This is an automated email from the ASF dual-hosted git repository. agross pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mynewt-artifact.git
The following commit(s) were added to refs/heads/master by this push: new 92f2b52 image: Support legacy TLV values via option new 4bdb75b Merge pull request #30 from agross-korg/support-legacy-tlvs 92f2b52 is described below commit 92f2b5253a7df492a6329c88e14a5ae67ff8d1cd Author: Andy Gross <andy.gr...@juul.com> AuthorDate: Wed Nov 18 10:56:30 2020 -0600 image: Support legacy TLV values via option This patch adds a legacy TLV option for using the legacy values for AES_NONCE and SECRET_ID. This allows newer newt tools to build usable application images for systems which cannot support the new TLVs on boot. Signed-off-by: Andy Gross <andy.gr...@juul.com> --- image/create.go | 40 ++++++++++++++++++++++++++++++---------- image/image.go | 14 +++++++++++--- 2 files changed, 41 insertions(+), 13 deletions(-) diff --git a/image/create.go b/image/create.go index 176c085..129baaa 100644 --- a/image/create.go +++ b/image/create.go @@ -49,6 +49,7 @@ type ImageCreator struct { HeaderSize int InitialHash []byte Bootable bool + UseLegacyTLV bool } type ImageCreateOpts struct { @@ -61,6 +62,7 @@ type ImageCreateOpts struct { LoaderHash []byte HdrPad int ImagePad int + UseLegacyTLV bool } type ECDSASig struct { @@ -103,12 +105,20 @@ func sigTlvType(key sec.PrivSignKey) uint8 { } // GenerateHWKeyIndexTLV creates a hardware key index TLV. -func GenerateHWKeyIndexTLV(secretIndex uint32) (ImageTlv, error) { +func GenerateHWKeyIndexTLV(secretIndex uint32, useLegacyTLV bool) (ImageTlv, error) { + var tlvType uint8 id := make([]byte, 4) binary.LittleEndian.PutUint32(id, secretIndex) + + if useLegacyTLV { + tlvType = IMAGE_TLV_SECRET_ID_LEGACY + } else { + tlvType = IMAGE_TLV_SECRET_ID + } + return ImageTlv{ Header: ImageTlvHdr{ - Type: IMAGE_TLV_SECRET_ID, + Type: tlvType, Pad: 0, Len: uint16(len(id)), }, @@ -117,10 +127,18 @@ func GenerateHWKeyIndexTLV(secretIndex uint32) (ImageTlv, error) { } // GenerateNonceTLV creates a nonce TLV given a nonce. -func GenerateNonceTLV(nonce []byte) (ImageTlv, error) { +func GenerateNonceTLV(nonce []byte, useLegacyTLV bool) (ImageTlv, error) { + var tlvType uint8 + + if useLegacyTLV { + tlvType = IMAGE_TLV_AES_NONCE_LEGACY + } else { + tlvType = IMAGE_TLV_AES_NONCE + } + return ImageTlv{ Header: ImageTlvHdr{ - Type: IMAGE_TLV_AES_NONCE, + Type: tlvType, Pad: 0, Len: uint16(len(nonce)), }, @@ -154,17 +172,17 @@ func GenerateEncTlv(cipherSecret []byte) (ImageTlv, error) { // GenerateEncTlv creates an encryption-secret TLV given a secret. func GenerateSectionTlv(section Section) (ImageTlv, error) { - data := make([]byte, 8 + len(section.Name)) + data := make([]byte, 8+len(section.Name)) binary.LittleEndian.PutUint32(data[0:], uint32(section.Offset)) binary.LittleEndian.PutUint32(data[4:], uint32(section.Size)) copy(data[8:], section.Name) - return ImageTlv { + return ImageTlv{ Header: ImageTlvHdr{ Type: IMAGE_TLV_SECTION, - Pad: 0, - Len: uint16(len(data)), + Pad: 0, + Len: uint16(len(data)), }, Data: data, }, nil @@ -337,6 +355,7 @@ func GenerateImage(opts ImageCreateOpts) (Image, error) { ic.SigKeys = opts.SigKeys ic.HWKeyIndex = opts.SrcEncKeyIndex ic.Sections = opts.Sections + ic.UseLegacyTLV = opts.UseLegacyTLV if opts.LoaderHash != nil { ic.InitialHash = opts.LoaderHash @@ -509,13 +528,14 @@ func (ic *ImageCreator) Create() (Image, error) { } if ic.HWKeyIndex >= 0 { - tlv, err := GenerateHWKeyIndexTLV(uint32(ic.HWKeyIndex)) + tlv, err := GenerateHWKeyIndexTLV(uint32(ic.HWKeyIndex), + ic.UseLegacyTLV) if err != nil { return img, err } img.ProtTlvs = append(img.ProtTlvs, tlv) - tlv, err = GenerateNonceTLV(ic.Nonce) + tlv, err = GenerateNonceTLV(ic.Nonce, ic.UseLegacyTLV) if err != nil { return img, err } diff --git a/image/image.go b/image/image.go index 7defa38..9aa775f 100644 --- a/image/image.go +++ b/image/image.go @@ -750,9 +750,15 @@ func DecryptHw(img Image, secret []byte) (Image, error) { tlvs := dup.FindProtTlvs(IMAGE_TLV_AES_NONCE) if len(tlvs) != 1 { - return dup, errors.Errorf( - "failed to decrypt hw-encrypted image: "+ - "wrong count of AES nonce TLVs; have=%d want=1", len(tlvs)) + // try to find legacy TLV + tlvs := dup.FindProtTlvs(IMAGE_TLV_AES_NONCE_LEGACY) + + if len(tlvs) != 1 { + + return dup, errors.Errorf( + "failed to decrypt hw-encrypted image: "+ + "wrong count of AES nonce TLVs; have=%d want=1", len(tlvs)) + } } nonce := tlvs[0].Data @@ -778,6 +784,8 @@ func DecryptHwFull(img Image, secret []byte) (Image, error) { img.RemoveProtTlvsWithType(IMAGE_TLV_AES_NONCE) img.RemoveProtTlvsWithType(IMAGE_TLV_SECRET_ID) + img.RemoveProtTlvsWithType(IMAGE_TLV_AES_NONCE_LEGACY) + img.RemoveProtTlvsWithType(IMAGE_TLV_SECRET_ID_LEGACY) return img, nil }