Commit 37719169 authored by Dominik Ermel's avatar Dominik Ermel Committed by Dominik Ermel

zephyr: Support for HKDF/HMAC with SHA512



The commit adds CONFIG_BOOT_HMAC_SHA512, which enables the MCUboot
configuration option MCUBOOT_HMAC_SHA512; that option switches
HKDF/HMAC in the ECIES key exchange from the default SHA256
to SHA512.
This option, currently, is only available for ECIES-X25519
with PSA as crypto backend.

Signed-off-by: default avatarDominik Ermel <dominik.ermel@nordicsemi.no>
parent 1d83177c
+9 −0
@@ -609,6 +609,15 @@ config BOOT_ENCRYPT_X25519
	help
	  Hidden option selecting x25519 encryption.

config BOOT_HMAC_SHA512
	bool "Use SHA512 for HMAC/HKDF"
	depends on BOOT_ENCRYPT_X25519
	depends on BOOT_USE_PSA_CRYPTO
	help
	  By default SHA256 is used for HKDF/HMAC in key exchange expansion
	  and verification. This options switches to SHA512. The option is
	  mainly useful to reduce numer of compiled in SHA algorithms.

config BOOT_ENCRYPTION_KEY_FILE
	string "Encryption key file"
	depends on BOOT_ENCRYPT_IMAGE
+7 −0
@@ -157,6 +157,13 @@
#define MCUBOOT_ENCRYPT_X25519
#endif

/* Support for HMAC/HKDF using SHA512; this is used in key exchange where
 * HKDF is used for key expansion and HMAC is used for key verification.
 */
#ifdef CONFIG_BOOT_HMAC_SHA512
#define MCUBOOT_HMAC_SHA512
#endif

#ifdef CONFIG_BOOT_DECOMPRESSION
#define MCUBOOT_DECOMPRESS_IMAGES
#endif