[swugenerator 1/3] fix: add missing `decrypted-size` entry

Pratik Manvar

Jul 30, 2025, 9:52:24 AM
to swup...@googlegroups.com, Pratik Manvar
From: Pratik Manvar <pratik...@ifm.com>

The decrypted-size field is required when flashing encrypted images
to the MTD partition on NOR flash.

This attribute is also required to handle the UBI Volumes. Due to a
limit in the Linux kernel API for UBI volumes, the size reserved to
be written on disk should be declared before actually writing anything.

Signed-off-by: Pratik Manvar <pratik...@ifm.com>
---
swugenerator/generator.py | 3 +++
1 file changed, 3 insertions(+)

diff --git a/swugenerator/generator.py b/swugenerator/generator.py
index 628dffe..1721aef 100644
--- a/swugenerator/generator.py
+++ b/swugenerator/generator.py
@@ -201,6 +201,9 @@ class SWUGenerator:
entry["ivt"] = iv
new.ivt = iv

+ entry.setdefault("properties", {}) \
+ .update({ "decrypted-size": str(new.getsize()) })
+
self.artifacts.append(new)
else:
logging.debug("Artifact %s already stored", entry["filename"])
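
Review bot: The `decrypted-size` assignment sits in the branch that stores a new artifact, so an entry that reaches the `else` path ("Artifact %s already stored") never receives the property; a second sw-description entry that references the same encrypted file would be left without it. Consider setting the property outside the if/else or keeping the size per filename. Please also confirm that `new.getsize()` is read before encryption, since the commit message asks for the decrypted size, and note that `.update()` overwrites a `decrypted-size` already present in the entry's `properties`. The backslash continuation can go: `entry.setdefault("properties", {})["decrypted-size"] = str(new.getsize())`.
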
--
2.25.1

Pratik Manvar

Jul 30, 2025, 9:52:52 AM
to swup...@googlegroups.com, Pratik Manvar
From: Pratik Manvar <pratik...@ifm.com>

The PKCS11 signing option uses `pkcs11-tool` for archive signing. This
tool supports additional arguments such as `--slot` and `--id` along
with `--module` and `--pin`.

This commit enhances the PKCS#11 signing to support up to five parameters:
- PIN argument remains mandatory.
- Add the slot and id as optional parameters along with module.

The new format for the signing option is:
`PKCS11,<pin>[,<module>,<slot>,<id>]`

Signed-off-by: Pratik Manvar <pratik...@ifm.com>
---
swugenerator/main.py | 17 ++++++++++-------
swugenerator/swu_sign.py | 6 +++++-
2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/swugenerator/main.py b/swugenerator/main.py
index cf66a13..ed0c94f 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -102,7 +102,7 @@ def parse_signing_option(
CMS,<private key>,<certificate used to sign>
RSA,<private key>,<file with password>
RSA,<private key>
- PKCS11,<pin>[,<module>]
+ PKCS11,<pin>[,<module>,<slot>,<id>]
CUSTOM,<custom command>

Args:
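
Review bot: In the docstring line `PKCS11,<pin>[,<module>,<slot>,<id>]` the single bracket pair reads as "all three or none", while the parser in the next hunk accepts two to five fields and fills them by position. `PKCS11,<pin>[,<module>[,<slot>[,<id>]]]` describes what is accepted, and the same string in the `parse_args` help text should be changed to match.
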
@@ -143,12 +143,15 @@ def parse_signing_option(
# Format : RSA,<private key>
return SWUSignRSA(sign_parms[1], None)
if cmd == "PKCS11":
- # Format : PKCS11,<pin>[,<module>]
- if len(sign_parms) not in (2, 3) or not all(sign_parms[0:2]):
- raise InvalidSigningOption("PKCS11 requires pin and optional module path")
+ # Format : PKCS11,<pin>[,<module>,<slot>,<id>]
+ if len(sign_parms) not in range(2, 6) or not all(sign_parms[0:2]):
+ raise InvalidSigningOption("PKCS11 requires pin and optional parameters such as module path, slot or id")
pin = sign_parms[1]
- module = sign_parms[2] if len(sign_parms) == 3 else None
- return SWUSignPKCS11(pin, module)
+ module = sign_parms[2] if len(sign_parms) > 2 else None
+ slot = sign_parms[3] if len(sign_parms) > 3 else None
+ obj_id = sign_parms[4] if len(sign_parms) > 4 else None
+
+ return SWUSignPKCS11(pin, module, slot, obj_id)
if cmd == "CUSTOM":
# Format : CUSTOM,<custom command>
if len(sign_parms) < 2 or not all(sign_parms):
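
Review bot: `slot` and `obj_id` are taken from `sign_parms[3]` and `sign_parms[4]` with no check at all, so a mistyped value only shows up later as a pkcs11-tool failure. Because `all()` is applied to `sign_parms[0:2]` only, an option such as `PKCS11,<pin>,,,<id>` passes with empty `module` and `slot`, which are then dropped by the truthiness tests in `SWUSignPKCS11`; if that is the intended way to skip a field, say so in the format comment, otherwise reject empty fields here. Minor: `not 2 <= len(sign_parms) <= 5` reads more directly than `not in range(2, 6)`, and the `raise InvalidSigningOption(...)` line is long enough to wrap.
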
@@ -271,7 +274,7 @@ def parse_args(args: List[str]) -> None:
-g, --engine ENGINE OpenSSL engine to use for signing (e.g., pkcs11)
-f, --keyform KEYFORM Key format to use for signing (e.g., engine)
RSA,<private key>,<file with password if any>
- PKCS11,<pin>[,<module>]
+ PKCS11,<pin>[,<module>,<slot>,<id>]
CUSTOM,<custom command> """
),
)
diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index 992c5fd..437a0a5 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -113,12 +113,16 @@ class SWUSignCustom(SWUSign):

# Note: tested with Nitrokey HSM
class SWUSignPKCS11(SWUSign):
- def __init__(self, pin, module=None):
+ def __init__(self, pin, module=None, slot=None, obj_id=None):
super().__init__()
self.type = "PKCS11"
self.custom = []
if module:
self.custom.extend(["--module", module])
+ if slot:
+ self.custom.extend(["--slot", slot])
+ if obj_id:
+ self.custom.extend(["--id", obj_id])
self.custom.extend(["--pin", pin])

def prepare_cmd(self, sw_desc_in, sw_desc_sig):
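
Review bot: The new `slot` and `obj_id` parameters of `__init__` are undocumented, although together with `--pin` they now decide which token and key produce the signature; a short docstring stating the expected form of each value would help. The `if slot:` and `if obj_id:` tests also depend on the values being strings: `"0"` is truthy today, but slot 0 would be silently dropped if the parser ever converted the slot to an integer, so mapping empty fields to `None` in the parser and testing `is not None` here is more robust. It would be useful to extend `# Note: tested with Nitrokey HSM` to say whether that test covered `--slot` and `--id`.
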
--
2.25.1

Pratik Manvar

Jul 30, 2025, 9:53:08 AM
to swup...@googlegroups.com, Pratik Manvar
From: Pratik Manvar <pratik...@ifm.com>

Fix an issue where the pkcs11-tool was invoked with an empty mechanism
due to a space after the `-m ` flag. This caused signing to fail with the
error "Unknown PKCS11 mechanism".

So, remove the space after `-m` to fix the PKCS#11 mechanism error as below.
['-m ', 'SHA256-RSA-PKCS']
['-m', 'SHA256-RSA-PKCS']

The mechanism should now be correctly set to `SHA256-RSA-PKCS`.

Signed-off-by: Pratik Manvar <pratik...@ifm.com>
---
swugenerator/swu_sign.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index 437a0a5..53b6727 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -129,7 +129,7 @@ class SWUSignPKCS11(SWUSign):
self.signcmd = [
"pkcs11-tool",
"-s",
- "-m ",
+ "-m",
"SHA256-RSA-PKCS",
"-i",
sw_desc_in,
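
Review bot: Nothing accompanies the `"-m "` to `"-m"` change to keep the slip from coming back; the diffstat touches `swu_sign.py` only. A small unit test asserting that `self.signcmd` contains `"-m"` immediately followed by `"SHA256-RSA-PKCS"`, and that no element of the list has leading or trailing whitespace, would catch this class of error before it reaches pkcs11-tool.
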
--
2.25.1

Stefano Babic

Aug 4, 2025, 6:33:38 AM
to Pratik Manvar, swup...@googlegroups.com, Pratik Manvar
Sure, applied to -master, thanks !

Best regards,
Stefano Babic

Stefano Babic

Aug 4, 2025, 6:59:21 AM
to Pratik Manvar, swup...@googlegroups.com, Pratik Manvar
On 7/30/25 15:51, Pratik Manvar wrote:
Tested-by: Stefano Babic <stefan...@swupdate.org>

Applied to -master, thanks !

Best regards,
Stefano Babic

Stefano Babic

Aug 4, 2025, 7:05:30 AM
to Pratik Manvar, swup...@googlegroups.com, Pratik Manvar
On 7/30/25 15:51, Pratik Manvar wrote: