boot: zephyr: add ECIES-P256 configuration
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
index f5e02c7..ee0710d 100644
--- a/boot/zephyr/CMakeLists.txt
+++ b/boot/zephyr/CMakeLists.txt
@@ -113,7 +113,7 @@
${BOOT_DIR}/bootutil/src/tlv.c
)
-if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256)
+if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256)
zephyr_library_include_directories(
${MBEDTLS_ASN1_DIR}/include
)
@@ -165,6 +165,16 @@
)
endif()
+if(CONFIG_BOOT_ENCRYPT_EC256)
+ zephyr_library_sources(
+ ${TINYCRYPT_DIR}/source/aes_encrypt.c
+ ${TINYCRYPT_DIR}/source/aes_decrypt.c
+ ${TINYCRYPT_DIR}/source/ctr_mode.c
+ ${TINYCRYPT_DIR}/source/hmac.c
+ ${TINYCRYPT_DIR}/source/ecc_dh.c
+ )
+endif()
+
if(CONFIG_MCUBOOT_SERIAL)
zephyr_sources(${BOOT_DIR}/zephyr/serial_adapter.c)
zephyr_sources(${BOOT_DIR}/boot_serial/src/boot_serial.c)
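Review bot: The new `if(CONFIG_BOOT_ENCRYPT_EC256)` block lists `hmac.c` and `ecc_dh.c` but not the TinyCrypt sources they build on (`sha256.c`, `ecc.c`, `utils.c`), and it does not add the TinyCrypt include directory. These presumably come from the block whose condition the first hunk widens to `... OR CONFIG_BOOT_ENCRYPT_EC256`, but most of that block lies outside the diff, so this cannot be confirmed here. If that block adds them only for a particular crypto backend, a build with EC256 encryption and a different signature backend would likely fail to compile or link. I would either list the missing files in this block or record the dependency with a comment such as `# ecc.c, sha256.c and utils.c come from the ECDSA/EC256 block above`.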
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 42e8d82..56b5b19 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -135,12 +135,23 @@
If unsure, leave at the default value.
config BOOT_ENCRYPT_RSA
- bool "Support for encrypted upgrade images"
+ bool "Support for encrypted upgrade images using RSA"
default n
help
If y, images in the secondary slot can be encrypted and are decrypted
on the fly when upgrading to the primary slot, as well as encrypted
- back when swapping from the primary slot to the secondary slot.
+ back when swapping from the primary slot to the secondary slot. The
+ encryption mechanism used in this case is RSA-OAEP (2048 bits).
+
+config BOOT_ENCRYPT_EC256
+ bool "Support for encrypted upgrade images using ECIES-P256"
+ default n
+ help
+ If y, images in the secondary slot can be encrypted and are decrypted
+ on the fly when upgrading to the primary slot, as well as encrypted
+ back when swapping from the primary slot to the secondary slot. The
+ encryption mechanism used in this case is ECIES using primitives
+ described under "ECIES-P256 encryption" in docs/encrypted_images.md.
config BOOT_MAX_IMG_SECTORS
int "Maximum number of sectors per image slot"
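Review bot: `BOOT_ENCRYPT_RSA` and `BOOT_ENCRYPT_EC256` are independent bools, so nothing in this hunk prevents enabling both. In that case `mcuboot_config.h` would define both `MCUBOOT_ENCRYPT_RSA` and `MCUBOOT_ENCRYPT_EC256`, and `mcuboot-mbedtls-cfg.h` takes the RSA branch first, so the EC256 selection would be silently ignored there. The `#elif` chain in `keys.c` appears to do the same, though its opening condition is outside the diff. Making the two options mutually exclusive would turn this into a configuration error, for example with `depends on !BOOT_ENCRYPT_RSA` under `config BOOT_ENCRYPT_EC256` or by wrapping both in a `choice`. The help text could also say that the key compiled in from `keys.c` is a sample and must be replaced.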
diff --git a/boot/zephyr/include/mcuboot-mbedtls-cfg.h b/boot/zephyr/include/mcuboot-mbedtls-cfg.h
index b15d5ac..0eb6e74 100644
--- a/boot/zephyr/include/mcuboot-mbedtls-cfg.h
+++ b/boot/zephyr/include/mcuboot-mbedtls-cfg.h
@@ -23,7 +23,7 @@
#if defined(CONFIG_BOOT_SIGNATURE_TYPE_RSA) || defined(CONFIG_BOOT_ENCRYPT_RSA)
#include "config-rsa.h"
-#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256)
+#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || defined(CONFIG_BOOT_ENCRYPT_EC256)
#include "config-asn1.h"
#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
#include "config-ed25519.h"
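Review bot: With `CONFIG_BOOT_ENCRYPT_EC256` added to the second branch, a build that combines ED25519 signatures with EC256 encryption now includes `config-asn1.h` and never reaches `config-ed25519.h`. Likewise, RSA signatures with EC256 encryption keep `config-rsa.h`. Whether those headers enable everything the other feature needs is not visible in this hunk, so a build could end up with an mbedTLS configuration that lacks part of the signature-verification path. I would either handle the mixed cases explicitly in this chain or restrict the allowed combinations in Kconfig, and add a comment such as `/* EC256 encryption only needs the ASN.1 parser; signature type takes precedence */` to document the intended precedence.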
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 925591c..f517b7e 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -62,6 +62,11 @@
#define MCUBOOT_ENCRYPT_RSA
#endif
+#ifdef CONFIG_BOOT_ENCRYPT_EC256
+#define MCUBOOT_ENC_IMAGES
+#define MCUBOOT_ENCRYPT_EC256
+#endif
+
#ifdef CONFIG_BOOT_BOOTSTRAP
#define MCUBOOT_BOOTSTRAP 1
#endif
diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c
index ee61c7d..afc0ea6 100644
--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -176,6 +176,26 @@
.key = enc_priv_key,
.len = &enc_priv_key_len,
};
+#elif defined(MCUBOOT_ENCRYPT_EC256)
+unsigned char enc_priv_key[] = {
+ 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+ 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
+ 0xf6, 0x1e, 0x51, 0x9d, 0xf8, 0xfa, 0xdd, 0xa1, 0xb7, 0xd9, 0xa9, 0x64,
+ 0x64, 0x3b, 0x54, 0xd0, 0x3d, 0xd0, 0x1f, 0xe5, 0x78, 0xd9, 0x17, 0x98,
+ 0xa5, 0x28, 0xca, 0xcc, 0x6b, 0x67, 0x9e, 0x06, 0xa1, 0x44, 0x03, 0x42,
+ 0x00, 0x04, 0x8a, 0x44, 0x73, 0x00, 0x94, 0xc9, 0x80, 0x27, 0x31, 0x0d,
+ 0x23, 0x36, 0x6b, 0xe9, 0x69, 0x9f, 0xcb, 0xc5, 0x7c, 0xc8, 0x44, 0x1a,
+ 0x93, 0xe6, 0xee, 0x7d, 0x86, 0xa6, 0xae, 0x5e, 0x93, 0x72, 0x74, 0xd9,
+ 0xe1, 0x5a, 0x1c, 0x9b, 0x65, 0x1a, 0x2b, 0x61, 0x41, 0x28, 0x02, 0x73,
+ 0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67,
+ 0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc,
+};
+static unsigned int enc_priv_key_len = 138;
+const struct bootutil_key bootutil_enc_key = {
+ .key = enc_priv_key,
+ .len = &enc_priv_key_len,
+};
#elif defined(MCUBOOT_ENCRYPT_KW)
#error "Encrypted images with AES-KW is not implemented yet."
#endif
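Review bot: The `enc_priv_key` array added under `MCUBOOT_ENCRYPT_EC256` is a DER-encoded P-256 private key committed to the source tree, and nothing in the hunk marks it as a sample. Any image encrypted to the matching public key can be decrypted by anyone who has this file, so a product built with the default key gets no confidentiality from image encryption. I would put a comment above the array such as `/* Sample ECIES-P256 private key, development only: replace with a project-specific key before shipping. */`. The literal length can also drift from the array; `static unsigned int enc_priv_key_len = sizeof(enc_priv_key);` avoids that. If `bootutil_key.key` points to const data and nothing else references the symbol, the array could be `static const` as well. The `#if` chain this branch belongs to starts outside the hunk.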
diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf
index d40307a..89e55f5 100644
--- a/boot/zephyr/prj.conf
+++ b/boot/zephyr/prj.conf
@@ -7,6 +7,7 @@
CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
CONFIG_BOOT_ENCRYPT_RSA=n
+CONFIG_BOOT_ENCRYPT_EC256=n
CONFIG_BOOT_BOOTSTRAP=n