def _decode_blob(self, encryption_params_blob, l1_key_blob, debug_dir):
# validate magic number
string_offset = 0
string_end = EncryptionParameters.FIELD_LEN_BYTES.MAGIC_FLD
found_magic_num = struct.unpack_from('I', encryption_params_blob[string_offset: string_end])[0]
if found_magic_num != self.MAGIC_NUM:
raise RuntimeError("Image's encryption parameters has invalid magic number: \"{0}\".".format(hex(found_magic_num)))
string_offset = EncryptionParameters.ENCRYPTION_PARAMS_HEADER_LEN_BYTES + EncryptionParameters.ENCRYPTION_PARAMS_SECTION_HDR_LEN_BYTES
string_end = string_offset + EncryptionParameters.ENCRYPTION_PARAMS_SECTION_BDY_LEN_BYTES
eps_body1 = EncryptionParamsSectionBody(enc_param_section_body_blob=encryption_params_blob[string_offset:string_end], image_id_bitmap=None, l1_key=l1_key_blob, debug_dir=debug_dir)
self.l3_image_iv = eps_body1.get_image_iv()
self.l3_key = eps_body1.get_l3_key()
def _decode_blob(self, encryption_params_blob, l1_key_blob, debug_dir):
# Decode Encryption Parameter Info Header
string_offset = 0
string_end = EncryptionParameters.ENCRYPTION_PARAMS_HEADER_LEN_BYTES
EncryptionParamsHeader(encryption_params_blob[string_offset:string_end])
# Decode Encryption Parameter Section skipping Encryption Parameters Section Header
string_offset = string_end + EncryptionParameters.ENCRYPTION_PARAMS_SECTION_HDR_LEN_BYTES
string_end = string_offset + EncryptionParameters.ENCRYPTION_PARAMS_SECTION_BDY_LEN_BYTES
eps = EncryptionParamsSectionBody(self.major_version,
self.minor_version,
self.image_id,
l1_key=l1_key_blob,
enc_param_section_body_blob=encryption_params_blob[string_offset:string_end],
validating=self.validating,
debug_dir=debug_dir)
self.l3_image_iv = eps.get_image_iv()
self.l3_key = eps.get_l3_key()
def _decode_encryption_parameters_blob(self, encryption_params_blob, l1_key_blob):
string_offset = 0
string_end = EncryptionParameters.ENCRYPTION_PARAMS_HEADER_LEN_BYTES
encryption_params_hdr = EncryptionParamsHeader(encryption_params_blob[string_offset:string_end])
string_offset = string_end
string_end += EncryptionParameters.ENCRYPTION_PARAMS_SECTION_HDR_LEN_BYTES
eps_hdr1 = EncryptionParamsSectionHdr(encryption_params_blob[string_offset:string_end], None, 1, 1)
string_offset = string_end
string_end += EncryptionParameters.ENCRYPTION_PARAMS_SECTION_BDY_LEN_BYTES
eps_body1 = EncryptionParamsSectionBody(enc_param_section_body_blob=encryption_params_blob[string_offset:string_end], image_id_bitmap=None, l1_key_blob=l1_key_blob)
self.l3_image_iv = eps_body1.get_image_iv()
self.l3_key = eps_body1.get_l3_key()
def _generate_new_encryption_params_blob(self):
self.l1_key = self._get_l1_key()
self.l2_key = self._get_l2_key()
self.l3_key = self._get_l3_key()
encryption_params_hdr = EncryptionParamsHeader()
encryption_params_hdr.add_encryption_param_section()
eps_hdr1 = EncryptionParamsSectionHdr(None, None, 1, 0)
eps_body1 = EncryptionParamsSectionBody(l1_key_blob=self.l1_key,
image_id_bitmap=self.image_id)
self.encryption_params_blob = encryption_params_hdr.get_header_blob() + \
eps_hdr1.get_header_blob() + \
eps_body1.get_binary_blob()
self.l3_image_iv = eps_body1.get_image_iv()
self.l3_key = eps_body1.get_l3_key()
logger.debug("Encryption Params: \n" +
hexdump(self.encryption_params_blob))
logger.debug("L1 Key: \n" + hexdump(self.l1_key))
return self.encryption_params_blob, self.l1_key
def _generate_new_blob(self,
config,
debug_dir,
encrypted_segments_indices=None):
self.enc_key_prov_is_qti = False
if self.key_service.using_encrypted_key_provider():
# UIE_key value was set to an encrypted key provider value. ex: "encrypted_qti" or "encrypted_oem"
logger.info(
"Attempting to retrieve encrypted L2, encrypted L3, and clear L3 keys from encrypted key provider..."
)
self.l1_key = None
self.l2_key = None
# get the encrypted key provider
from sectools.features.isc.encryption_service.unified import get_encrypted_key_provider
encrypted_key_provider_class = get_encrypted_key_provider(
self.key_service.get_encrypted_key_provider_id())
self.enc_key_prov_is_qti = encrypted_key_provider_class.is_qti()
if self.enc_key_prov_is_qti:
sa = config.signing_attributes
encrypted_key_provider = encrypted_key_provider_class(
sa.UIE_capability, sa.UIE_server_url,
sa.UIE_server_cert_path)
else:
encrypted_key_provider = encrypted_key_provider_class()
# get the encrypted keys and clear l3 key from the encrypted key provider
self.encrypted_l2 = encrypted_key_provider.get_encrypted_l2_key()
self.encrypted_l3 = encrypted_key_provider.get_encrypted_l3_key()
self.l3_key = encrypted_key_provider.get_clear_l3_key()
logger.info(
"Encrypted L2, encrypted L3, and clear L3 keys were successfully retrieved from encrypted key provider."
)
logger.debug("Encrypted L2 Key: \n" + hexdump(self.encrypted_l2))
logger.debug("Encrypted L3 Key: \n" + hexdump(self.encrypted_l3))
elif self.key_service.get_l1_key(
) is not None and self.key_service.get_l2_key(
) is None and self.key_service.get_l3_key(
) is None and self.key_service.no_enc_keys_provided():
# only l1 key is provided locally. l2 and l3 keys will be set to randomly generated values
logger.info(
"Clear L1 key was provided locally but clear L2 and clear L3 keys were not. Generating random values for clear L2 and clear L3 keys..."
)
self.l1_key = self.key_service.get_l1_key()
self.l2_key = key_service_module.KeyService.get_new_random_clear_key(
)
self.l3_key = key_service_module.KeyService.get_new_random_clear_key(
)
logger.debug("L1 Key: \n" + hexdump(self.l1_key))
logger.debug("L2 Key: \n" + hexdump(self.l2_key))
logger.debug("L3 Key: \n" + hexdump(self.l3_key))
self.encrypted_l2 = None
self.encrypted_l3 = None
elif self.key_service.all_clear_keys_provided(
) and self.key_service.no_enc_keys_provided():
# all 3 clear keys are provided locally
logger.info(
"Clear L1 key, clear L2 key, and clear L3 keys were provided locally."
)
self.l1_key = self.key_service.get_l1_key()
self.l2_key = self.key_service.get_l2_key()
self.l3_key = self.key_service.get_l3_key()
logger.debug("L1 Key: \n" + hexdump(self.l1_key))
logger.debug("L2 Key: \n" + hexdump(self.l2_key))
logger.debug("L3 Key: \n" + hexdump(self.l3_key))
self.encrypted_l2 = None
self.encrypted_l3 = None
elif self.key_service.all_enc_keys_provided(
) and self.key_service.get_l3_key(
) is not None and self.key_service.get_l1_key(
) is None and self.key_service.get_l2_key() is None:
# encrypted l2, encrypted l3, and clear l3 are provided locally
logger.info(
"Encrypted L2 key, encrypted L3 key, and clear L3 keys were provided locally."
)
self.l1_key = None
self.l2_key = None
self.l3_key = self.key_service.get_l3_key()
self.encrypted_l2 = self.key_service.get_encrypted_l2_key()
self.encrypted_l3 = self.key_service.get_encrypted_l3_key()
logger.debug("Encrypted L2 Key: \n" + hexdump(self.encrypted_l2))
logger.debug("Encrypted L3 Key: \n" + hexdump(self.encrypted_l3))
logger.debug("L3 Key: \n" + hexdump(self.l3_key))
else:
raise EncryptionParameters.InvalidKeyComboException(
"The found key configuration is not allowed.\n \
Supported configurations: \n \
#1 clear L1 key \n \
#2 clear L1, L2, and L3 key \n \
#3 encrypted L2, encrypted L3, and clear L3 key \n \
#4 specify an encrypted key provider.\n \
If required files are provided, ensure that the corresponding config file \n \
contains the correct METACONFIG tags and values.")
encryption_params_hdr = EncryptionParamsHeader()
encryption_params_hdr.add_encryption_param_section()
eps_hdr = EncryptionParamsSectionHdr(
None, None,
1 if config.signing_attributes.UIE_root_key_type is None else
config.signing_attributes.UIE_root_key_type, 0)
eps_body = EncryptionParamsSectionBody(
self.major_version,
self.minor_version,
self.image_id,
l1_key=self.l1_key,
l2_key=self.l2_key,
l3_key=self.l3_key,
enc_l2_key=self.encrypted_l2,
enc_l3_key=self.encrypted_l3,
enc_key_prov_is_qti=self.enc_key_prov_is_qti,
debug_dir=debug_dir,
encrypted_segments_indices=encrypted_segments_indices)
self.l3_image_iv = eps_body.get_image_iv()
self.encryption_params_blob = encryption_params_hdr.get_header_blob() + \
eps_hdr.get_header_blob() + \
eps_body.get_binary_blob()
logger.debug("Encryption Params: \n" +
hexdump(self.encryption_params_blob))
return self.encryption_params_blob, self.l1_key