boot: Add MCUBOOT_HW_KEY support for image encryption

Currently encryption supports only private key embed
in mcuboot itself. To support MCUBOOT_HW_KEY for image
encryption boot_retrieve_private_key() hook is added.

This hook helps retrieving private key from trusted
sources like OTP, TPM.

Signed-off-by: Dinesh Kumar K <[email protected]>

boot/bootutil/include/bootutil/enc_key.h

@@ -45,7 +45,23 @@ struct enc_key_data {
     bootutil_aes_ctr_context aes_ctr;
 };
 
+#ifdef MCUBOOT_HW_KEY
+extern struct bootutil_key bootutil_enc_key;
+
+/**
+ * Retrieve the private key for image encryption.
+ *
+ * @param[out]  private_key  Buffer to store the private key in.
+ * @param[out]  key_size     size of the private key.
+ *
+ * @return                   0 on success; nonzero on failure.
+ *
+ */
+int boot_retrieve_private_key(uint8_t **private_key, unsigned int **key_size);
+#else
 extern const struct bootutil_key bootutil_enc_key;
+#endif /* MCUBOOT_HW_KEY */
+
 struct boot_status;
 
 int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot);

boot/bootutil/src/encrypted.c

@@ -513,6 +513,13 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)
 #endif
     int rc = -1;
 
+#if defined(MCUBOOT_HW_KEY)
+    rc = boot_retrieve_private_key(&bootutil_enc_key.key, &bootutil_enc_key.len);
+    if (rc) {
+	return rc;
+    }
+#endif
+
 #if defined(MCUBOOT_ENCRYPT_RSA)
 
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000

boot/zephyr/keys.c

@@ -76,6 +76,7 @@ struct bootutil_key bootutil_keys[1] = {
 const int bootutil_key_cnt = 1;
 #endif /* !MCUBOOT_HW_KEY */
 
+#if !defined(MCUBOOT_HW_KEY)
 #if defined(MCUBOOT_ENCRYPT_RSA)
 unsigned char enc_priv_key[] = {
   0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
@@ -207,3 +208,8 @@ const struct bootutil_key bootutil_enc_key = {
 #elif defined(MCUBOOT_ENCRYPT_KW)
 #error "Encrypted images with AES-KW is not implemented yet."
 #endif
+#endif /* !MCUBOOT_HW_KEY */
+
+#if defined(MCUBOOT_HW_KEY)
+struct bootutil_key bootutil_enc_key = {0};
+#endif