boot: Add MCUBOOT_HW_KEY support for image encryption #1722

Merged
merged 2 commits into from
Jun 12, 2024
13 changes: 12 additions & 1 deletion boot/bootutil/include/bootutil/enc_key.h
Expand Up @@ -32,6 +32,7 @@
#include <flash_map_backend/flash_map_backend.h>
#include "bootutil/crypto/aes_ctr.h"
#include "bootutil/image.h"
#include "bootutil/sign_key.h"
#include "bootutil/enc_key_public.h"

#ifdef __cplusplus
Expand All @@ -45,7 +46,17 @@ struct enc_key_data {
bootutil_aes_ctr_context aes_ctr;
};

extern const struct bootutil_key bootutil_enc_key;
/**
* Retrieve the private key for image encryption.
*
* @param[out] private_key structure to store the private key and
* its length.
*
* @return 0 on success; nonzero on failure.
*
*/
int boot_enc_retrieve_private_key(struct bootutil_key **private_key);

struct boot_status;

int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot);
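Review bot: The doc comment on `boot_enc_retrieve_private_key` does not say who owns the returned key or how long it must stay valid, which matters once the key comes from OTP or a TPM rather than a const table. It describes `private_key` as a "structure to store the private key", but the parameter is a `struct bootutil_key **` that the implementation points at its own object. I would reword it along the lines of `@param[out] private_key set to point at the key structure; non-NULL on success and valid until boot_enc_decrypt() returns`. The comment should also state whether the platform or bootutil is expected to wipe any RAM copy of the key after use, since the API has a retrieve call but no visible release call.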
30 changes: 20 additions & 10 deletions boot/bootutil/src/encrypted.c
Expand Up @@ -67,13 +67,13 @@ static int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, si

#if defined(MCUBOOT_ENCRYPT_KW)
static int
key_unwrap(const uint8_t *wrapped, uint8_t *enckey)
key_unwrap(const uint8_t *wrapped, uint8_t *enckey, struct bootutil_key *bootutil_enc_key)
{
bootutil_aes_kw_context aes_kw;
int rc;

bootutil_aes_kw_init(&aes_kw);
rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key.key, *bootutil_enc_key.len);
rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key->key, *bootutil_enc_key->len);
if (rc != 0) {
goto done;
}
Expand Down Expand Up @@ -441,13 +441,23 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)
uint8_t counter[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
uint16_t len;
#endif
struct bootutil_key *bootutil_enc_key = NULL;
int rc = -1;

rc = boot_enc_retrieve_private_key(&bootutil_enc_key);
if (rc) {
return rc;
}

if (bootutil_enc_key == NULL) {
return rc;
}

#if defined(MCUBOOT_ENCRYPT_RSA)

bootutil_rsa_init(&rsa);
cp = (uint8_t *)bootutil_enc_key.key;
cpend = cp + *bootutil_enc_key.len;
cp = (uint8_t *)bootutil_enc_key->key;
cpend = cp + *bootutil_enc_key->len;

/* The enckey is encrypted through RSA so for decryption we need the private key */
rc = bootutil_rsa_parse_private_key(&rsa, &cp, cpend);
Expand All @@ -466,15 +476,15 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)

#if defined(MCUBOOT_ENCRYPT_KW)

assert(*bootutil_enc_key.len == BOOT_ENC_KEY_SIZE);
rc = key_unwrap(buf, enckey);
assert(*bootutil_enc_key->len == BOOT_ENC_KEY_SIZE);
rc = key_unwrap(buf, enckey, bootutil_enc_key);

#endif /* defined(MCUBOOT_ENCRYPT_KW) */

#if defined(MCUBOOT_ENCRYPT_EC256)

cp = (uint8_t *)bootutil_enc_key.key;
cpend = cp + *bootutil_enc_key.len;
cp = (uint8_t *)bootutil_enc_key->key;
cpend = cp + *bootutil_enc_key->len;

/*
* Load the stored EC256 decryption private key
Expand All @@ -500,8 +510,8 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)

#if defined(MCUBOOT_ENCRYPT_X25519)

cp = (uint8_t *)bootutil_enc_key.key;
cpend = cp + *bootutil_enc_key.len;
cp = (uint8_t *)bootutil_enc_key->key;
cpend = cp + *bootutil_enc_key->len;

/*
* Load the stored X25519 decryption private key
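Review bot: In `boot_enc_decrypt`, the new `if (bootutil_enc_key == NULL) { return rc; }` is reached only after `if (rc)` has passed, so `rc` is 0 there and the function reports success without writing `enckey`. A platform hook that returns 0 but leaves the pointer NULL would let the caller continue with an unset image key; the branch should fail explicitly, e.g. `return -1;`. In the AES-KW hunk the key length is still checked only by `assert(*bootutil_enc_key->len == BOOT_ENC_KEY_SIZE)`, which presumably disappears in builds with assertions disabled; now that the key can come from a platform hook, a runtime check that returns an error would be safer. The body of `boot_enc_decrypt` continues outside the visible hunks.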
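--- a/boot/cypress/MCUBootApp/keys.c
+++ b/boot/cypress/MCUBootApp/keys.c
@@ -167,3 +167,12 @@ const struct bootutil_key bootutil_enc_key = {
 .key = enc_priv_key,
 .len = &enc_priv_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+*private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */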
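Review bot: The default `boot_enc_retrieve_private_key` casts away the `const` of `bootutil_enc_key` with `(struct bootutil_key *)&bootutil_enc_key`, handing bootutil a writable pointer to an object that is defined `const`. The callers visible in encrypted.c only read `->key` and `->len`, so the hook could take `const struct bootutil_key **private_key` and the body become `*private_key = &bootutil_enc_key;`, which makes an accidental write to key material a compile-time error. The same function is copied verbatim into boot/mbed/app_enc_keys.c, boot/zephyr/keys.c, ci/mynewt_keys/enc_kw/src/keys.c, ci/mynewt_keys/enc_rsa/src/keys.c and sim/mcuboot-sys/csupport/keys.c; a single shared default would keep the copies from drifting.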
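--- a/boot/mbed/app_enc_keys.c
+++ b/boot/mbed/app_enc_keys.c
@@ -69,3 +69,12 @@ const struct bootutil_key bootutil_enc_key = {
 #endif
 
 #endif
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+*private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */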
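--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -86,3 +86,12 @@ const struct bootutil_key bootutil_enc_key = {
 #elif defined(MCUBOOT_ENCRYPT_KW)
 #error "Encrypted images with AES-KW is not implemented yet."
 #endif
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+*private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */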
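--- a/ci/mynewt_keys/enc_kw/src/keys.c
+++ b/ci/mynewt_keys/enc_kw/src/keys.c
@@ -28,3 +28,12 @@ const struct bootutil_key bootutil_enc_key = {
 .key = enc_key,
 .len = &enc_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+*private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */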
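--- a/ci/mynewt_keys/enc_rsa/src/keys.c
+++ b/ci/mynewt_keys/enc_rsa/src/keys.c
@@ -126,3 +126,12 @@ const struct bootutil_key bootutil_enc_key = {
 .key = enc_key,
 .len = &enc_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+*private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */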
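--- a/docs/release-notes.d/bootutil-enc-hw-keys.md
+++ b/docs/release-notes.d/bootutil-enc-hw-keys.md
@@ -0,0 +1,2 @@
+- Added support for retrieving hw embed private keys for image encryption
+(The private key can be retrieved from trusted sources like OTP, TPM.).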
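--- a/sim/mcuboot-sys/csupport/keys.c
+++ b/sim/mcuboot-sys/csupport/keys.c
@@ -328,3 +328,12 @@ const struct bootutil_key bootutil_enc_key = {
 .len = &enc_key_len,
 };
 #endif
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+*private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */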