From 7d8664cbde38ab286a76e2b2c0a335a6f1d2c637 Mon Sep 17 00:00:00 2001 From: Dinesh Kumar K Date: Tue, 6 Jun 2023 16:36:57 +0530 Subject: [PATCH 1/2] boot: Add MCUBOOT_HW_KEY support for image encryption Currently encryption supports only private key embed in mcuboot itself. To support MCUBOOT_HW_KEY for image encryption boot_retrieve_private_key() hook is added. This hook helps retrieving private key from trusted sources like OTP, TPM. Signed-off-by: Dinesh Kumar K --- boot/bootutil/include/bootutil/enc_key.h | 13 +++++++++- boot/bootutil/src/encrypted.c | 30 ++++++++++++++++-------- boot/cypress/MCUBootApp/keys.c | 9 +++++++ boot/mbed/app_enc_keys.c | 9 +++++++ boot/zephyr/keys.c | 9 +++++++ ci/mynewt_keys/enc_kw/src/keys.c | 9 +++++++ ci/mynewt_keys/enc_rsa/src/keys.c | 9 +++++++ sim/mcuboot-sys/csupport/keys.c | 9 +++++++ 8 files changed, 86 insertions(+), 11 deletions(-) diff --git a/boot/bootutil/include/bootutil/enc_key.h b/boot/bootutil/include/bootutil/enc_key.h index 768dd8e7e..f4c47becd 100644 --- a/boot/bootutil/include/bootutil/enc_key.h +++ b/boot/bootutil/include/bootutil/enc_key.h @@ -32,6 +32,7 @@ #include #include "bootutil/crypto/aes_ctr.h" #include "bootutil/image.h" +#include "bootutil/sign_key.h" #include "bootutil/enc_key_public.h" #ifdef __cplusplus @@ -45,7 +46,17 @@ struct enc_key_data { bootutil_aes_ctr_context aes_ctr; }; -extern const struct bootutil_key bootutil_enc_key; +/** + * Retrieve the private key for image encryption. + * + * @param[out] private_key structure to store the private key and + * its length. + * + * @return 0 on success; nonzero on failure. + * + */ +int boot_enc_retrieve_private_key(struct bootutil_key **private_key); + struct boot_status; int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot); diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index 39e34dbd3..4082611c4 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c 
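Review bot: The hook declared in enc_key.h returns the key through a non-const `struct bootutil_key **`, which forces every default implementation in this patch (boot/cypress/MCUBootApp/keys.c, boot/mbed/app_enc_keys.c, boot/zephyr/keys.c, both ci/mynewt_keys files and sim/mcuboot-sys/csupport/keys.c) to cast away the `const` of `bootutil_enc_key`. The visible hunks of boot_enc_decrypt only read the key, so the prototype could be `int boot_enc_retrieve_private_key(const struct bootutil_key **private_key);` with the local in encrypted.c made const to match. The doc comment should also state the contract a hardware implementation must meet: on a 0 return, `*private_key`, its `key` and its `len` must be non-NULL, and the storage must stay valid until boot_enc_decrypt returns. Who clears key material read from OTP or a TPM afterwards is currently unspecified.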
@@ -67,13 +67,13 @@ static int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, si #if defined(MCUBOOT_ENCRYPT_KW) static int -key_unwrap(const uint8_t *wrapped, uint8_t *enckey) +key_unwrap(const uint8_t *wrapped, uint8_t *enckey, struct bootutil_key *bootutil_enc_key) { bootutil_aes_kw_context aes_kw; int rc; bootutil_aes_kw_init(&aes_kw); - rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key.key, *bootutil_enc_key.len); + rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key->key, *bootutil_enc_key->len); if (rc != 0) { goto done; } @@ -441,13 +441,23 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey) uint8_t counter[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE]; uint16_t len; #endif + struct bootutil_key *bootutil_enc_key = NULL; int rc = -1; + rc = boot_enc_retrieve_private_key(&bootutil_enc_key); + if (rc) { + return rc; + } + + if (bootutil_enc_key == NULL) { + return rc; + } + #if defined(MCUBOOT_ENCRYPT_RSA) bootutil_rsa_init(&rsa); - cp = (uint8_t *)bootutil_enc_key.key; - cpend = cp + *bootutil_enc_key.len; + cp = (uint8_t *)bootutil_enc_key->key; + cpend = cp + *bootutil_enc_key->len; /* The enckey is encrypted through RSA so for decryption we need the private key */ rc = bootutil_rsa_parse_private_key(&rsa, &cp, cpend); @@ -466,15 +476,15 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey) #if defined(MCUBOOT_ENCRYPT_KW) - assert(*bootutil_enc_key.len == BOOT_ENC_KEY_SIZE); - rc = key_unwrap(buf, enckey); + assert(*bootutil_enc_key->len == BOOT_ENC_KEY_SIZE); + rc = key_unwrap(buf, enckey, bootutil_enc_key); #endif /* defined(MCUBOOT_ENCRYPT_KW) */ #if defined(MCUBOOT_ENCRYPT_EC256) - cp = (uint8_t *)bootutil_enc_key.key; - cpend = cp + *bootutil_enc_key.len; + cp = (uint8_t *)bootutil_enc_key->key; + cpend = cp + *bootutil_enc_key->len; /* * Load the stored EC256 decryption private key 
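Review bot: In the block added at the top of boot_enc_decrypt, the `bootutil_enc_key == NULL` branch returns `rc`, which is always 0 there because the preceding `if (rc)` has already returned every non-zero value. A hook that reports success but leaves the pointer unset therefore makes boot_enc_decrypt return success without ever writing `enckey`. That branch should fail closed, `if (bootutil_enc_key == NULL) { return -1; }`, and the same guard could cover `bootutil_enc_key->key` and `bootutil_enc_key->len`, which are dereferenced further down without a check. The initialiser in `int rc = -1;` is now dead, since `rc` is overwritten by the next statement. The body of boot_enc_decrypt starts before and continues after this hunk.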
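Review bot: The AES-KW branch still validates the key length only with `assert(*bootutil_enc_key->len == BOOT_ENC_KEY_SIZE);`, but after this change the length can come from a platform hook rather than a compile-time table. If the bootloader is built with assertions disabled (not visible here), a wrong-sized key would be passed straight to key_unwrap. A runtime check such as `if (*bootutil_enc_key->len != BOOT_ENC_KEY_SIZE) { return -1; }` keeps the failure explicit in every build. The function extends beyond the hunk, so confirm there whether that early return needs any cleanup.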
@@ -500,8 +510,8 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey) #if defined(MCUBOOT_ENCRYPT_X25519) - cp = (uint8_t *)bootutil_enc_key.key; - cpend = cp + *bootutil_enc_key.len; + cp = (uint8_t *)bootutil_enc_key->key; + cpend = cp + *bootutil_enc_key->len; /* * Load the stored X25519 decryption private key diff --git a/boot/cypress/MCUBootApp/keys.c b/boot/cypress/MCUBootApp/keys.c index 20c0332f6..6f06a7d99 100644 --- a/boot/cypress/MCUBootApp/keys.c +++ b/boot/cypress/MCUBootApp/keys.c @@ -167,3 +167,12 @@ const struct bootutil_key bootutil_enc_key = { .key = enc_priv_key, .len = &enc_priv_key_len, }; + +#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES) +int boot_enc_retrieve_private_key(struct bootutil_key **private_key) +{ + *private_key = (struct bootutil_key *)&bootutil_enc_key; + + return 0; +} +#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */ diff --git a/boot/mbed/app_enc_keys.c b/boot/mbed/app_enc_keys.c index 9bed4d80f..be4f9cb55 100644 --- a/boot/mbed/app_enc_keys.c +++ b/boot/mbed/app_enc_keys.c @@ -69,3 +69,12 @@ const struct bootutil_key bootutil_enc_key = { #endif #endif + +#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES) +int boot_enc_retrieve_private_key(struct bootutil_key **private_key) +{ + *private_key = (struct bootutil_key *)&bootutil_enc_key; + + return 0; +} +#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */ diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c index ab403ddc3..f1d7e3475 100644 --- a/boot/zephyr/keys.c +++ b/boot/zephyr/keys.c @@ -86,3 +86,12 @@ const struct bootutil_key bootutil_enc_key = { #elif defined(MCUBOOT_ENCRYPT_KW) #error "Encrypted images with AES-KW is not implemented yet." #endif + +#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES) +int boot_enc_retrieve_private_key(struct bootutil_key **private_key) +{ + *private_key = (struct bootutil_key *)&bootutil_enc_key; + + return 0; +} +#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */ 
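Review bot: The new `#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)` guard in boot/cypress/MCUBootApp/keys.c removes only the default hook when MCUBOOT_HW_KEY is set; the `bootutil_enc_key` definition shown as context just above it sits outside that guard. Unless a conditional outside the hunk excludes it, a hardware-key build would still link the embedded private key into the bootloader image, which is the exposure the option is meant to remove. Consider placing the key definition under the same `!defined(MCUBOOT_HW_KEY)` condition; the same applies to boot/mbed/app_enc_keys.c, boot/zephyr/keys.c, the two ci/mynewt_keys files and sim/mcuboot-sys/csupport/keys.c. The nine added lines are identical in all six files, so a single shared default would be easier to keep in sync.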
diff --git a/ci/mynewt_keys/enc_kw/src/keys.c b/ci/mynewt_keys/enc_kw/src/keys.c
index ae4c5c7bb..c53459ef7 100644
--- a/ci/mynewt_keys/enc_kw/src/keys.c
+++ b/ci/mynewt_keys/enc_kw/src/keys.c
@@ -28,3 +28,12 @@ const struct bootutil_key bootutil_enc_key = {
 .key = enc_key,
 .len = &enc_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+ *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+ return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */
diff --git a/ci/mynewt_keys/enc_rsa/src/keys.c b/ci/mynewt_keys/enc_rsa/src/keys.c
index 201d6ad12..1d07f5cc1 100644
--- a/ci/mynewt_keys/enc_rsa/src/keys.c
+++ b/ci/mynewt_keys/enc_rsa/src/keys.c
@@ -126,3 +126,12 @@ const struct bootutil_key bootutil_enc_key = {
 .key = enc_key,
 .len = &enc_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+ *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+ return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */
diff --git a/sim/mcuboot-sys/csupport/keys.c b/sim/mcuboot-sys/csupport/keys.c
index 82a746ba0..316d10385 100644
--- a/sim/mcuboot-sys/csupport/keys.c
+++ b/sim/mcuboot-sys/csupport/keys.c
@@ -328,3 +328,12 @@ const struct bootutil_key bootutil_enc_key = {
 .len = &enc_key_len,
 };
 #endif
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+ *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+ return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */
From 5697293939bfde75c210ca1e17dd5071f5c5b22f Mon Sep 17 00:00:00 2001
From: Dinesh Kumar K
Date: Tue, 28 May 2024 20:36:35 +0530
Subject: [PATCH 2/2] docs: Add release note snippet on MCUBOOT_HW_KEY for image encryption
Signed-off-by: Dinesh Kumar K
---
 docs/release-notes.d/bootutil-enc-hw-keys.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 docs/release-notes.d/bootutil-enc-hw-keys.md
diff --git a/docs/release-notes.d/bootutil-enc-hw-keys.md b/docs/release-notes.d/bootutil-enc-hw-keys.md
new file mode 100644
index 000000000..2640b6772
--- /dev/null
+++ b/docs/release-notes.d/bootutil-enc-hw-keys.md
@@ -0,0 +1,2 @@
+- Added support for retrieving hw embed private keys for image encryption
+ (The private key can be retrieved from trusted sources like OTP, TPM.).