From f38075bf15e1cb0e63396b1780f8f01707845291 Mon Sep 17 00:00:00 2001
From: Dinesh Kumar K
Date: Tue, 6 Jun 2023 16:36:57 +0530
Subject: [PATCH] boot: Add MCUBOOT_HW_KEY support for image encryption
Currently encryption supports only private key embed in mcuboot itself. To support MCUBOOT_HW_KEY for image encryption boot_retrieve_private_key() hook is added. This hook helps retrieving private key from trusted sources like OTP, TPM.
Signed-off-by: Dinesh Kumar K
---
 boot/bootutil/include/bootutil/enc_key.h | 16 ++++++++++++++++
 boot/bootutil/src/encrypted.c | 7 +++++++
 boot/zephyr/keys.c | 6 ++++++
 3 files changed, 29 insertions(+)
diff --git a/boot/bootutil/include/bootutil/enc_key.h b/boot/bootutil/include/bootutil/enc_key.h
index 768dd8e7ed..1dba83656f 100644
--- a/boot/bootutil/include/bootutil/enc_key.h
+++ b/boot/bootutil/include/bootutil/enc_key.h
@@ -45,7 +45,23 @@ struct enc_key_data {
 bootutil_aes_ctr_context aes_ctr;
 };
+#ifdef MCUBOOT_HW_KEY
+extern struct bootutil_key bootutil_enc_key;
+
+/**
+ * Retrieve the private key for image encryption.
+ *
+ * @param[out] private_key Buffer to store the private key in.
+ * @param[out] key_size size of the private key.
+ *
+ * @return 0 on success; nonzero on failure.
+ *
+ */
+int boot_retrieve_private_key(uint8_t **private_key, unsigned int **key_size);
+#else
 extern const struct bootutil_key bootutil_enc_key;
+#endif /* MCUBOOT_HW_KEY */
+
 struct boot_status;
 int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot);
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
index fdd98524cb..5fec61c012 100644
--- a/boot/bootutil/src/encrypted.c
+++ b/boot/bootutil/src/encrypted.c
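Review bot: The doc comment on `boot_retrieve_private_key()` in the enc_key.h hunk does not match the double-pointer signature and leaves ownership of the key material undefined. `private_key` is described as a "Buffer to store the private key in", yet the hook takes `uint8_t **` and `unsigned int **`, so it appears to hand back pointers to storage it owns rather than fill a caller-supplied buffer. For a private key read from OTP or a TPM the contract should state who owns that storage, how long it must stay valid, what encoding is expected for each MCUBOOT_ENCRYPT_* mode, and who wipes it after use. I would reword the parameters along the lines of `@param[out] private_key Set to point at the private key; storage is owned by the hook and must stay valid until decryption completes.` and `@param[out] key_size Set to point at the key length in bytes.`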
@@ -513,6 +513,13 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)
 #endif
 int rc = -1;
+#if defined(MCUBOOT_HW_KEY)
+ rc = boot_retrieve_private_key(&bootutil_enc_key.key, &bootutil_enc_key.len);
+ if (rc) {
+ return rc;
+ }
+#endif
+
 #if defined(MCUBOOT_ENCRYPT_RSA)
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000
diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c
index b7a9edf791..b71cad8967 100644
--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -76,6 +76,7 @@ struct bootutil_key bootutil_keys[1] = {
 const int bootutil_key_cnt = 1;
 #endif /* !MCUBOOT_HW_KEY */
+#if !defined(MCUBOOT_HW_KEY)
 #if defined(MCUBOOT_ENCRYPT_RSA)
 unsigned char enc_priv_key[] = {
 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
@@ -207,3 +208,8 @@ const struct bootutil_key bootutil_enc_key = {
 #elif defined(MCUBOOT_ENCRYPT_KW)
 #error "Encrypted images with AES-KW is not implemented yet."
 #endif
+#endif /* !MCUBOOT_HW_KEY */
+
+#if defined(MCUBOOT_HW_KEY)
+struct bootutil_key bootutil_enc_key = {0};
+#endif
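Review bot: The block added to `boot_enc_decrypt()` trusts the hook's outputs once it returns 0: neither `bootutil_enc_key.key` nor `bootutil_enc_key.len` is checked before the key-parsing code that follows. Under MCUBOOT_HW_KEY the global starts out as `{0}` (boot/zephyr/keys.c in this patch), so a hook that reports success without setting both pointers would presumably lead to a NULL dereference in the code after the hunk. I would fail closed by adding, right after the existing `if (rc)` check, `if (bootutil_enc_key.key == NULL || bootutil_enc_key.len == NULL || *bootutil_enc_key.len == 0) { return -1; }`. The pointers to the private key also remain in a writable global after the call; the rest of the function lies outside the hunk, so whether they are cleared on the exit paths cannot be seen here and is worth confirming.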
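Review bot: The `#error "Encrypted images with AES-KW is not implemented yet."` branch now sits inside the `#if !defined(MCUBOOT_HW_KEY)` guard that the first keys.c hunk opens and the second closes, so a build that defines both MCUBOOT_HW_KEY and MCUBOOT_ENCRYPT_KW no longer reaches that diagnostic. If AES-KW is meant to work with a hook-supplied key, a comment at the guard should say so; if it is not, the check should stay reachable outside the guard, for example under `#if defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENCRYPT_KW)`. Separately, `bootutil_enc_key` is now defined for every MCUBOOT_HW_KEY build with an empty initializer; a comment such as `/* Filled in by boot_retrieve_private_key() at decrypt time. */` would make it clear that the zeroed value is a placeholder and not a usable key.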