boot: Introduce the MCUBOOT_ENC_BUILTIN_KEY option

- Introduce the MCUBOOT_ENC_BUILTIN_KEY config option for controlling the usage of builtin key-encryption keys and replacing the MCUBOOT_HW_KEY option in the image encryption module to avoid ambiguity as the latter mentioned option is meant for configuring the handling of the image verification keys, - Add encryption build configs to template file. Change-Id: Ic633d2103fb4e56d9fafdabef1fbddc3244cb795 Signed-off-by: David Vincze <david.vincze@arm.com>
mcu-tools · Aug 21, 2024 · 6071ceb · 6071ceb
1 parent ab4fb32
commit 6071ceb
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
@@ -336,20 +336,20 @@ hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len,
 }
 #endif /* MCUBOOT_ENCRYPT_EC256 || MCUBOOT_ENCRYPT_X25519 */
 
-#if !defined(MCUBOOT_HW_KEY)
+#if !defined(MCUBOOT_ENC_BUILTIN_KEY)
 extern const struct bootutil_key bootutil_enc_key;
 
 /*
  * Default implementation to retrieve the private encryption key which is
- * embedded in the bootloader code (when MCUBOOT_HW_KEY is not defined).
+ * embedded in the bootloader code (when MCUBOOT_ENC_BUILTIN_KEY is not defined).
  */
 int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
 {
     *private_key = (struct bootutil_key *)&bootutil_enc_key;
 
     return 0;
 }
-#endif /* !MCUBOOT_HW_KEY */
+#endif /* !MCUBOOT_ENC_BUILTIN_KEY */
 
 int
 boot_enc_init(struct enc_key_data *enc_state, uint8_t slot)

diff --git a/samples/mcuboot_config/mcuboot_config.template.h b/samples/mcuboot_config/mcuboot_config.template.h
@@ -88,6 +88,33 @@
 /* Uncomment to use Tinycrypt's. */
 /* #define MCUBOOT_USE_TINYCRYPT */
 
+/*
+ * Encrypted images
+ *
+ * Uncomment one of the below options (MCUBOOT_ENCRYPT_x) to enable
+ * encrypted image upgrades.
+ */
+
+/* Uncomment to use RSA-OAEP for key encryption */
+/* #define MCUBOOT_ENCRYPT_RSA */
+/* Uncomment to use AES-KW for key encryption */
+/* #define MCUBOOT_ENCRYPT_KW */
+/* Uncomment to use ECIES-P256 for key encryption */
+/* #define MCUBOOT_ENCRYPT_EC256 */
+/* Uncomment to use ECIES-X25519 for key encryption */
+/* #define MCUBOOT_ENCRYPT_X25519 */
+
+/* Uncomment to use a builtin key-encryption key (retrieved from a trusted
+ * source - if implemented) instead of a key embedded in the bootloader. */
+/* #define MCUBOOT_ENC_BUILTIN_KEY */
+
+#if defined(MCUBOOT_ENCRYPT_RSA)    || \
+    defined(MCUBOOT_ENCRYPT_KW)     || \
+    defined(MCUBOOT_ENCRYPT_EC256)  || \
+    defined(MCUBOOT_ENCRYPT_X25519)
+#define MCUBOOT_ENC_IMAGES
+#endif
+
 /*
  * Always check the signature of the image in the primary slot before booting,
  * even if no upgrade was performed. This is recommended if the boot