[nrf noup] scripts: imgtool: pretended encryption flag

allows to set encryption flags and TLV's without applying encryption. Signed-off-by: Mateusz Michalek <[email protected]>
nrfconnect · Feb 10, 2025 · 72552b5 · 72552b5
1 parent 3a25855
commit 72552b5
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
@@ -259,7 +259,7 @@ def __init__(self, version=None, header_size=IMAGE_HEADER_SIZE,
                  overwrite_only=False, endian="little", load_addr=0,
                  rom_fixed=None, erased_val=None, save_enctlv=False,
                  security_counter=None, max_align=None,
-                 non_bootable=False):
+                 non_bootable=False, skip_encryption=False):
 
         if load_addr and rom_fixed:
             raise click.UsageError("Can not set rom_fixed and load_addr at the same time")
@@ -288,6 +288,7 @@ def __init__(self, version=None, header_size=IMAGE_HEADER_SIZE,
         self.enctlv_len = 0
         self.max_align = max(DEFAULT_MAX_ALIGN, align) if max_align is None else int(max_align)
         self.non_bootable = non_bootable
+        self.skip_encryption = skip_encryption
 
         if self.max_align == DEFAULT_MAX_ALIGN:
             self.boot_magic = bytes([
@@ -685,10 +686,11 @@ def create(self, key, public_key_format, enckey, dependencies=None,
                 nonce = bytes([0] * 16)
                 cipher = Cipher(algorithms.AES(plainkey), modes.CTR(nonce),
                                 backend=default_backend())
-                encryptor = cipher.encryptor()
-                img = bytes(self.payload[self.header_size:])
-                self.payload[self.header_size:] = \
-                    encryptor.update(img) + encryptor.finalize()
+                if not self.skip_encryption:
+                    encryptor = cipher.encryptor()
+                    img = bytes(self.payload[self.header_size:])
+                    self.payload[self.header_size:] = \
+                        encryptor.update(img) + encryptor.finalize()
 
         self.payload += prot_tlv.get()
         self.payload += tlv.get()

diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
@@ -370,6 +370,8 @@ def convert(self, value, param, ctx):
               help='Enable image compression using specified type. '
                    'Will fall back without image compression automatically '
                    'if the compression increases the image size.')
+@click.option('--skip-encryption', default=False, is_flag=True,
+              help='Set encryption flags and TLV\'s without applying encryption.')
 @click.option('-c', '--clear', required=False, is_flag=True, default=False,
               help='Output a non-encrypted image with encryption capabilities,'
                    'so it can be installed in the primary slot, and encrypted '
@@ -449,7 +451,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
          dependencies, load_addr, hex_addr, erased_val, save_enctlv,
          security_counter, boot_record, custom_tlv, rom_fixed, max_align,
          clear, fix_sig, fix_sig_pubkey, sig_out, user_sha, is_pure,
-         vector_to_sign, non_bootable):
+         vector_to_sign, non_bootable, skip_encryption):
 
     if confirm:
         # Confirmed but non-padded images don't make much sense, because
@@ -462,7 +464,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
                       endian=endian, load_addr=load_addr, rom_fixed=rom_fixed,
                       erased_val=erased_val, save_enctlv=save_enctlv,
                       security_counter=security_counter, max_align=max_align,
-                      non_bootable=non_bootable)
+                      non_bootable=non_bootable, skip_encryption=skip_encryption)
     compression_tlvs = {}
     img.load(infile)
     key = load_key(key) if key else None