Skip to content

Commit

Permalink
boot: Add MCUBOOT_HW_KEY support for image encryption
Browse files Browse the repository at this point in the history
Currently encryption supports only private key embed
in mcuboot itself. To support MCUBOOT_HW_KEY for image
encryption boot_retrieve_private_key() hook is added.

This hook helps retrieving private key from trusted
sources like OTP, TPM.

Signed-off-by: Dinesh Kumar K <[email protected]>
  • Loading branch information
DineshDK03 committed Jun 15, 2023
1 parent a5db515 commit b557325
Show file tree
Hide file tree
Showing 5 changed files with 48 additions and 4 deletions.
13 changes: 12 additions & 1 deletion boot/bootutil/include/bootutil/enc_key.h
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
#include <flash_map_backend/flash_map_backend.h>
#include "bootutil/crypto/aes_ctr.h"
#include "bootutil/image.h"
#include "bootutil/sign_key.h"
#include "bootutil/enc_key_public.h"

#ifdef __cplusplus
Expand All @@ -45,7 +46,17 @@ struct enc_key_data {
bootutil_aes_ctr_context aes_ctr;
};

extern const struct bootutil_key bootutil_enc_key;
/**
* Retrieve the private key for image encryption.
*
* @param[out] private_key structure to store the private key and
* its length.
*
* @return 0 on success; nonzero on failure.
*
*/
int boot_retrieve_private_key(const struct bootutil_key *private_key);

struct boot_status;

int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot);
Expand Down
10 changes: 8 additions & 2 deletions boot/bootutil/src/encrypted.c
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ static int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, si

#if defined(MCUBOOT_ENCRYPT_KW)
static int
key_unwrap(const uint8_t *wrapped, uint8_t *enckey)
key_unwrap(const uint8_t *wrapped, uint8_t *enckey, const struct bootutil_enc_key)
{
bootutil_aes_kw_context aes_kw;
int rc;
Expand Down Expand Up @@ -438,8 +438,14 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)
uint8_t counter[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
uint16_t len;
#endif
const struct bootutil_key bootutil_enc_key = {0};
int rc = -1;

rc = boot_retrieve_private_key(&bootutil_enc_key);
if (rc) {
return rc;
}

#if defined(MCUBOOT_ENCRYPT_RSA)

bootutil_rsa_init(&rsa);
Expand All @@ -464,7 +470,7 @@ boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)
#if defined(MCUBOOT_ENCRYPT_KW)

assert(*bootutil_enc_key.len == BOOT_ENC_KEY_SIZE);
rc = key_unwrap(buf, enckey);
rc = key_unwrap(buf, enckey, bootutil_enc_key);

#endif /* defined(MCUBOOT_ENCRYPT_KW) */

Expand Down
9 changes: 9 additions & 0 deletions boot/cypress/MCUBootApp/keys.c
Original file line number Diff line number Diff line change
Expand Up @@ -167,3 +167,12 @@ const struct bootutil_key bootutil_enc_key = {
.key = enc_priv_key,
.len = &enc_priv_key_len,
};

#if !defined(MCUBOOT_HW_KEY)
int boot_retrieve_private_key(const struct bootutil_key *private_key)
{
private_key = &bootutil_enc_key;

return 0;
}
#endif /* !MCUBOOT_HW_KEY */
9 changes: 9 additions & 0 deletions boot/mbed/app_enc_keys.c
Original file line number Diff line number Diff line change
Expand Up @@ -69,3 +69,12 @@ const struct bootutil_key bootutil_enc_key = {
#endif

#endif

#if !defined(MCUBOOT_HW_KEY)
int boot_retrieve_private_key(const struct bootutil_key *private_key)
{
private_key = &bootutil_enc_key;

return 0;
}
#endif /* !MCUBOOT_HW_KEY */
11 changes: 10 additions & 1 deletion boot/zephyr/keys.c
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,7 @@ const struct bootutil_key bootutil_enc_key = {
.len = &enc_priv_key_len,
};
#elif defined(MCUBOOT_ENCRYPT_EC256)
extern const unsigned char enc_priv_key[];
extern unsigned char enc_priv_key[];
extern unsigned int enc_priv_key_len;
const struct bootutil_key bootutil_enc_key = {
.key = enc_priv_key,
Expand All @@ -207,3 +207,12 @@ const struct bootutil_key bootutil_enc_key = {
#elif defined(MCUBOOT_ENCRYPT_KW)
#error "Encrypted images with AES-KW is not implemented yet."
#endif

#if !defined(MCUBOOT_HW_KEY)
int boot_retrieve_private_key(const struct bootutil_key *private_key)
{
private_key = &bootutil_enc_key;

return 0;
}
#endif /* !MCUBOOT_HW_KEY */

0 comments on commit b557325

Please sign in to comment.