
Allow unique IV per image to encrypt

To use unique random IV for an image to encrypt:

  1) In sw-description file use swupdate_get_IV() to initialize "ivt" value,
     for example:

       filename = "rootfs-image.ubifs";
       encrypted = true;
       ivt = "$swupdate_get_IV(rootfs-image.ubifs)";

  2) In the SWU image recipe, override the default swupdate_get_IV():

       def swupdate_get_IV(d, s, filename):
           return swupdate_get_unique_IV(d, s, filename)

To use predefined/hardcoded IV for some/all images to encrypt:

  3) In SWU image recipe set additionally:

       SWUPDATE_IV[sw-description] = "662c7e7ef64f987d6f039ff116ad1f26"
       SWUPDATE_IV[rootfs-image.ubifs] = "e972109190c1b1b0c60615480d9f3a05"

Signed-off-by: Viacheslav Volkov <viacheslav.volkov.1@gmail.com>
Viacheslav Volkov 1 年間 前
コミット
1c12eef17c

+ 3 - 0
classes-recipe/swupdate-common.bbclass

@@ -179,6 +179,7 @@ def prepare_sw_description(d):
         bb.note("Encryption of sw-description")
         shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
         key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE'))
+        iv = swupdate_get_IV(d, s, 'sw-description')
         swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)
 
     signing = d.getVar('SWUPDATE_SIGNING')
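Review bot: The IV returned by `swupdate_get_IV` on the added line goes straight into `swupdate_encrypt_file` with no check that it is non-empty or well-formed, so a recipe override that returns None or a malformed string fails only inside the encryption helper (whose body is not visible here) rather than with a clear build error. Add a guard after the call, e.g. `if not iv: bb.fatal("Encryption required, but no IV for sw-description")`. The `iv` unpacked from `swupdate_extract_keys` on the previous line is now dead in this branch, so the unpack only needs `key`. prepare_sw_description starts before this hunk.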
@@ -249,6 +250,7 @@ def swupdate_add_src_uri(d, list_for_cpio):
                 bb.note("Encryption requested for %s" %(filename))
                 if not key or not iv:
                     bb.fatal("Encryption required, but no key found")
+                iv = swupdate_get_IV(d, s, filename)
                 swupdate_encrypt_file(local, dst, key, iv)
             else:
                 shutil.copyfile(local, dst)
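Review bot: The `if not key or not iv: bb.fatal(...)` guard just above the added line validates the IV taken from SWUPDATE_AES_FILE, which the added assignment then discards, so the IV that actually reaches `swupdate_encrypt_file` is never checked. Either move the guard below the new assignment or add a second one right after it: `if not iv: bb.fatal("Encryption required, but no IV for %s" % filename)`. swupdate_add_src_uri starts before this hunk and the key/iv extraction the guard refers to is not visible here.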
@@ -265,6 +267,7 @@ def add_image_to_swu(d, deploydir, imagename, s, encrypt, list_for_cpio):
     if encrypt == '1':
         key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE'))
         bb.note("Encryption requested for %s" %(imagename))
+        iv = swupdate_get_IV(d, s, imagename)
         swupdate_encrypt_file(src, dst, key, iv)
     else:
         shutil.copyfile(src, dst)
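Review bot: With the default `swupdate_get_IV` (which, per the description, still returns the single IV from SWUPDATE_AES_FILE) every encrypted image in the SWU is encrypted under the same key and the same IV unless a recipe opts in to `swupdate_get_unique_IV`; if the mode is CBC (not visible here), identical leading blocks across images yield identical ciphertext. A comment on the added line would make the trade-off explicit, e.g. `# NOTE: the default IV hook reuses one IV for every artifact; override with swupdate_get_unique_IV to avoid key/IV reuse across images`, and making the unique IV the default is worth considering in a follow-up. The `iv` unpacked on the line above is overwritten immediately, so that unpack now only needs `key`. add_image_to_swu starts before this hunk.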

+ 14 - 0
classes-recipe/swupdate-lib.bbclass

@@ -40,6 +40,20 @@ def swupdate_get_sha256(d, s, filename):
             m.update(data)
     return m.hexdigest()
 
+def swupdate_get_IV(d, s, filename):
+    # By default preserve original behavior: use IV from SWUPDATE_AES_FILE.
+    key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+    return iv
+
+def swupdate_get_unique_IV(d, s, filename):
+    # New behavior: use unique random IV for each filename.
+    from secrets import token_hex
+    iv = d.getVarFlag("SWUPDATE_IV", filename, True)
+    if not iv:
+        iv = token_hex(16)
+        d.setVarFlag("SWUPDATE_IV", filename, iv)
+    return iv
+
 def swupdate_get_size(d, s, filename):
     import os