Add support for AES plain encryption + with all additional needed changes #586
de-nordic wants to merge 18 commits into
Conversation
Add --test flag, which allows users to append a trailer that marks the image as ready for a test swap. This can be used for cases where the user wants to load an image to flash that MCUBoot will boot in test mode after system reset. Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com> (cherry picked from commit 48b0f6d) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Move code around to reduce ifdefs and make it clearer, and allow reusing the TLV read check loop for key read verification. (cherry picked from commit 32b3c18) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
…t_read_enc_key Check the return code instead of running a loop over the key to check whether it has been read correctly. (cherry picked from commit 0ccce2f) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
…ion file Allows disabling the default MCUboot Zephyr file specifying the multiple RAM regions, in order to allow users to supply their own versions Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no> (cherry picked from commit f846e9e) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
This code seems to have been introduced by someone without knowledge of the Zephyr build system: specifying a Kconfig value in multiple files is a completely legal operation (the one that was applied last is the one that is used), and the default directory for keys should be the application configuration directory, rather than assuming that the folder a .conf file is in is the same folder as the key file (which is completely at odds with how Zephyr's file-finding CMake code works). Signed-off-by: Jamie McCrae <spam@helper3000.net> (cherry picked from commit 716f338) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
…eeded Hides this Kconfig option when the operating mode is set to work as hash only without signature Signed-off-by: Jamie McCrae <spam@helper3000.net> (cherry picked from commit 92854b7) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Split definitions to crypto backend specific headers. (cherry picked from commit 5a161e4) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Store psa_key_id_t key in AES context instead of RAW key. (cherry picked from commit e925518) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
boot_loader_state initialization function. (cherry picked from commit a312656) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Replace boot_state_clear with boot_state_init, where used for initialization, and add boot_state_clear to remove state after use. (cherry picked from commit dd4b01f) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Initialize boot_loader_state with boot_state_init, then clean it up after use with boot_state_clear. (cherry picked from commit 8ff6b67) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
No need to keep this defaulting logic. (cherry picked from commit d8c4cc6) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
…boot_state_clear Call boot_enc_deinit before memset to 0. (cherry picked from commit d14ba22) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
…clear Temporary removal of the memset clear in boot_sector_clear that was causing boot to stop. The problem happens because fill_rsp assigns a pointer to the header stored in the cleared boot_state object, and the memset makes it inaccessible. Once the change where the header is copied to rsp is in, the memset should be brought back, as the boot_loader state should be completed before we pass further in execution. Fixes #2535 (cherry picked from commit e6fefac) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-mcuboot#586 Signed-off-by: Nordic Builder <pylon@nordicsemi.no>
    if (i == read_size) {
        BOOT_LOG_ERR("boot_read_enc_key: No key, read all 0xFF");
        rc = 1;
The 1 is a bit magical, and it was not present in the previous implementation (edit: I now see that the check was duplicated instead). Could you add a symbolic name/return code inside the docs to document the new behavior?
    if (MUST_DECRYPT(fa_p, BOOT_CURR_IMG(state), hdr)) {
#ifdef MCUBOOT_EMBEDDED_ENC_KEY
        rc = boot_en_take_key(bs->enckey[BOOT_SLOT_SECONDARY], BOOT_CUR_IMG(state), BOOT_SLOT_SECONDARY);
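Review bot: the image-index macro in the boot_en_take_key call is spelled BOOT_CUR_IMG(state), while the MUST_DECRYPT condition two lines above uses BOOT_CURR_IMG(state); unless both names are defined, this line fails to compile once MCUBOOT_EMBEDDED_ENC_KEY is enabled, so it should use the same macro as the condition, i.e. `rc = boot_take_enc_key(bs->enckey[BOOT_SLOT_SECONDARY], BOOT_CURR_IMG(state), BOOT_SLOT_SECONDARY);` (the function name itself is already raised in the comments below). Because the call sits under an #ifdef, a build without that option set will not catch either mismatch, which is worth a CI configuration that builds with the embedded-key path enabled.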
Shouldn't that be boot_take_enc_key?
Heh. I cannot figure out how I keep bringing this bug back. I thought that I had already fixed this two times.
It is in upstream again. I think I have messed up moving commits. Need to look through what else got broken.
    psa_key_id_t key;
} bootutil_aes_ctr_context;

void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx);
It'd be great to see some docs for these functions.
This is in commit directly taken from upstream.
The change adds an --aes-key option that allows passing a key via the command line. The key is used to encrypt the image, and no key exchange TLV is added to the image. The option is provided for encrypting images for devices that store the AES key on them, so they do not expect it to be passed with the image in encrypted form. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Commit provides support for the MCUBOOT_EMBEDDED_ENC_KEY config option, which allows compiling code with an embedded key. When this option is enabled, compilation requires a definition of the boot_take_enc_key function to be provided by the user; a prototype for the function is provided. The boot_take_enc_key function is supposed to provide the AES key to be used for image encryption and decryption. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit provides Kconfig options that allow configuring MCUboot to use an embedded AES key. The primary option is CONFIG_BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY, which selects usage of an embedded key in the code. It is followed by a set of Kconfigs:
- CONFIG_BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER
- CONFIG_BOOT_ENCRYPT_IMAGE_USE_CUSTOM_KEY_PROVIDER
The above set selects the source of the key. The first option generates a default key provider with a single embedded key, where the key is provided as a string assigned to CONFIG_BOOOT_ENCRYPT_IMAGE_EMBEDDED_RAW_KEY. The second option selects user-provided code as the source of the key(s). Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
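Added example, not code from this PR or from MCUboot: a stand-in for the user-supplied key provider that the MCUBOOT_EMBEDDED_ENC_KEY and Kconfig commits above describe, combined with the "read all 0xFF" no-key check discussed in the boot_read_enc_key review thread, but with named return codes instead of a bare `rc = 1`. Everything prefixed `example_` is assumed; the (key buffer, image index, slot) signature is taken from the shape of the boot_take_enc_key call in the review snippet rather than from a header on this page, and the key bytes are a constructed, non-secret placeholder.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed AES-128 key length; MCUboot's own BOOT_ENC_KEY_SIZE is not on this page. */
#define EXAMPLE_ENC_KEY_SIZE 16
#define EXAMPLE_IMAGE_COUNT  2

/* Named return codes, instead of the "magical" rc = 1 questioned in review. */
enum example_enc_key_rc {
    EXAMPLE_ENC_KEY_OK = 0,
    EXAMPLE_ENC_KEY_NOT_PROGRAMMED = -1, /* key area reads back as all 0xFF */
    EXAMPLE_ENC_KEY_BAD_ARGS = -2,
};

/*
 * Constructed placeholder key material, one entry per image. Image 0 holds a
 * dummy, non-secret pattern; image 1 is left erased (all 0xFF) to exercise the
 * "no key programmed" path. A real provider would read OTP/KMU/flash instead.
 */
static const uint8_t example_embedded_keys[EXAMPLE_IMAGE_COUNT][EXAMPLE_ENC_KEY_SIZE] = {
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
};

/* True if every byte reads as erased flash (0xFF); same idea as the
 * "i == read_size" loop exit in the reviewed boot_read_enc_key snippet. */
static bool example_key_area_is_erased(const uint8_t *p, size_t n)
{
    size_t i;
    for (i = 0; i < n && p[i] == 0xff; i++) {
    }
    return i == n;
}

/* Stand-in for the user-provided key provider (hypothetical name and signature). */
int example_boot_take_enc_key(uint8_t *key, int image_index, int slot)
{
    (void)slot; /* one key per image here; slot kept only to match the call shape */
    if (key == NULL || image_index < 0 || image_index >= EXAMPLE_IMAGE_COUNT) {
        return EXAMPLE_ENC_KEY_BAD_ARGS;
    }
    const uint8_t *src = example_embedded_keys[image_index];
    if (example_key_area_is_erased(src, EXAMPLE_ENC_KEY_SIZE)) {
        /* Never hand an unprogrammed 0xFF..FF area back as if it were a key. */
        memset(key, 0, EXAMPLE_ENC_KEY_SIZE);
        return EXAMPLE_ENC_KEY_NOT_PROGRAMMED;
    }
    memcpy(key, src, EXAMPLE_ENC_KEY_SIZE);
    return EXAMPLE_ENC_KEY_OK;
}

/* Caller-side cleanup in the spirit of boot_state_clear: wipe the key copy once
 * the AES context has taken it. The volatile pointer keeps the stores from being
 * optimised away. */
void example_wipe_key(uint8_t *key, size_t n)
{
    volatile uint8_t *v = key;
    while (n--) {
        *v++ = 0;
    }
}

int main(void)
{
    uint8_t key[EXAMPLE_ENC_KEY_SIZE];
    for (int img = 0; img < EXAMPLE_IMAGE_COUNT; img++) {
        int rc = example_boot_take_enc_key(key, img, 0);
        printf("image %d: rc=%d\n", img, rc);
        example_wipe_key(key, sizeof(key));
    }
    return 0;
}
```

The point of the erased-area check is that a blank key slot reads back as 0xFF bytes, which is a perfectly valid AES key to the cipher but not one anybody provisioned; returning a distinct, documented code for that case lets the caller fail the boot rather than decrypt with a predictable key, and wiping the buffer on both the error path and after use keeps the key from outliving the boot_loader_state it was copied into.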
Now boot_state_init is used for state initialization and boot_state_clear to clean it up after it is no longer needed. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
config BOOT_AES_DEPENDENCIES
	bool
	default y if BOOT_USE_PSA_CRYPTO
Think: should this instead be selected depending on whether AES encryption is selected?
It also already depends on BOOT_USE_PSA_CRYPTO.
Suggested change:
	default y if BOOT_USE_PSA_CRYPTO
	default y