Add imgtool support for encrypted image creation
Adds a new flag to imgtool, -E/--encrypt which accepts a public rsa-2048
key file that will be used to encrypt the image.
The encryption method uses AES-128-CTR to encrypt the image data (the header
and TLVs are left unencrypted), using a random key that is itself encrypted with
RSA-2048-OAEP and added to the generated image as a new TLV.
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/scripts/imgtool.py b/scripts/imgtool.py
index 76ed130..61122b4 100755
--- a/scripts/imgtool.py
+++ b/scripts/imgtool.py
@@ -114,6 +114,8 @@
@click.argument('outfile')
@click.argument('infile')
+@click.option('-E', '--encrypt', metavar='filename',
+ help='Encrypt image using the provided public key')
@click.option('-e', '--endian', type=click.Choice(['little', 'big']),
default='little', help="Select little or big endian")
@click.option('--overwrite-only', default=False, is_flag=True,
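Review bot: The help text of the new `-E/--encrypt` option does not state which key type it accepts, even though the commit message limits encryption to RSA-2048 and the `sign` body in the next hunk rejects any key that is not `keys.RSA2048` or `keys.RSA2048Public`; the key type is the one constraint a caller must satisfy, so it belongs in the help string, e.g. `help='Encrypt image using the provided RSA-2048 public key'`. The option is declared with only `metavar='filename'`, consistent with the existing `-k/--key` option, so the file is presumably not checked at argument-parsing time; that is acceptable for consistency but worth noting. The function these decorators apply to, `sign`, starts outside this hunk.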
@@ -133,15 +135,23 @@
@click.option('-k', '--key', metavar='filename')
@click.command(help='Create a signed or unsigned image')
def sign(key, align, version, header_size, pad_header, slot_size, pad,
- max_sectors, overwrite_only, endian, infile, outfile):
+ max_sectors, overwrite_only, endian, encrypt, infile, outfile):
img = image.Image.load(infile, version=decode_version(version),
header_size=header_size, pad_header=pad_header,
pad=pad, align=int(align), slot_size=slot_size,
max_sectors=max_sectors,
overwrite_only=overwrite_only,
- endian=endian)
+ endian=endian,
+ encrypt=encrypt)
key = load_key(key) if key else None
- img.sign(key)
+ enckey = load_key(encrypt) if encrypt else None
+ if enckey:
+ if not isinstance(enckey, (keys.RSA2048, keys.RSA2048Public)):
+ raise Exception("Encryption only available with RSA")
+ if key and not isinstance(key, (keys.RSA2048, keys.RSA2048Public)):
+ raise Exception("Encryption with sign only available with RSA")
+ if key or enckey:
+ img.create(key, enckey)
if pad:
img.pad_to(slot_size)