imgtool: Temporary workaround for entanglement with TF-M.

de-nordic · de-nordic · commit 9372d159ae28 · 2025-11-04T15:20:51.000Z
Once TF-M stops using internal imgtool APIs this commit should
be reverted.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
@@ -511,7 +511,7 @@ def ecies_hkdf(self, enckey, plainkey, hmac_sha_alg):
                 format=PublicFormat.Raw)
         return cipherkey, ciphermac, pubk
 
-    def create(self, key, public_key_format, enckey, dependencies=None,
+    def create2(self, key, public_key_format, enckey, dependencies=None,
                sw_type=None, custom_tlvs=None, compression_tlvs=None,
                compression_type=None, aes_key=None, clear=False,
                fixed_sig=None, pub_key=None, vector_to_sign=None,
@@ -792,6 +792,30 @@ def create(self, key, public_key_format, enckey, dependencies=None,
 
         self.check_trailer()
 
+    def create(self, key, public_key_format, enckey, dependencies=None,
+                sw_type=None, custom_tlvs=None, compression_tlvs=None,
+                compression_type=None, encrypt_keylen=128, clear=False,
+                fixed_sig=None, pub_key=None, vector_to_sign=None,
+                user_sha='auto', hmac_sha='auto', is_pure=False, keep_comp_size=False,
+                dont_encrypt=False):
+
+        if dont_encrypt:
+            plainkey = None
+        else:
+            if encrypt_keylen == 256:
+                encrypt_keylen_bytes = 32
+            else:
+                encrypt_keylen_bytes = 16
+
+            # No AES plain key and there is request to encrypt, generate random AES key
+            plainkey = os.urandom(encrypt_keylen_bytes)
+
+        return self.create2(key, public_key_format, enckey, dependencies, sw_type,
+                        custom_tlvs, compression_tlvs, compression_type,
+                        plainkey, clear, fixed_sig, pub_key, vector_to_sign,
+                        user_sha, hmac_sha, is_pure, keep_comp_size)
+
+
     def get_struct_endian(self):
         return STRUCT_ENDIAN_DICT[self.endian]
 
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
@@ -565,7 +565,7 @@ def sign(ctx, key, public_key_format, align, version, pad_sig, header_size,
         plainkey = os.urandom(encrypt_keylen_bytes)
 
     if compression in ["lzma2", "lzma2armthumb"]:
-        img.create(key, public_key_format, enckey, dependencies, boot_record,
+        img.create2(key, public_key_format, enckey, dependencies, boot_record,
                custom_tlvs, compression_tlvs, None, None, clear,
                baked_signature, pub_key, vector_to_sign, user_sha=user_sha,
                hmac_sha=hmac_sha, is_pure=is_pure, keep_comp_size=False)
@@ -610,14 +610,14 @@ def sign(ctx, key, public_key_format, align, version, pad_sig, header_size,
             keep_comp_size = False
             if enckey:
                 keep_comp_size = True
-            compressed_img.create(key, public_key_format, enckey,
+            compressed_img.create2(key, public_key_format, enckey,
                dependencies, boot_record, custom_tlvs, compression_tlvs,
                compression, plainkey, clear, baked_signature,
                pub_key, vector_to_sign, user_sha=user_sha, hmac_sha=hmac_sha,
                is_pure=is_pure, keep_comp_size=keep_comp_size)
             img = compressed_img
     else:
-        img.create(key, public_key_format, enckey, dependencies, boot_record,
+        img.create2(key, public_key_format, enckey, dependencies, boot_record,
                custom_tlvs, compression_tlvs, None, plainkey, clear,
                baked_signature, pub_key, vector_to_sign, user_sha=user_sha,
                hmac_sha=hmac_sha, is_pure=is_pure)
