Closed
34 changes: 8 additions & 26 deletions ncs/app_envelope_encrypted.yaml.jinja2
Expand Up @@ -82,23 +82,8 @@ SUIT_Envelope_Tagged:
{%- else %}
suit-parameter-uri: '#{{ application['name'] }}'
{%- endif %}
suit-parameter-image-digest:
suit-digest-algorithm-id: cose-alg-sha-256
suit-digest-bytes:
file: {{ application['encryption_artifacts_dir'] }}/encrypted_content.bin
- suit-directive-fetch:
- suit-send-record-failure
- suit-directive-try-each:
- - suit-condition-image-match:
- suit-send-record-success
- suit-send-record-failure
- suit-send-sysinfo-success
- suit-send-sysinfo-failure
- - suit-condition-image-match:
- suit-send-record-success
- suit-send-record-failure
- suit-send-sysinfo-success
- suit-send-sysinfo-failure
- suit-directive-set-component-index: 0
- suit-directive-override-parameters:
suit-parameter-source-component: 1
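Review bot: The install-sequence fetch in this hunk loses its integrity check with no explanation left in the template. The header shrinks this region from 23 lines to 8 and the rendered view carries no +/- markers, but the only lines that add up to the 15 removals are the `suit-parameter-image-digest` block and the `suit-directive-try-each` / `suit-condition-image-match` block, which leaves `suit-directive-fetch` followed only by `suit-send-record-failure`. Please add a comment at this fetch, like the one added in the candidate-verification hunk, naming the later step that authenticates the data before it is installed, and confirm that this holds for both branches of the `suit-parameter-uri` conditional.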
Expand Down Expand Up @@ -136,19 +121,16 @@ SUIT_Envelope_Tagged:
suit-digest-algorithm-id: cose-alg-sha-256
suit-digest-bytes:
file: {{ application['encryption_artifacts_dir'] }}/encrypted_content.bin
suit-parameter-encryption-info:
Collaborator

  • What is the meaning of line 120 (setting parameter-image-digest)?

  • Why, in the case of suit-candidate-verification (line 119), is just that URI considered:
    suit-parameter-uri: '#{{ application['name'] }}'

    ... while, in the case of suit-install (line 81), that one is also considered:
    suit-parameter-uri: '{{ application['config']['CONFIG_SUIT_IMAGE_DFU_CACHE_URI'] }}'

file: {{ application['encryption_artifacts_dir'] }}/suit_encryption_info.bin
# This fetch directive is used to verify the tag and the AAD of the received encrypted image
# The target "CAND_IMG" behaves like a /dev/null device and all the data is discarded.
# This way even if the encrypted content is incorrect, the contents of the target memory
# will not be affected.
# Note that no digest checking is required on the encrypted content itself, as checking the tag
# and the AAD verifies the integrity of the content.
- suit-directive-fetch:
- suit-send-record-failure
- suit-directive-try-each:
- - suit-condition-image-match:
- suit-send-record-success
- suit-send-record-failure
- suit-send-sysinfo-success
- suit-send-sysinfo-failure
- - suit-condition-image-match:
- suit-send-record-success
- suit-send-record-failure
- suit-send-sysinfo-success
- suit-send-sysinfo-failure

suit-manifest-component-id:
- INSTLD_MFST
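Review bot: The new comment says no digest check is needed on the encrypted content, yet the unchanged context at the top of this hunk still sets `suit-parameter-image-digest` over `encrypted_content.bin` for the same fetch. With the `suit-condition-image-match` block going away (the 19 to 16 line count in the header fits its 11 lines removed and 8 lines added), nothing visible here consumes that parameter, so either drop it or extend the comment to say why it stays. The comment should also state explicitly that the fetch into "CAND_IMG" fails when the tag or AAD check fails, since `suit-send-record-failure` on the fetch is the only reporting that remains for a corrupted candidate.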