boot: Introduce the MCUBOOT_ENC_BUILTIN_KEY option
- Introduce the MCUBOOT_ENC_BUILTIN_KEY config option for controlling the
usage of builtin key-encryption keys and replacing the MCUBOOT_HW_KEY
option in the image encryption module to avoid ambiguity as the latter
mentioned option is meant for configuring the handling of the
image verification keys,
- Add encryption build configs to template file.

Change-Id: Ic633d2103fb4e56d9fafdabef1fbddc3244cb795
Signed-off-by: David Vincze <david.vincze@arm.com>
davidvincze authored and nordicjm committed Aug 21, 2024
1 parent ab4fb32 commit 6071ceb
Showing 2 changed files with 30 additions and 3 deletions.
6 changes: 3 additions & 3 deletions boot/bootutil/src/encrypted.c
Expand Up @@ -336,20 +336,20 @@ hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len,
}
#endif /* MCUBOOT_ENCRYPT_EC256 || MCUBOOT_ENCRYPT_X25519 */

#if !defined(MCUBOOT_HW_KEY)
#if !defined(MCUBOOT_ENC_BUILTIN_KEY)
extern const struct bootutil_key bootutil_enc_key;

/*
* Default implementation to retrieve the private encryption key which is
* embedded in the bootloader code (when MCUBOOT_HW_KEY is not defined).
* embedded in the bootloader code (when MCUBOOT_ENC_BUILTIN_KEY is not defined).
*/
int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
{
*private_key = (struct bootutil_key *)&bootutil_enc_key;

return 0;
}
#endif /* !MCUBOOT_HW_KEY */
#endif /* !MCUBOOT_ENC_BUILTIN_KEY */

int
boot_enc_init(struct enc_key_data *enc_state, uint8_t slot)
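
Review bot: switching the guard around boot_enc_retrieve_private_key() from MCUBOOT_HW_KEY to MCUBOOT_ENC_BUILTIN_KEY changes behaviour for existing configurations, and nothing in this hunk flags it. A port that defines MCUBOOT_HW_KEY and supplies its own boot_enc_retrieve_private_key() will now also compile this default unless it adds MCUBOOT_ENC_BUILTIN_KEY, which leaves two definitions of the same function. Please document the migration step for such ports. The comment block above the function would also benefit from stating that when MCUBOOT_ENC_BUILTIN_KEY is defined this file provides no implementation and the port must supply one.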
27 changes: 27 additions & 0 deletions samples/mcuboot_config/mcuboot_config.template.h
Expand Up @@ -88,6 +88,33 @@
/* Uncomment to use Tinycrypt's. */
/* #define MCUBOOT_USE_TINYCRYPT */

/*
* Encrypted images
*
* Uncomment one of the below options (MCUBOOT_ENCRYPT_x) to enable
* encrypted image upgrades.
*/

/* Uncomment to use RSA-OAEP for key encryption */
/* #define MCUBOOT_ENCRYPT_RSA */
/* Uncomment to use AES-KW for key encryption */
/* #define MCUBOOT_ENCRYPT_KW */
/* Uncomment to use ECIES-P256 for key encryption */
/* #define MCUBOOT_ENCRYPT_EC256 */
/* Uncomment to use ECIES-X25519 for key encryption */
/* #define MCUBOOT_ENCRYPT_X25519 */

/* Uncomment to use a builtin key-encryption key (retrieved from a trusted
* source - if implemented) instead of a key embedded in the bootloader. */
/* #define MCUBOOT_ENC_BUILTIN_KEY */

#if defined(MCUBOOT_ENCRYPT_RSA) || \
defined(MCUBOOT_ENCRYPT_KW) || \
defined(MCUBOOT_ENCRYPT_EC256) || \
defined(MCUBOOT_ENCRYPT_X25519)
#define MCUBOOT_ENC_IMAGES
#endif

/*
* Always check the signature of the image in the primary slot before booting,
* even if no upgrade was performed. This is recommended if the boot
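
Review bot: the comment above MCUBOOT_ENC_BUILTIN_KEY says the key is "retrieved from a trusted source - if implemented" but does not say what has to be implemented. Going by the guard in encrypted.c, defining this option removes the default boot_enc_retrieve_private_key(), so the template should name that function as the one the port must provide. Separately, the section header says to uncomment one MCUBOOT_ENCRYPT_x option, yet the #if chain that defines MCUBOOT_ENC_IMAGES accepts any combination of them. An #error when more than one is defined, or when MCUBOOT_ENC_BUILTIN_KEY is set without any of them, would catch a misconfiguration at build time.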
