@@ -41,6 +41,12 @@ define_property(TARGET
4141 BRIEF_DOCS "AES key for encrypting"
4242 FULL_DOCS "AES key for encrypting"
4343)
44+ define_property (TARGET
45+ PROPERTY PICOTOOL_IVFILE
46+ INHERITED
47+ BRIEF_DOCS "IV OTP salt for encrypting"
48+ FULL_DOCS "IV OTP salt for encrypting"
49+ )
4450define_property (TARGET
4551 PROPERTY PICOTOOL_EMBED_DECRYPTION
4652 INHERITED
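Review bot: BRIEF_DOCS and FULL_DOCS for the new PICOTOOL_IVFILE property are identical, and "IV OTP salt for encrypting" does not tell a reader what the property actually holds; the pico_encrypt_binary comment later in this commit documents it as a binary file of 16 random bytes used to salt the public IV. Suggest making FULL_DOCS carry that contract, e.g. `FULL_DOCS "Path to a binary file containing 16 bytes of random IV salt; set by pico_encrypt_binary"`, so anyone setting the property directly rather than through the function knows the expected format.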
@@ -370,24 +376,29 @@ function(pico_embed_pt_in_binary TARGET PTFILE)
370376 )
371377endfunction ()
372378
373- # pico_encrypt_binary(TARGET AESFILE [SIGFILE <file>] [EMBED] [OTP_KEY_PAGE <page>])
379+ # pico_encrypt_binary(TARGET AESFILE IVFILE [SIGFILE <file>] [EMBED] [OTP_KEY_PAGE <page>])
374380# Encrypt the target binary with the given AES key (should be a binary
375381# file containing 128 bytes of a random key), and sign the encrypted binary.
376- # This sets PICOTOOL_AESFILE to AESFILE, and PICOTOOL_ENC_SIGFILE to SIGFILE
377- # if present, else PICOTOOL_SIGFILE.
382+ # Salts the public IV with the provided IVFILE (should be a binary file
383+ # containing 16 bytes of a random IV), to give the IV used by the encryption.
384+ # This sets PICOTOOL_AESFILE to AESFILE, PICOTOOL_IVFILE to IVFILE, and
385+ # PICOTOOL_ENC_SIGFILE to SIGFILE if specified, else PICOTOOL_SIGFILE.
378386# Optionally, use EMBED to embed a decryption stage into the encrypted binary.
379387# This sets PICOTOOL_EMBED_DECRYPTION to TRUE.
380388# Optionally, use OTP_KEY_PAGE to specify the OTP page storing the AES key.
381389# This sets PICOTOOL_OTP_KEY_PAGE to OTP_KEY_PAGE.
382- function (pico_encrypt_binary TARGET AESFILE)
390+ function (pico_encrypt_binary TARGET AESFILE IVFILE )
383391 set (options EMBED)
384392 set (oneValueArgs OTP_KEY_PAGE SIGFILE)
385393 # set(multiValueArgs )
386- cmake_parse_arguments (PARSE_ARGV 2 ENC "${options} " "${oneValueArgs} " "${multiValueArgs} " )
394+ cmake_parse_arguments (PARSE_ARGV 3 ENC "${options} " "${oneValueArgs} " "${multiValueArgs} " )
387395 picotool_check_configurable(${TARGET} )
388396 set_target_properties (${TARGET} PROPERTIES
389397 PICOTOOL_AESFILE ${AESFILE}
390398 )
399+ set_target_properties (${TARGET} PROPERTIES
400+ PICOTOOL_IVFILE ${IVFILE}
401+ )
391402
392403 if (ENC_EMBED)
393404 set_target_properties (${TARGET} PROPERTIES
@@ -512,6 +523,10 @@ function(picotool_postprocess_binary TARGET)
512523 if (picotool_aesfile)
513524 pico_add_link_depend(${TARGET} ${picotool_aesfile} )
514525 endif ()
526+ get_target_property (picotool_ivfile ${TARGET} PICOTOOL_IVFILE)
527+ if (picotool_ivfile)
528+ pico_add_link_depend(${TARGET} ${picotool_ivfile} )
529+ endif ()
515530 get_target_property (picotool_enc_sigfile ${TARGET} PICOTOOL_ENC_SIGFILE)
516531 if (picotool_enc_sigfile)
517532 pico_add_link_depend(${TARGET} ${picotool_enc_sigfile} )
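Review bot: The `get_target_property` / `if` / `pico_add_link_depend` triplet added for PICOTOOL_IVFILE is now the third verbatim copy of the same pattern in picotool_postprocess_binary, with the ENC_SIGFILE one following directly below. A small helper taking the property name, e.g. `picotool_add_property_link_depend(${TARGET} PICOTOOL_IVFILE)`, would keep the list of files that trigger a relink in one place, which matters here because forgetting one of these means a changed key or IV file is not picked up on an incremental build. The enclosing function continues outside this hunk.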
@@ -551,7 +566,7 @@ function(picotool_postprocess_binary TARGET)
551566 VERBATIM )
552567 endif ()
553568 # Encryption
554- if (picotool_aesfile)
569+ if (picotool_aesfile AND picotool_ivfile )
555570 get_target_property (picotool_embed_decryption ${TARGET} PICOTOOL_EMBED_DECRYPTION)
556571 if (picotool_embed_decryption)
557572 list (APPEND picotool_encrypt_args "--embed" )
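Review bot: With `if (picotool_aesfile AND picotool_ivfile )`, a target whose PICOTOOL_AESFILE is set but PICOTOOL_IVFILE is not is now silently left unencrypted instead of failing, which is the wrong default for a confidentiality control: a caller on the old two-argument API or a direct `set_target_properties` of PICOTOOL_AESFILE produces a plaintext binary with no diagnostic. Add an explicit branch after the encryption block's `endif ()`: `elseif (picotool_aesfile)` / `message(FATAL_ERROR "${TARGET}: PICOTOOL_AESFILE is set but PICOTOOL_IVFILE is not; encryption requires both")`. The encryption block and picotool_postprocess_binary continue outside this hunk.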
@@ -563,13 +578,13 @@ function(picotool_postprocess_binary TARGET)
563578 endif ()
564579
565580 add_custom_command (TARGET ${TARGET} POST_BUILD
566- DEPENDS ${picotool_enc_sigfile} ${picotool_aesfile}
581+ DEPENDS ${picotool_enc_sigfile} ${picotool_aesfile} ${picotool_ivfile}
567582 COMMAND picotool
568583 ARGS encrypt
569584 --quiet --hash --sign
570585 ${picotool_encrypt_args}
571586 $<TARGET_FILE:${TARGET} > $<TARGET_FILE:${TARGET} >
572- ${picotool_aesfile} ${picotool_enc_sigfile} ${otp_file}
587+ ${picotool_aesfile} ${picotool_ivfile} ${ picotool_enc_sigfile} ${otp_file}
573588 COMMAND_EXPAND_LISTS
574589 VERBATIM )
575590 if (ARGC EQUAL 2)
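Review bot: `DEPENDS ${picotool_enc_sigfile} ${picotool_aesfile} ${picotool_ivfile}` extends a DEPENDS clause on an `add_custom_command (TARGET ... POST_BUILD` command, but DEPENDS belongs to the OUTPUT signature and, as far as I know, is not honoured by the TARGET form; the thing that actually makes the IV file a relink trigger is the `pico_add_link_depend` added earlier in this commit. Either drop the clause or mark it so the next reader does not rely on it, e.g. `# DEPENDS is not honoured for TARGET/POST_BUILD; relink on key/IV changes comes from pico_add_link_depend`. Separately, `${ picotool_enc_sigfile}` on the arguments line looks like a rendering artefact, but if that space is really in the file the signature-file argument will not expand as intended and is worth checking.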