable name to set with the result")
+BAREBOX_CMD_HELP_OPT("-b <blobdev>", "specify blob device to use")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(blobgen)
+ .cmd = do_blobgen,
+ BAREBOX_CMD_DESC("en/decrypt blobs")
+ BAREBOX_CMD_OPTS("[-edmVb] <plaintext/ciphertext>")
+ BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
+ BAREBOX_CMD_HELP(cmd_blobgen_help)
+BAREBOX_CMD_END
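Review bot: In the decrypt branch of do_blobgen the -ENOMEM return after the `malloc` check leaks `plain`, which `blob_decrypt_from_base64` has just handed back and which is otherwise freed only at the end of the branch; change it to `if (!str) { free(plain); return -ENOMEM; }`. Earlier, the error message after `blobgen_get` passes `blobdev` to `%s` although it is still NULL whenever `-b` was not given, so print a stand-in instead: `printf("blobdev \"%s\" not found\n", blobdev ? blobdev : "(default)");`. Because `plain` and `str` both hold the decrypted secret, consider clearing them before `free` so the plaintext does not linger on the heap, and the discarded return value of `setenv` means a failure to store the result goes unreported. The option switch has no `default:` case, so an unknown option is silently ignored rather than reported as a usage error, e.g. `default: return COMMAND_ERROR_USAGE;`.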