boot: Add MCUBOOT_HW_KEY support for image encryption #1722

DineshDK03 · 2023-06-08T11:43:17Z

Currently encryption supports only private key embed in mcuboot itself. To support MCUBOOT_HW_KEY for image encryption boot_retrieve_private_key() hook is added.

This hook helps retrieving private key from trusted sources like OTP, TPM.

d3zd3z

I like the idea of this change. I'd like to see if we can do this without introducing more ifdefs throughout the code. Perhaps we make the main code so that it always calls this function, and then, depending on the feature (ifdefs around whole functions are better than ones sprinkled through the code), we could just return a copy of the compiled in one. This could be conditionalized out if a given developer wishes to provide their own implementation.

boot/bootutil/src/encrypted.c

DineshDK03 · 2023-06-20T09:52:38Z

@d3zd3z please revisit.

DineshDK03 · 2023-07-03T10:06:17Z

@d3zd3z Ping

boot/bootutil/src/encrypted.c

boot/cypress/MCUBootApp/keys.c

boot/bootutil/src/encrypted.c

jimmyzumthurm · 2023-10-25T13:35:28Z

Any update on this ? We have similar solution currently in our software by patching MCUboot, but would highly appreciate if that would be officially available

DineshDK03 · 2023-10-31T03:41:21Z

Any update on this ? We have similar solution currently in our software by patching MCUboot, but would highly appreciate if that would be officially available

@jimmyzumthurm. I have already addressed the comments from @mingulov and @d3zd3z and waiting for their acceptance to merge this PR.

mingulov · 2023-10-31T07:19:49Z

Any update on this ? We have similar solution currently in our software by patching MCUboot, but would highly appreciate if that would be officially available

@jimmyzumthurm. I have already addressed the comments from @mingulov and @d3zd3z and waiting for their acceptance to merge this PR.

I am not an official approver / maintainer for MCUboot, so unfortunately my acceptance would not help anyhow.

DineshDK03 · 2023-11-01T06:06:20Z

@d3zd3z @de-nordic @nordicjm please have a look.

DineshDK03 · 2023-11-20T07:00:24Z

@d3zd3z ping

nordicjm · 2023-11-20T07:45:36Z

@sigvartmh

DineshDK03 · 2023-12-11T09:26:46Z

@d3zd3z @sigvartmh @nordicjm @de-nordic please have a look, if all is good, kindly merge this PR.

d3zd3z

Other than the whitespace issue, this looks good now.

boot/bootutil/src/encrypted.c

DineshDK03 · 2023-12-13T10:53:11Z

@d3zd3z Thanks for the review and fixed all the whitespace issues now.

DineshDK03 · 2023-12-25T11:02:31Z

@d3zd3z pushed changes to fix the CI. please approve to run the workflow jobs.

boot/mbed/app_enc_keys.c

Currently encryption supports only private key embed in mcuboot itself. To support MCUBOOT_HW_KEY for image encryption boot_retrieve_private_key() hook is added. This hook helps retrieving private key from trusted sources like OTP, TPM. Signed-off-by: Dinesh Kumar K <dinesh@linumiz.com>

DineshDK03 · 2024-04-23T08:49:42Z

@d3zd3z please have a look, all the comments addressed and waiting to be merged.

davidvincze · 2024-05-23T15:05:06Z

boot/bootutil/include/bootutil/enc_key.h

+ * @return                   0 on success; nonzero on failure.
+ *
+ */
+int boot_retrieve_private_key(struct bootutil_key **private_key);


Would you mind renaming this function to boot_enc_retrieve_priv_key or similar?
It's for avoiding ambiguity - one might think that it's retrieving the private key used for image signing (there's already a function called boot_retrieve_public_key_hash).

davidvincze · 2024-05-23T15:16:37Z

boot/cypress/MCUBootApp/keys.c

+
+    return 0;
+}
+#endif /* !MCUBOOT_HW_KEY */
