Skip to content

Commit

Permalink
sign_encrypt.py: fix bugs in 'verify' and 'display' with encrypted TA
Browse files Browse the repository at this point in the history 
Fix the following bugs:
- The display command displays an incorrect tag value.
- The verify command requires --enc_key for encrypted TA,
  but an error occurs when --enc_key option is used.

Signed-off-by: Sungmin Han <[email protected]>
  • Loading branch information
@meeneemaru
meeneemaru committed Jan 8, 2025
1 parent 44f8cfa commit 980c264
Showing 1 changed file with 15 additions and 11 deletions.
26 changes: 15 additions & 11 deletions scripts/sign_encrypt.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,7 @@ def assign_default_value(parsed, attr, func):
arg_add_uuid(parser_verify)
arg_add_in(parser_verify)
arg_add_key(parser_verify)
arg_add_enc_key(parser_verify)

parser_display = subparsers.add_parser(
'display', prog=parser.prog + ' display',
Expand Down Expand Up @@ -505,9 +506,9 @@ def parse(self):
offs += EHDR_SIZE
[enc_algo, flags, nonce_len,
tag_len] = struct.unpack('<IIHH', self.ehdr)
if enc_value not in enc_tee_alg.values():
if enc_algo not in enc_tee_alg.values():
raise Exception('Unrecognized encrypt algorithm: 0x{:08x}'
.format(enc_value))
.format(enc_algo))
if nonce_len != 12:
raise Exception("Unexpected nonce len: {}"
.format(nonce_len))
Expand All @@ -516,8 +517,10 @@ def parse(self):

if tag_len != 16:
raise Exception("Unexpected tag len: {}".format(tag_len))
self.tag = self.inf[-tag_len:]
self.ciphertext = self.inf[offs:-tag_len]
self.tag = self.inf[offs:offs + tag_len]
offs += tag_len

self.ciphertext = self.inf[offs:]
if len(self.ciphertext) != img_size:
raise Exception("Unexpected ciphertext size: ",
"got {}, expected {}"
Expand Down Expand Up @@ -598,7 +601,7 @@ def display_ta():

if enc_algo not in enc_tee_alg.values():
raise Exception('Unrecognized encrypt algorithm: 0x{:08x}'
.format(enc_value))
.format(enc_algo))

flags_name = 'Unkown'
if flags in enc_key_type.values():
Expand All @@ -617,18 +620,19 @@ def display_ta():
print(' tag_size: {} (bytes)'.format(tag_len))
if tag_len != TAG_SIZE:
raise Exception("Unexpected tag len: {}".format(tag_len))
tag = self.inf[-tag_len:]
tag = self.inf[offs:offs+tag_len]
print(' tag: {}'
.format(binascii.hexlify(tag).decode('ascii')))
ciphertext = self.inf[offs:-tag_len]
offs += tag_len

ciphertext = self.inf[offs:]
print(' TA offset: {} (0x{:x}) bytes'.format(offs, offs))
print(' TA size: {} (0x{:x}) bytes'
.format(len(ciphertext), len(ciphertext)))
if len(ciphertext) != img_size:
raise Exception("Unexpected ciphertext size: ",
"got {}, expected {}"
.format(len(ciphertext), img_size))
offs += tag_len
else:
img = self.inf[offs:]
print(' TA offset: {} (0x{:x}) bytes'.format(offs, offs))
Expand Down Expand Up @@ -717,11 +721,11 @@ def display_ta():
else:
raise Exception("Unsupported image type: {}".format(img_type))

def decrypt_ta(enc_key):
def decrypt_ta(self, enc_key):
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

cipher = AESGCM(bytes.fromhex(enc_key))
self.img = cipher.decrypt(self.nonce, self.ciphertext, None)
self.img = cipher.decrypt(self.nonce, self.ciphertext + self.tag, None)

def __get_padding(self):
from cryptography.hazmat.primitives.asymmetric import padding
Expand Down Expand Up @@ -911,7 +915,7 @@ def command_verify(args):
next_uuid))
if hasattr(image, 'ciphertext'):
if args.enc_key is None:
logger.error('--enc_key needed to decrypt TA')
logger.error('--enc-key needed to decrypt TA')
sys.exit(1)
image.decrypt_ta(args.enc_key)
image.verify_signature()
Expand Down

0 comments on commit 980c264

Please sign in to comment.