From 72316b820d4bdbf3d75a0ae7e13f1c3bc8e6ac29 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Thu, 29 Aug 2024 14:00:34 +0100 Subject: [image] Add the "imgdecrypt" command Add the "imgdecrypt" command that can be used to decrypt a detached encrypted data image using a cipher key obtained from a separate CMS envelope image. For example: # Create non-detached encrypted CMS messages # openssl cms -encrypt -binary -aes-256-gcm -recip client.crt \ -in vmlinuz -outform DER -out vmlinuz.cms openssl cms -encrypt -binary -aes-256-gcm -recip client.crt \ -in initrd.img -outform DER -out initrd.img.cms # Detach data from envelopes (using iPXE's contrib/crypto/cmsdetach) # cmsdetach vmlinuz.cms -d vmlinuz.dat -e vmlinuz.env cmsdetach initrd.img.cms -d initrd.img.dat -e initrd.img.env and then within iPXE: #!ipxe imgfetch http://192.168.0.1/vmlinuz.dat imgfetch http://192.168.0.1/initrd.img.dat imgdecrypt vmlinuz.dat http://192.168.0.1/vmlinuz.env imgdecrypt initrd.img.dat http://192.168.0.1/initrd.img.env boot vmlinuz Signed-off-by: Michael Brown
---
 src/include/usr/imgcrypt.h | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 src/include/usr/imgcrypt.h (limited to 'src/include/usr/imgcrypt.h')
diff --git a/src/include/usr/imgcrypt.h b/src/include/usr/imgcrypt.h
new file mode 100644
index 000000000..c9408c75f
--- /dev/null
+++ b/src/include/usr/imgcrypt.h
@@ -0,0 +1,17 @@
+#ifndef _USR_IMGCRYPT_H
+#define _USR_IMGCRYPT_H
+
+/** @file
+ *
+ * Image encryption management
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include 
+
+extern int imgdecrypt ( struct image *image, struct image *envelope,
+ const char *name );
+
+#endif /* _USR_IMGCRYPT_H */
-- cgit
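Review bot: The `imgdecrypt` prototype added in this hunk has no Doxygen comment, so a caller reading only this header cannot tell what `name` denotes, whether `image` is decrypted in place or a new image is registered, or what the `int` result means on failure; iPXE's usual negative-error-code convention is an inference here, not something the hunk shows. Because the commit message boots the decrypted image immediately afterwards, the comment should also state whether an authentication failure on the envelope's payload (the example uses AES-256-GCM) leaves `image` untouched rather than partially rewritten, which must be confirmed against the definition rather than assumed. A comment of the shape `/** Decrypt image using the cipher key from a CMS envelope image; returns 0 or a negative error code — confirm name semantics and failure behaviour against the definition */` above the prototype would close the gap. The `#include` line renders empty in this hunk, presumably because the angle-bracketed header name was lost in extraction; the real file should include whatever header declares `struct image` so this header stays self-contained.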