Support for Embedded Plain AES keys #2516
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
de-nordic
requested review from
d3zd3z,
davidvincze and
nordicjm
as code owners
de-nordic
force-pushed
the
aes-plain
branch
3 times, most recently
from
daae031 to
5b663a9
Compare
nvlsianpu
reviewed
Oct 28, 2025
Collaborator
nvlsianpu
left a comment
nvlsianpu
left a comment
There was a problem hiding this comment.
changes in scripts/imgtool/image.py looks good.
nvlsianpu
reviewed
Oct 28, 2025
nvlsianpu
reviewed
Oct 28, 2025
nvlsianpu
added
crypto
nordicjm
requested changes
Oct 28, 2025
de-nordic
force-pushed
the
aes-plain
branch
10 times, most recently
from
882fb1f to
01a3b55
Compare
de-nordic
force-pushed
the
aes-plain
branch
6 times, most recently
from
5b76934 to
7b5d80c
Compare
de-nordic
force-pushed
the
aes-plain
branch
5 times, most recently
from
59f09d6 to
78f3a0e
Compare
Commit provides support for MCUBOOT_EMBEDDED_ENC_KEY config option, that allows to compile code with embedded key. When this option is enabled, compilation requires definition of boot_take_enc_key function to be provided by user; prototype for the function is provided. The boot_take_enc_key function is supposed to provide encryption AES key to be used for image encryption and decryption. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit provides Kconfig options that allow to configure MCUboot to use embedded AES key. Primary option is CONFIG_BOOT_ENCRYPT_IMAGE_WITH_EMBEDDED_KEY that allows to select usage of embedded key in the code. After it follow sets of Kconfigs: - CONFIG_BOOT_ENCRYPT_IMAGE_GENERATE_BASIC_KEY_PROVIDER - CONFIG_BOOT_ENCRYPT_IMAGE_USE_CUSTOM_KEY_PROVIDER The above set allows to select source of the key. The first option will choose to generate default key provider, with a single embedded key, where the key is provided as a string assigned to CONFIG_BOOOT_ENCRYPT_IMAGE_EMBEDDED_RAW_KEY. The second option selects user provided code as source of key(s). Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The change adds --aes-key option that allows to pass a key via command line. The key is used to encrypt the image and there is not key exchange TLV added to the image. The options is provided for encrypting images for devices that store AES key on them so they do not expect it to be passed with image, in encrypted form. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Once TF-M stops using internal imgtool APIs this commit should be reverted. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
nvlsianpu
approved these changes
Nov 18, 2025
|
|
||
| if (MUST_DECRYPT(fa_p, BOOT_CURR_IMG(state), hdr)) { | ||
| #ifdef MCUBOOT_EMBEDDED_ENC_KEY | ||
| rc = boot_en_take_key(bs->enckey[BOOT_SLOT_SECONDARY], BOOT_CUR_IMG(state), BOOT_SLOT_SECONDARY); |
Collaborator
There was a problem hiding this comment.
I guess wrapping this API function under boot_enc_load() doesn't make sense.
Collaborator
Author
There was a problem hiding this comment.
Crap, there is bug in this line actually.
Anyway, I was considering doing the opposite so that boot_enc_load would become one of boot_take_enc_key implementations, but could not get rid of boot_loader_state for various reasons.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support in code for querying user provided function for an AES encryption key.
Extra Zephyr code and template that allows to use the new functionality.
Although I think this is ready for review I am still working, in different set of commits, on redefining encryption key type so that we could abstract that type across the MCUboot code; this means that this PR may change in how boot_take_enc_key function is defined.
Update: I will move imgtool script to separate PR, at this point. Fighting with FIH tests that from, what seems to be a timeout, without any feedback is impossible. Running personal docker is impossible either, because after getting authorized with docker registry I am denied access to required data anyway.Finally fixed the scripts to make FIH and TrustedFirmware-M happy.