Support for Embedded Plain AES keys

boot/boot_serial/src/boot_serial_encryption.c

@@ -31,7 +31,11 @@ boot_image_validate_encrypted(struct boot_loader_state *state,
     int rc;
 
     if (MUST_DECRYPT(fa_p, BOOT_CURR_IMG(state), hdr)) {
+#ifdef MCUBOOT_EMBEDDED_ENC_KEY
+        rc = boot_en_take_key(bs->enckey[BOOT_SLOT_SECONDARY], BOOT_CUR_IMG(state), BOOT_SLOT_SECONDARY);
+#else
         rc = boot_enc_load(state, BOOT_SLOT_SECONDARY, hdr, fa_p, bs);
+#endif
         if (rc < 0) {
             FIH_RET(fih_rc);
         }
@@ -232,7 +236,11 @@ decrypt_image_inplace(const struct flash_area *fa_p,
         }
 #endif
         /* Load the encryption keys into cache */
+#ifdef MCUBOOT_EMBEDDED_ENC_KEY
+        rc = boot_take_enc_key(bs->enckey[BOOT_SLOT_PRIMARY], BOOT_CURR_IMG(state), BOOT_SLOT_PRIMARY);
+#else
         rc = boot_enc_load(state, BOOT_SLOT_PRIMARY, hdr, fa_p, bs);
+#endif
         if (rc < 0) {
             goto total_out;
         }

boot/bootutil/include/bootutil/enc_key.h

@@ -75,6 +75,9 @@ void boot_enc_decrypt(struct enc_key_data *enc_state,
 /* Note that boot_enc_zeorize takes BOOT_CURR_ENC, not BOOT_CURR_ENC_SLOT */
 void boot_enc_zeroize(struct enc_key_data *enc_state);
 
+/* Retrieve key for a slot */
+int boot_take_enc_key(uint8_t *key, int image, int slot);
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/src/bootutil_loader.c

@@ -179,7 +179,11 @@ boot_check_image(struct boot_loader_state *state, struct boot_status *bs, int sl
      */
 #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_RAM_LOAD)
     if (MUST_DECRYPT(fap, BOOT_CURR_IMG(state), hdr)) {
+#ifdef MCUBOOT_EMBEDDED_ENC_KEY
+        rc = boot_take_enc_key(bs->enckey[BOOT_SLOT_SECONDARY], BOOT_CURR_IMG(state), BOOT_SLOT_SECONDARY);
+#else
         rc = boot_enc_load(state, BOOT_SLOT_SECONDARY, hdr, fap, bs);
+#endif
         if (rc < 0) {
             FIH_RET(fih_rc);
         }

boot/bootutil/src/bootutil_misc.c

@@ -239,7 +239,7 @@ boot_read_unprotected_tlv_sizes(const struct flash_area *fap, uint16_t *tlv_size
 }
 #endif
 
-#ifdef MCUBOOT_ENC_IMAGES
+#if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_EMBEDDED_ENC_KEY)
 int
 boot_read_enc_key(const struct flash_area *fap, uint8_t slot, struct boot_status *bs)
 {

boot/bootutil/src/encrypted.c

@@ -370,6 +370,7 @@ static int fake_rng(void *p_rng, unsigned char *output, size_t len)
 #endif /* (MCUBOOT_ENCRYPT_RSA && MCUBOOT_USE_MBED_TLS && !MCUBOOT_USE_PSA_CRYPTO) ||
           (MCUBOOT_ENCRYPT_EC256 && MCUBOOT_USE_MBED_TLS) */
 
+#if !defined(MCUBOOT_EMBEDDED_ENC_KEY)
 /*
  * Decrypt an encryption key TLV.
  *
@@ -564,7 +565,9 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     return rc;
 }
 #endif /* CONFIG_BOOT_ED25519_PSA  && CONFIG_BOOT_ECDSA_PSA */
+#endif /* defined(MCUBOOT_EMBEDDED_ENC_KEY) */
 
+#if !defined(MCUBOOT_EMBEDDED_ENC_KEY)
 /*
  * Load encryption key.
  */
@@ -625,6 +628,7 @@ boot_enc_load(struct boot_loader_state *state, int slot,
 
     return boot_decrypt_key(buf, bs->enckey[slot]);
 }
+#endif /* defined(MCUBOOT_EMBEDDED_ENC_KEY */
 
 int
 boot_enc_init(struct enc_key_data *enc_state)

boot/bootutil/src/loader.c

@@ -632,6 +632,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
     }
 #endif
     if (!boot_check_header_valid(state, slot)) {
+        BOOT_LOG_DBG("boot_validate_slot: header validation failed %d", slot);
         fih_rc = FIH_FAILURE;
     } else {
         BOOT_HOOK_CALL_FIH(boot_image_check_hook, FIH_BOOT_HOOK_REGULAR,
@@ -644,16 +645,16 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
 check_validity:
 #endif
     if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+#if !defined(__BOOTSIM__)
+        BOOT_LOG_ERR("Image in the %s slot is not valid!",
+                     (slot == BOOT_SLOT_PRIMARY) ? "primary" : "secondary");
+#endif
         if ((slot != BOOT_SLOT_PRIMARY) || ARE_SLOTS_EQUIVALENT()) {
             boot_scramble_slot(fap, slot);
             /* Image is invalid, erase it to prevent further unnecessary
              * attempts to validate and boot it.
              */
         }
-#if !defined(__BOOTSIM__)
-        BOOT_LOG_ERR("Image in the %s slot is not valid!",
-                     (slot == BOOT_SLOT_PRIMARY) ? "primary" : "secondary");
-#endif
         fih_rc = FIH_NO_BOOTABLE_IMAGE;
         goto out;
     }
@@ -1006,9 +1007,13 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs)
 
 #ifdef MCUBOOT_ENC_IMAGES
     if (IS_ENCRYPTED(boot_img_hdr(state, BOOT_SLOT_SECONDARY))) {
+#ifdef MCUBOOT_EMBEDDED_ENC_KEY
+        rc = boot_take_enc_key(bs->enckey[BOOT_SLOT_SECONDARY], BOOT_CURR_IMG(state), BOOT_SLOT_SECONDARY);
+#else
         rc = boot_enc_load(state, BOOT_SLOT_SECONDARY,
                 boot_img_hdr(state, BOOT_SLOT_SECONDARY),
                 fap_secondary_slot, bs);
+#endif /* MCUBOOT_EMBEDDED_ENC_KEY */
 
         if (rc < 0) {
             return BOOT_EBADIMAGE;
@@ -1130,7 +1135,11 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs)
 #ifdef MCUBOOT_ENC_IMAGES
         if (IS_ENCRYPTED(hdr)) {
             fap = BOOT_IMG_AREA(state, BOOT_SLOT_PRIMARY);
+#ifdef MCUBOOT_EMBEDDED_ENC_KEY
+            rc = boot_take_enc_key(bs->enckey[BOOT_SLOT_PRIMARY], BOOT_CURR_IMG(state), BOOT_SLOT_PRIMARY);
+#else
             rc = boot_enc_load(state, BOOT_SLOT_PRIMARY, hdr, fap, bs);
+#endif /* MCUBOOT_EMBEDDED_ENC_KEY */
             assert(rc >= 0);
 
             if (rc == 0) {
@@ -1154,7 +1163,11 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs)
         hdr = boot_img_hdr(state, BOOT_SLOT_SECONDARY);
         if (IS_ENCRYPTED(hdr)) {
             fap = BOOT_IMG_AREA(state, BOOT_SLOT_SECONDARY);
+#ifdef MCUBOOT_EMBEDDED_ENC_KEY
+            rc = boot_take_enc_key(bs->enckey[BOOT_SLOT_SECONDARY], BOOT_CURR_IMG(state), BOOT_SLOT_SECONDARY);
+#else
             rc = boot_enc_load(state, BOOT_SLOT_SECONDARY, hdr, fap, bs);
+#endif /* MCUBOOT_EMBEDDED_ENC_KEY */
             assert(rc >= 0);
 
             if (rc == 0) {
@@ -1191,15 +1204,19 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs)
 
             boot_enc_init(BOOT_CURR_ENC_SLOT(state, slot));
 
+#ifdef MCUBOOT_EMBEDDED_ENC_KEY
+            rc = boot_take_enc_key(bs->enckey[slot], image_index, slot);
+#else
             rc = boot_read_enc_key(fap, slot, bs);
+#endif /* MCUBOOT_EMBEDDED_ENC_KEY */
             if (rc) {
                 BOOT_LOG_DBG("boot_swap_image: Failed loading key (%d, %d)",
                               image_index, slot);
             } else {
                 boot_enc_set_key(BOOT_CURR_ENC_SLOT(state, slot), bs->enckey[slot]);
             }
         }
-#endif
+#endif /* MCUBOOT_ENC_IMAGES */
         flash_area_close(fap);
     }
 

boot/mynewt/src/single_loader.c

@@ -49,6 +49,7 @@ boot_image_validate(const struct flash_area *fa_p,
          * was performed. We will try to validate the image, and if still
          * encrypted the validation will fail, and go in panic mode
          */
+        BOOT_LOG_DBG("boot_image_validate: clearing encryption flags");
         hdr->ih_flags &= ~(ENCRYPTIONFLAGS);
     }
     FIH_CALL(bootutil_img_validate, fih_rc, NULL, hdr, fa_p, tmpbuf,

boot/zephyr/CMakeLists.txt

@@ -393,57 +393,59 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "")
 endif()
 
 if(CONFIG_BOOT_ENCRYPTION_KEY_FILE AND NOT CONFIG_BOOT_ENCRYPTION_KEY_FILE STREQUAL "")
-  # CONF_FILE points to the KConfig configuration files of the bootloader.
-  unset(CONF_DIR)
-  foreach(filepath ${CONF_FILE})
-    file(READ ${filepath} temp_text)
-    string(FIND "${temp_text}" ${CONFIG_BOOT_ENCRYPTION_KEY_FILE} match)
-    if(${match} GREATER_EQUAL 0)
-      if(NOT DEFINED CONF_DIR)
-        get_filename_component(CONF_DIR ${filepath} DIRECTORY)
-      else()
-        message(FATAL_ERROR "Encryption key file defined in multiple conf files")
+  if(CONFIG_BOOT_ENCRYPT_IMAGE_WITH_SHARED_KEY)
+    # CONF_FILE points to the KConfig configuration files of the bootloader.
+    unset(CONF_DIR)
+    foreach(filepath ${CONF_FILE})
+      file(READ ${filepath} temp_text)
+      string(FIND "${temp_text}" ${CONFIG_BOOT_ENCRYPTION_KEY_FILE} match)
+      if(${match} GREATER_EQUAL 0)
+        if(NOT DEFINED CONF_DIR)
+          get_filename_component(CONF_DIR ${filepath} DIRECTORY)
+        else()
+          message(FATAL_ERROR "Encryption key file defined in multiple conf files")
+        endif()
       endif()
-    endif()
-  endforeach()
+    endforeach()
 
-  if(IS_ABSOLUTE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-    set(KEY_FILE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-  elseif((DEFINED CONF_DIR) AND
-	 (EXISTS ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE}))
-    set(KEY_FILE ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-  else()
-    set(KEY_FILE ${MCUBOOT_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
-  endif()
-  message("MCUBoot bootloader encryption key file: ${KEY_FILE}")
+    if(IS_ABSOLUTE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+      set(KEY_FILE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+    elseif((DEFINED CONF_DIR) AND
+           (EXISTS ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE}))
+      set(KEY_FILE ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+    else()
+      set(KEY_FILE ${MCUBOOT_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
+    endif()
+    message("MCUBoot bootloader encryption key file: ${KEY_FILE}")
+
+    # Emit a warning if using one of the default MCUboot key files
+    set(mcuboot_default_encryption_files
+        ${MCUBOOT_DIR}/enc-ec256-priv.pem
+        ${MCUBOOT_DIR}/enc-ec256-pub.pem
+        ${MCUBOOT_DIR}/enc-rsa2048-priv.pem
+        ${MCUBOOT_DIR}/enc-rsa2048-pub.pem
+        ${MCUBOOT_DIR}/enc-x25519-priv.pem
+        ${MCUBOOT_DIR}/enc-x25519-pub.pem
+    )
 
-  # Emit a warning if using one of the default MCUboot key files
-  set(mcuboot_default_encryption_files
-      ${MCUBOOT_DIR}/enc-ec256-priv.pem
-      ${MCUBOOT_DIR}/enc-ec256-pub.pem
-      ${MCUBOOT_DIR}/enc-rsa2048-priv.pem
-      ${MCUBOOT_DIR}/enc-rsa2048-pub.pem
-      ${MCUBOOT_DIR}/enc-x25519-priv.pem
-      ${MCUBOOT_DIR}/enc-x25519-pub.pem
-  )
+    if(${KEY_FILE} IN_LIST mcuboot_default_encryption_files)
+      message(WARNING "WARNING: Using default MCUboot encryption key file, this file is for debug use only and is not secure!")
+    endif()
 
-  if(${KEY_FILE} IN_LIST mcuboot_default_encryption_files)
-    message(WARNING "WARNING: Using default MCUboot encryption key file, this file is for debug use only and is not secure!")
+    set(GENERATED_ENCKEY ${ZEPHYR_BINARY_DIR}/autogen-enckey.c)
+    add_custom_command(
+      OUTPUT ${GENERATED_ENCKEY}
+      COMMAND
+      ${PYTHON_EXECUTABLE}
+      ${MCUBOOT_DIR}/scripts/imgtool.py
+      getpriv
+      -k
+      ${KEY_FILE}
+      > ${GENERATED_ENCKEY}
+      DEPENDS ${KEY_FILE}
+      )
+    zephyr_library_sources(${GENERATED_ENCKEY})
   endif()
-
-  set(GENERATED_ENCKEY ${ZEPHYR_BINARY_DIR}/autogen-enckey.c)
-  add_custom_command(
-    OUTPUT ${GENERATED_ENCKEY}
-    COMMAND
-    ${PYTHON_EXECUTABLE}
-    ${MCUBOOT_DIR}/scripts/imgtool.py
-    getpriv
-    -k
-    ${KEY_FILE}
-    > ${GENERATED_ENCKEY}
-    DEPENDS ${KEY_FILE}
-    )
-  zephyr_library_sources(${GENERATED_ENCKEY})
 endif()
 
 if(CONFIG_MCUBOOT_CLEANUP_ARM_CORE)
@@ -731,3 +733,18 @@ if(SYSBUILD)
   set(mcuboot_image_footer_size ${required_size} CACHE INTERNAL "Estimated MCUboot image trailer size" FORCE)
   set(mcuboot_image_upgrade_footer_size ${required_upgrade_size} CACHE INTERNAL "Estimated MCUboot update image trailer size" FORCE)
 endif()
+
+if(${CONFIG_BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER})
+    # Need to generate single key provider source, from template.
+    # Take provided key, in form of a string and make it into C array, BOOT_AES_RAW_KEY_HEX_ARRAY,
+    # of byte size hex values.
+    set(BOOT_AES_RAW_KEY_HEX_STRING ${BOOT_ENCRYPT_IMAGE_EMBEDDED_RAW_KEY})
+    string(REGEX REPLACE "(..)" "0x\\1, " BOOT_AES_RAW_KEY_HEX_ARRAY "${BOOT_AES_RAW_KEY_HEX_STRING}")
+
+    # The tamplate references BOOT_AES_RAW_KEY_HEX_ARRAY where it expects the array to be substituted.
+    set(OUTPUT_BOOT_AES_RAW_KEY_SRC ${ZEPHYR_BINARY_DIR}/mcuboot_generated/builtin_aes_key_provider.c)
+    configure_file(templates/single_builtin_aes_key_provider.c.template ${OUTPUT_BOOT_AES_RAW_KEY_SRC} @ONLY)
+
+    # Add generated source file to build
+    zephyr_library_sources(${OUTPUT_BOOT_AES_RAW_KEY_SRC})
+endif()