Distinguish partial {en|de}crypt from full
When we calculate a build's SHA256, we provide two inputs to the hash
function:
1. Image header
2. Unencrypted image body
The image header contains an "encrypted" flag
(`IMAGE_F_ENCRYPTED`). This has an interesting implication: when we
decrypt a build, its hash is no longer valid.
There are two use cases for decrypting an image:
1. Create an unencrypted version of the image.
   For this use case, the decrypted image should be well formed and usable
   as an unencrypted image.
2. Re-sign an image with a new key.
   For this use case, the procedure typically looks like this:
   a. Start with a signed and encrypted image.
   b. Decrypt image (`imgmod image decrypt`).
   c. Remove signature TLVs (`imgmod image rmsigs`).
   d. Re-sign image (`imgmod image sign`).
   e. Re-encrypt image (`imgmod image encrypt`).
   In this use case, it is critical that step b (decrypt) does *not* clear
   the `IMAGE_F_ENCRYPTED` flag from the image header. This flag must
   remain set so that the signature produced in step d is valid.
So we need two sets of {en|de}crypt commands:
* Full
* Partial
The "full" versions apply to use case 1.
The "partial" versions apply to use case 2.
The old commands (`image encrypt`, `image decrypt`) are the partial
versions. These remain unchanged.
The new commands (`image encryptfull`, `image decryptfull`) are the full
versions.
2 files changed
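An added example (not imgmod's own code) that models the point of the commit: the hash a signature covers is computed over the header, flags included, plus the unencrypted body, so a partial decrypt that leaves `IMAGE_F_ENCRYPTED` set keeps that hash valid, while a full decrypt that clears the flag does not. The 8-byte header layout, the flag bit value, AES-CTR with a zero nonce and the demo key are all assumptions made here, not the real MCUboot format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
)

// Constructed 8-byte header (4-byte magic, then little-endian flags word); not the
// real MCUboot layout, and the IMAGE_F_ENCRYPTED bit value is an assumption here.
const imageFEncrypted uint32 = 0x04
type Image struct{ Header, Body []byte }
func NewHeader() []byte     { return []byte{0x3d, 0xb8, 0xf3, 0x96, 0, 0, 0, 0} }
func Flags(h []byte) uint32 { return binary.LittleEndian.Uint32(h[4:8]) }
func withFlags(h []byte, f uint32) []byte { // returns a copy; callers' headers stay intact
	out := append([]byte(nil), h...)
	binary.LittleEndian.PutUint32(out[4:8], f)
	return out
}
// ImageHash is the digest a signature covers: header (flags included) || UNENCRYPTED body.
func ImageHash(hdr, plainBody []byte) [32]byte {
	return sha256.Sum256(append(append([]byte(nil), hdr...), plainBody...))
}
// xorBody runs AES-CTR, so one call both encrypts and decrypts. Zero nonce: demo only.
func xorBody(key, body []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(body))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, body)
	return out
}

// Encrypt sets IMAGE_F_ENCRYPTED, hashes header+plaintext, then encrypts the body.
func Encrypt(img Image, key []byte) (Image, [32]byte) {
	hdr := withFlags(img.Header, Flags(img.Header)|imageFEncrypted)
	return Image{Header: hdr, Body: xorBody(key, img.Body)}, ImageHash(hdr, img.Body)
}
// PartialDecrypt (old `image decrypt`): body restored, flag left set, hash still valid.
func PartialDecrypt(img Image, key []byte) Image {
	return Image{Header: withFlags(img.Header, Flags(img.Header)), Body: xorBody(key, img.Body)}
}
// FullDecrypt (new `image decryptfull`): flag cleared too, so the old hash no longer matches.
func FullDecrypt(img Image, key []byte) Image {
	p := PartialDecrypt(img, key)
	p.Header = withFlags(p.Header, Flags(p.Header)&^imageFEncrypted)
	return p
}
```

Running `Encrypt` once and comparing `ImageHash` of the two decrypted images against the recorded digest shows the partial output still verifies and the full output does not.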