Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for creating self-decrypting binaries #2315

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
Open

Add support for creating self-decrypting binaries #2315

wants to merge 5 commits into from

Conversation

will-v-pi
Copy link
Contributor

@will-v-pi will-v-pi commented Feb 24, 2025
edited
Loading

This adds extra functionality to the pico_encrypt_binary function to allow creating self-decrypting binaries, including specifying the OTP page to use for the AES key.

pico_encrypt_binary(hello_encrypted
    ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin
    ${CMAKE_CURRENT_LIST_DIR}/ivsalt.bin
    EMBED
    OTP_KEY_PAGE 29)

The main non-backwards-compatible change is the addition of a new IV salt bin file which is required and must be passed as the second argument. This will break any uses of pico_encrypt_binary, and has been added for security purposes, as we now salt the public IV with a salt stored in OTP.

The other non-backwards-compatible change it that if you previously called:

pico_encrypt_binary(my_target my_aesfile.bin my_sigfile.pem)

you now need to call

pico_encrypt_binary(my_target my_aesfile.bin my_iv_salt.bin SIGFILE my_sigfile.pem)

due to the new argument parsing. I think that this is fine, because the only time you'd pass a separated SIGFILE to pico_encrypt_binary is when you're using a different signing key for the binary vs the encrypted blob, which is not a common use case.

This PR requires use of the picotool encrypted-shares branch (raspberrypi/picotool#207), so should be merged after that.

@will-v-pi
Add pico_create_decrypting_binary function
77bbcb3 
For now, this function embeds the decrypting bootloader, but probably better to integrate (or replace) existing pico_encrypt_binary function
@will-v-pi
Add EMBED and OTP_KEY_PAGE arguments to pico_encrypt_binary function
5d43e53
@will-v-pi
Support passing otp_file to picotool encrypt
737d2a4
@will-v-pi will-v-pi added this to the 2.1.2 milestone Feb 24, 2025
@will-v-pi will-v-pi requested a review from kilograham February 24, 2025 15:21
@will-v-pi will-v-pi mentioned this pull request Feb 24, 2025
Open
@will-v-pi will-v-pi marked this pull request as ready for review February 26, 2025 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kilograham kilograham Awaiting requested review from kilograham

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.1.2
Development

Successfully merging this pull request may close these issues.
1 participant
@will-v-pi