Commit 953a7618 authored by Wouter Cappelle's avatar Wouter Cappelle Committed by David Brown

Add support for signed images in single loader mode

parent f9dbf683
+22 −0
@@ -58,6 +58,10 @@
#include "bootutil_priv.h"
#endif

#ifdef MCUBOOT_ENC_IMAGES
#include "single_loader.h"
#endif

#include "serial_recovery_cbor.h"
#include "bootutil/boot_hooks.h"

@@ -200,6 +204,17 @@ bs_list(char *buf, int len)
                                   fih_rc, image_index, slot);
                if (fih_eq(fih_rc, BOOT_HOOK_REGULAR))
                {
#ifdef MCUBOOT_ENC_IMAGES
                    if (slot == 0 && IS_ENCRYPTED(&hdr)) {
                        /* Clear the encrypted flag we didn't supply a key
                        * This flag could be set if there was a decryption in place
                        * performed before. We will try to validate the image without
                        * decryption by clearing the flag in the heder. If
                        * still encrypted the validation will fail.
                        */
                        hdr.ih_flags &= ~(ENCRYPTIONFLAGS);
                    }
#endif
                    FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, &hdr, fap, tmpbuf, sizeof(tmpbuf),
                                    NULL, 0, NULL);
                }
@@ -437,6 +452,13 @@ out:

    boot_serial_output();
    flash_area_close(fap);

#ifdef MCUBOOT_ENC_IMAGES
    if (curr_off == img_size) {
        /* Last sector received, now start a decryption on the image if it is encrypted*/
        rc = boot_handle_enc_fw();
    }
#endif //#ifdef MCUBOOT_ENC_IMAGES
}

/*
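Review bot: The return value of `boot_handle_enc_fw()` in the last hunk is assigned to `rc` and then dropped: the call sits after `boot_serial_output()` and `flash_area_close(fap)`, and the function closes on the next line, so a failed decryption is never reported to the uploading client or logged. Consider running the decryption step before the response is encoded so its result can feed the reported status, or at minimum add `if (rc != 0) { BOOT_LOG_ERR("Decryption of uploaded image failed: %d", rc); }`. The `curr_off == img_size` test also sits on the `out:` path, which error exits presumably share, so it is worth confirming the condition cannot hold after a failed write. The function body starts outside the hunk.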
+1 −0
@@ -149,6 +149,7 @@ struct image_tlv {
    uint16_t it_len;    /* Data length (not including TLV header). */
};

#define ENCRYPTIONFLAGS (IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256)
#define IS_ENCRYPTED(hdr) (((hdr)->ih_flags & IMAGE_F_ENCRYPTED_AES128) \
                        || ((hdr)->ih_flags & IMAGE_F_ENCRYPTED_AES256))
#define MUST_DECRYPT(fap, idx, hdr) \
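Review bot: `ENCRYPTIONFLAGS` and `IS_ENCRYPTED` spell out the same pair of flags independently, so a cipher flag added to one later can be missed in the other, and the serial-recovery code that clears the mask would then leave a flag set that `IS_ENCRYPTED` still tests. Defining the test on top of the mask keeps them in sync: `#define IS_ENCRYPTED(hdr) (((hdr)->ih_flags & ENCRYPTIONFLAGS) != 0)`. The new macro also drops the `IMAGE_F_` prefix its operands carry; a prefixed name (for example `IMAGE_F_ENCRYPTED_MASK`, a suggested name that is not in the tree) would be less likely to collide with other definitions.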
+44 −2
@@ -143,7 +143,7 @@ zephyr_library_sources(
  )
endif()

if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256)
if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_SERIAL_ENCRYPT_EC256)
  zephyr_library_include_directories(
    ${MBEDTLS_ASN1_DIR}/include
    )
@@ -158,6 +158,7 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256)
    ${BOOT_DIR}/zephyr/include
    ${TINYCRYPT_DIR}/include
    )
  zephyr_include_directories(${TINYCRYPT_DIR}/include)

  zephyr_library_sources(
    ${TINYCRYPT_DIR}/source/ecc.c
@@ -231,7 +232,7 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
  )
endif()

if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519 OR CONFIG_BOOT_SERIAL_ENCRYPT_EC256)
  zephyr_library_sources(
    ${TINYCRYPT_DIR}/source/aes_encrypt.c
    ${TINYCRYPT_DIR}/source/aes_decrypt.c
@@ -304,6 +305,47 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "")
  zephyr_library_sources(${GENERATED_PUBKEY})
endif()

# CONF_FILE points to the KConfig configuration files of the bootloader.
unset(CONF_DIR)
foreach(filepath ${CONF_FILE})
  file(READ ${filepath} temp_text)
  string(FIND "${temp_text}" ${CONFIG_BOOT_ENCRYPTION_KEY_FILE} match)
  if(${match} GREATER_EQUAL 0)
    if(NOT DEFINED CONF_DIR)
      get_filename_component(CONF_DIR ${filepath} DIRECTORY)
    else()
      message(FATAL_ERROR "Encryption key file defined in multiple conf files")
    endif()
  endif()
endforeach()


if(NOT CONFIG_BOOT_ENCRYPTION_KEY_FILE STREQUAL "")
  if(IS_ABSOLUTE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
    set(KEY_FILE ${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
  elseif((DEFINED CONF_DIR) AND
	 (EXISTS ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE}))
    set(KEY_FILE ${CONF_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
  else()
    set(KEY_FILE ${MCUBOOT_DIR}/${CONFIG_BOOT_ENCRYPTION_KEY_FILE})
  endif()
  message("MCUBoot bootloader key file: ${KEY_FILE}")

  set(GENERATED_ENCKEY ${ZEPHYR_BINARY_DIR}/autogen-enckey.c)
  add_custom_command(
    OUTPUT ${GENERATED_ENCKEY}
    COMMAND
    ${PYTHON_EXECUTABLE}
    ${MCUBOOT_DIR}/scripts/imgtool.py
    getpriv
    -k
    ${KEY_FILE}
    > ${GENERATED_ENCKEY}
    DEPENDS ${KEY_FILE}
    )
  zephyr_library_sources(${GENERATED_ENCKEY})
endif()

if(CONFIG_MCUBOOT_CLEANUP_ARM_CORE)
zephyr_library_sources(
  ${BOOT_DIR}/zephyr/arm_cleanup.c
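Review bot: The `foreach(filepath ${CONF_FILE})` scan runs outside the `if(NOT CONFIG_BOOT_ENCRYPTION_KEY_FILE STREQUAL "")` guard and passes `${CONFIG_BOOT_ENCRYPTION_KEY_FILE}` to `string(FIND)` unquoted. The Kconfig symbol added in this commit depends on `BOOT_ENCRYPT_EC256 || BOOT_SERIAL_ENCRYPT_EC256`, so in builds without encryption the variable is presumably undefined or empty: `string(FIND)` then receives too few arguments, and the guard compares the bare name against `""` and takes the key-generation branch anyway. Open the guard before `unset(CONF_DIR)` as `if(CONFIG_BOOT_ENCRYPTION_KEY_FILE AND NOT CONFIG_BOOT_ENCRYPTION_KEY_FILE STREQUAL "")` and quote the needle, `string(FIND "${temp_text}" "${CONFIG_BOOT_ENCRYPTION_KEY_FILE}" match)`. Separately, the custom command writes private key material into `autogen-enckey.c` under the build directory, so that file and any artifact built from it need the same access control as the key file itself; a comment above `set(GENERATED_ENCKEY ...)` should say so.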
+25 −0
@@ -292,6 +292,21 @@ config BOOT_ENCRYPT_X25519
	  described under "ECIES-X25519 encryption" in docs/encrypted_images.md.
endif # !SINGLE_APPLICATION_SLOT

config BOOT_ENCRYPTION_KEY_FILE
	string "encryption key file"
    depends on BOOT_ENCRYPT_EC256 || BOOT_SERIAL_ENCRYPT_EC256
	default "enc-ec256-priv.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
	default ""
	help
	  You can use either absolute or relative path.
	  In case relative path is used, the build system assumes that it starts
	  from the directory where the MCUBoot KConfig configuration file is
	  located. If the key file is not there, the build system uses relative
	  path that starts from the MCUBoot repository root directory.
	  The key file will be parsed by imgtool's getpriv command and a .c source
	  with the public key information will be written in a format expected by
	  MCUboot.

config BOOT_MAX_IMG_SECTORS
	int "Maximum number of sectors per image slot"
	default 128
@@ -581,6 +596,16 @@ config BOOT_MGMT_CUSTOM_IMG_LIST
	  statuses (custom property) for all images.

endif # ENABLE_MGMT_PERUSER

config BOOT_SERIAL_ENCRYPT_EC256
	bool "Support for encrypted upgrade images using ECIES-P256 in serial recovery upload"
	default n
	help
	  If y, uploaded images via serial recovery can be decrypted
	  on the fly when upgrading to the primary slot. The
	  encryption mechanism used in this case is ECIES using primitives
	  described under "ECIES-P256 encryption" in docs/encrypted_images.md.

endif # MCUBOOT_SERIAL

config BOOT_INTR_VEC_RELOC
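Review bot: The help text for `BOOT_ENCRYPTION_KEY_FILE` says the generated source holds "public key information", but the CMake rule in this commit runs imgtool's `getpriv`, so what is compiled into the bootloader is the private decryption key. Suggested wording for the last sentence: `The key file will be parsed by imgtool's getpriv command and a .c source with the private key will be written in a format expected by MCUboot. Use a key generated for your product and keep it out of version control.` The default `"enc-ec256-priv.pem"` resolves through the repository-root fallback, which looks like a shared sample key; a bootloader built with it gives uploaded images no confidentiality, so a configure-time warning when the default is left unchanged would help. The `depends on` line is indented with spaces while the neighbouring attributes use a tab.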
+1 −0
@@ -25,6 +25,7 @@
#include "config-rsa.h"
#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || \
      defined(CONFIG_BOOT_ENCRYPT_EC256) || \
      defined(CONFIG_BOOT_SERIAL_ENCRYPT_EC256) || \
      (defined(CONFIG_BOOT_ENCRYPT_X25519) && !defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519))
#include "config-asn1.h"
#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519)