Sim: Add testcases for AES256 image encryption
Signed-off-by: Salome Thirot <salome.thirot@arm.com>
diff --git a/sim/mcuboot-sys/Cargo.toml b/sim/mcuboot-sys/Cargo.toml
index ac203f1..06f6aec 100644
--- a/sim/mcuboot-sys/Cargo.toml
+++ b/sim/mcuboot-sys/Cargo.toml
@@ -38,18 +38,30 @@
# Encrypt image in the secondary slot using RSA-OAEP-2048
enc-rsa = []
+# Encrypt image in the secondary slot using AES-256-CTR and RSA-OAEP-2048
+enc-aes256-rsa = []
+
# Encrypt image in the secondary slot using AES-KW-128
enc-kw = []
+# Encrypt image in the secondary slot using AES-256-CTR and AES-KW-256
+enc-aes256-kw = []
+
# Encrypt image in the secondary slot using ECIES-P256
enc-ec256 = []
+# Encrypt image in the secondary slot using AES-256-CTR and ECIES-P256
+enc-aes256-ec256 = []
+
# Encrypt image in the secondary slot using ECIES-P256 using Mbed TLS
enc-ec256-mbedtls = []
# Encrypt image in the secondary slot using ECIES-X25519
enc-x25519 = []
+# Encrypt image in the secondary slot using AES-256-CTR and ECIES-X25519
+enc-aes256-x25519 = []
+
# Allow bootstrapping an empty/invalid primary slot from a valid secondary slot
bootstrap = []
@@ -59,6 +71,7 @@
# Check (in software) against version downgrades.
downgrade-prevention = []
+
[build-dependencies]
cc = "1.0.25"
diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs
index 620e84f..082899c 100644
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@@ -19,10 +19,14 @@
let validate_primary_slot =
env::var("CARGO_FEATURE_VALIDATE_PRIMARY_SLOT").is_ok();
let enc_rsa = env::var("CARGO_FEATURE_ENC_RSA").is_ok();
+ let enc_aes256_rsa = env::var("CARGO_FEATURE_ENC_AES256_RSA").is_ok();
let enc_kw = env::var("CARGO_FEATURE_ENC_KW").is_ok();
+ let enc_aes256_kw = env::var("CARGO_FEATURE_ENC_AES256_KW").is_ok();
let enc_ec256 = env::var("CARGO_FEATURE_ENC_EC256").is_ok();
let enc_ec256_mbedtls = env::var("CARGO_FEATURE_ENC_EC256_MBEDTLS").is_ok();
+ let enc_aes256_ec256 = env::var("CARGO_FEATURE_ENC_AES256_EC256").is_ok();
let enc_x25519 = env::var("CARGO_FEATURE_ENC_X25519").is_ok();
+ let enc_aes256_x25519 = env::var("CARGO_FEATURE_ENC_AES256_X25519").is_ok();
let bootstrap = env::var("CARGO_FEATURE_BOOTSTRAP").is_ok();
let multiimage = env::var("CARGO_FEATURE_MULTIIMAGE").is_ok();
let downgrade_prevention = env::var("CARGO_FEATURE_DOWNGRADE_PREVENTION").is_ok();
@@ -148,7 +152,10 @@
conf.define("MCUBOOT_SWAP_USING_SCRATCH", None);
}
- if enc_rsa {
+ if enc_rsa || enc_aes256_rsa {
+ if enc_aes256_rsa {
+ conf.define("MCUBOOT_AES_256", None);
+ }
conf.define("MCUBOOT_ENCRYPT_RSA", None);
conf.define("MCUBOOT_ENC_IMAGES", None);
conf.define("MCUBOOT_USE_MBED_TLS", None);
@@ -169,7 +176,10 @@
conf.file("../../ext/mbedtls/crypto/library/asn1parse.c");
}
- if enc_kw {
+ if enc_kw || enc_aes256_kw {
+ if enc_aes256_kw {
+ conf.define("MCUBOOT_AES_256", None);
+ }
conf.define("MCUBOOT_ENCRYPT_KW", None);
conf.define("MCUBOOT_ENC_IMAGES", None);
@@ -234,7 +244,10 @@
conf.file("../../ext/tinycrypt/lib/source/ctr_mode.c");
conf.file("../../ext/tinycrypt/lib/source/hmac.c");
conf.file("../../ext/tinycrypt/lib/source/ecc_dh.c");
- } else if enc_ec256_mbedtls {
+ } else if enc_ec256_mbedtls || enc_aes256_ec256 {
+ if enc_aes256_ec256 {
+ conf.define("MCUBOOT_AES_256", None);
+ }
conf.define("MCUBOOT_ENCRYPT_EC256", None);
conf.define("MCUBOOT_ENC_IMAGES", None);
conf.define("MCUBOOT_USE_MBED_TLS", None);
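Review bot: `enc_aes256_ec256` is only honoured in this `else if` arm, so when the preceding arm is taken the build silently omits `MCUBOOT_AES_256`; that arm's condition is outside the hunk, presumably `enc_ec256` given the tinycrypt sources above. Cargo features are additive, so both can end up enabled through feature unification or `--all-features`, and the AES-256 tests would then presumably run against a 128-bit bootloader build. A guard ahead of the chain makes the conflict visible, e.g. `if enc_ec256 && enc_aes256_ec256 { panic!("enc-ec256 and enc-aes256-ec256 are mutually exclusive"); }`. The same applies to the `else if enc_aes256_x25519` arm added in the next hunk.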
@@ -283,18 +296,42 @@
conf.file("../../ext/tinycrypt/lib/source/hmac.c");
}
+ else if enc_aes256_x25519 {
+ conf.define("MCUBOOT_AES_256", None);
+ conf.define("MCUBOOT_ENCRYPT_X25519", None);
+ conf.define("MCUBOOT_ENC_IMAGES", None);
+ conf.define("MCUBOOT_USE_MBED_TLS", None);
+ conf.define("MCUBOOT_SWAP_SAVE_ENCTLV", None);
+
+ conf.file("../../boot/bootutil/src/encrypted.c");
+ conf.file("csupport/keys.c");
+
+ conf.include("../../ext/mbedtls/crypto/include");
+ conf.file("../../ext/fiat/src/curve25519.c");
+ conf.file("../../ext/mbedtls-asn1/src/platform_util.c");
+ conf.file("../../ext/mbedtls-asn1/src/asn1parse.c");
+ conf.file("../../ext/mbedtls/crypto/library/platform.c");
+ conf.file("../../ext/mbedtls/crypto/library/platform_util.c");
+ conf.file("../../ext/mbedtls/crypto/library/aes.c");
+ conf.file("../../ext/mbedtls/crypto/library/sha256.c");
+ conf.file("../../ext/mbedtls/crypto/library/md.c");
+ conf.file("../../ext/mbedtls/crypto/library/sha512.c");
+ }
+
if sig_rsa && enc_kw {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa-kw.h>"));
- } else if sig_rsa || sig_rsa3072 || enc_rsa {
+ } else if sig_rsa || sig_rsa3072 || enc_rsa || enc_aes256_rsa {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa.h>"));
- } else if sig_ecdsa_mbedtls || enc_ec256_mbedtls {
+ } else if sig_ecdsa_mbedtls || enc_ec256_mbedtls || enc_aes256_ec256 {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-ec.h>"));
} else if (sig_ecdsa || enc_ec256) && !enc_kw {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
} else if sig_ed25519 || enc_x25519 {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
- } else if enc_kw {
+ } else if enc_kw || enc_aes256_kw {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-kw.h>"));
+ } else if enc_aes256_x25519 {
+ conf.define("MBEDTLS_CONFIG_FILE", Some("<config-ed25519.h>"));
}
conf.file("../../boot/bootutil/src/image_validate.c");
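Review bot: The `MBEDTLS_CONFIG_FILE` chain is first-match, and the new features are shadowed by earlier arms in combinations that look plausible. `sig_rsa && enc_kw` was not extended, so `sig_rsa` with `enc_aes256_kw` falls through to `<config-rsa.h>` instead of `<config-rsa-kw.h>`; and `enc_aes256_x25519` only reaches `<config-ed25519.h>` when `sig_ed25519` is off, because `sig_ed25519 || enc_x25519` selects `<config-asn1.h>` first, even though the new arm compiles the mbedtls `aes.c`, `sha256.c`, `md.c` and `sha512.c`. Whether those headers enable what the new sources need is not visible here, so it is worth confirming. If they do not, use `if sig_rsa && (enc_kw || enc_aes256_kw)` and move the `enc_aes256_x25519` arm above the `sig_ed25519 || enc_x25519` one.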
diff --git a/sim/mcuboot-sys/csupport/keys.c b/sim/mcuboot-sys/csupport/keys.c
index 8011629..f9325be 100644
--- a/sim/mcuboot-sys/csupport/keys.c
+++ b/sim/mcuboot-sys/csupport/keys.c
@@ -256,11 +256,20 @@
#endif
#if defined(MCUBOOT_ENCRYPT_KW)
+#if defined(MCUBOOT_AES_256)
+unsigned char enc_key[] = {
+ 0xE4, 0x5C, 0x51, 0x46, 0xD2, 0x1C, 0x82, 0x35, 0xCC, 0x1A, 0x19, 0xAF,
+ 0xA1, 0xF2, 0xAA, 0x20, 0xC8, 0x8C, 0x7F, 0x40, 0x6C, 0xDB, 0x22, 0xAA,
+ 0x6A, 0xB5, 0xCB, 0xAA, 0xF8, 0xB1, 0x5B, 0xB4
+};
+static unsigned int enc_key_len = 32;
+#else
unsigned char enc_key[] = {
0xd1, 0x5a, 0x04, 0x95, 0xc4, 0xc2, 0xa8, 0xff, 0x30, 0x78, 0xce, 0x49,
0xb5, 0xfc, 0xb2, 0xdd
};
static unsigned int enc_key_len = 16;
+#endif
const struct bootutil_key bootutil_enc_key = {
.key = enc_key,
.len = &enc_key_len,
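Review bot: The new 32-byte `enc_key` carries no comment on its origin or scope, and a hard-coded key-encryption key is the kind of constant that gets copied into real configurations. A comment above the `MCUBOOT_AES_256` array such as `/* Simulator-only AES-256 KEK for the enc-aes256-kw tests; it must match the key the test harness wraps with. */` would document that (the harness side is not visible here, so confirm the wording). The length is also a second literal that has to track the array; `static unsigned int enc_key_len = sizeof(enc_key);` removes that in both branches. The enclosing `#if defined(MCUBOOT_ENCRYPT_KW)` block continues outside the hunk.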
diff --git a/sim/mcuboot-sys/csupport/run.c b/sim/mcuboot-sys/csupport/run.c
index 2bea140..c8bfd4e 100644
--- a/sim/mcuboot-sys/csupport/run.c
+++ b/sim/mcuboot-sys/csupport/run.c
@@ -174,6 +174,15 @@
int kw_encrypt_(const uint8_t *kek, const uint8_t *seckey, uint8_t *encbuf)
{
#ifdef MCUBOOT_ENCRYPT_KW
+#ifdef MCUBOOT_AES_256
+ int key_len = 256;
+ int out_size = 40;
+ int in_len = 32;
+#else
+ int key_len = 128;
+ int out_size = 24;
+ int in_len = 16;
+#endif
mbedtls_nist_kw_context kw;
size_t olen;
int rc;
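Review bot: `key_len`, `out_size` and `in_len` are three independent literals per branch although they describe one quantity: the wrapped output is the input plus the 8-byte KW integrity block, and in both branches the KEK size in bits is `in_len * 8`. Deriving them keeps the branches from drifting, e.g. `const size_t in_len = 32;` (16 in the `#else`), then `const size_t out_size = in_len + 8;` and `const unsigned int key_len = in_len * 8;`, which also matches the parameter types mbedtls declares for the calls in the next hunk. A short comment stating that `kek` and `seckey` must hold `in_len` bytes and `encbuf` `out_size` bytes would help, since the signature carries no lengths. The function body continues outside the hunk.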
@@ -182,13 +191,13 @@
mbedtls_nist_kw_init(&kw);
- rc = mbedtls_nist_kw_setkey(&kw, MBEDTLS_CIPHER_ID_AES, kek, 128, 1);
+ rc = mbedtls_nist_kw_setkey(&kw, MBEDTLS_CIPHER_ID_AES, kek, key_len, 1);
if (rc) {
goto done;
}
- rc = mbedtls_nist_kw_wrap(&kw, MBEDTLS_KW_MODE_KW, seckey, 16, encbuf,
- &olen, 24);
+ rc = mbedtls_nist_kw_wrap(&kw, MBEDTLS_KW_MODE_KW, seckey, in_len, encbuf,
+ &olen, out_size);
done:
mbedtls_nist_kw_free(&kw);
@@ -232,7 +241,8 @@
#if defined(MCUBOOT_SIGN_RSA) || \
(defined(MCUBOOT_SIGN_EC256) && defined(MCUBOOT_USE_MBED_TLS)) ||\
- (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS))
+ (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS)) ||\
+ (defined(MCUBOOT_ENCRYPT_X25519) && defined(MCUBOOT_USE_MBED_TLS))
mbedtls_platform_set_calloc_free(calloc, free);
#endif
diff --git a/sim/mcuboot-sys/src/c.rs b/sim/mcuboot-sys/src/c.rs
index 5f518f5..7814375 100644
--- a/sim/mcuboot-sys/src/c.rs
+++ b/sim/mcuboot-sys/src/c.rs
@@ -1,6 +1,6 @@
// Copyright (c) 2017-2019 Linaro LTD
// Copyright (c) 2017-2019 JUUL Labs
-// Copyright (c) 2019 Arm Limited
+// Copyright (c) 2019-2021 Arm Limited
//
// SPDX-License-Identifier: Apache-2.0
@@ -67,9 +67,12 @@
}
}
-pub fn kw_encrypt(kek: &[u8], seckey: &[u8]) -> Result<[u8; 24], &'static str> {
+pub fn kw_encrypt(kek: &[u8], seckey: &[u8], keylen: u32) -> Result<Vec<u8>, &'static str> {
unsafe {
- let mut encbuf = [0u8; 24];
+ let mut encbuf = vec![0u8; 24];
+ if keylen == 32 {
+ encbuf = vec![0u8; 40];
+ }
if raw::kw_encrypt_(kek.as_ptr(), seckey.as_ptr(), encbuf.as_mut_ptr()) == 0 {
return Ok(encbuf);
}
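Review bot: `kw_encrypt` is a safe `pub fn`, but nothing checks that `kek`, `seckey` and `encbuf` are as large as what `kw_encrypt_` will touch. The C side picks 16/24 or 32/40 bytes from `MCUBOOT_AES_256` at compile time, while this side sizes `encbuf` from the runtime `keylen`, so a `keylen` other than 32 in an AES-256 build leaves a 24-byte buffer for a 40-byte write, and slices shorter than the compiled-in length are read past their end. Reject anything but 16 or 32, require both slices to have exactly that length, and allocate the buffer once as `keylen + 8`. Ideally also tie the accepted length to the `enc-aes256-kw` feature or pass the lengths across the FFI boundary. The end of the function is outside the hunk.

```rust
pub fn kw_encrypt(kek: &[u8], seckey: &[u8], keylen: u32) -> Result<Vec<u8>, &'static str> {
    // kw_encrypt_ reads `keylen` bytes from each input and writes `keylen + 8`
    // bytes (AES-KW appends an 8-byte integrity block), so check before the call.
    let keylen = keylen as usize;
    if !matches!(keylen, 16 | 32) || kek.len() != keylen || seckey.len() != keylen {
        return Err("Invalid key length");
    }
    let mut encbuf = vec![0u8; keylen + 8];
    // … unchanged: unsafe call to raw::kw_encrypt_ and result handling …
```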