Cypress: add encryption with mbedTLS
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
diff --git a/boot/cypress/BlinkyApp/BlinkyApp.mk b/boot/cypress/BlinkyApp/BlinkyApp.mk
index a4ae952..c60f27e 100644
--- a/boot/cypress/BlinkyApp/BlinkyApp.mk
+++ b/boot/cypress/BlinkyApp/BlinkyApp.mk
@@ -95,6 +95,9 @@
# Set build directory for BOOT and UPGRADE images
ifeq ($(IMG_TYPE), UPGRADE)
+ ifeq ($(ENC_IMG), 1)
+ SIGN_ARGS += --encrypt ../../$(ENC_KEY_FILE).pem
+ endif
SIGN_ARGS += --pad
UPGRADE_SUFFIX :=_upgrade
OUT_CFG := $(OUT_CFG)/upgrade
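Review bot: `ENC_IMG=1` takes effect only inside the `ifeq ($(IMG_TYPE), UPGRADE)` branch, so a build with `IMG_TYPE=BOOT ENC_IMG=1` yields an unencrypted image with no message. A user who asked for encryption should not silently get plaintext; a check on the non-UPGRADE path such as `$(warning ENC_IMG=1 is ignored unless IMG_TYPE=UPGRADE)` (or `$(error ...)`) would make this visible. The key path is also fixed to `../../$(ENC_KEY_FILE).pem`, while the Readme text added in this commit says the `*.pem` key is placed in the `keys` folder, so one of the two probably needs correcting. The enclosing conditional continues outside the hunk.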
diff --git a/boot/cypress/BlinkyApp/Readme.md b/boot/cypress/BlinkyApp/Readme.md
index de13e8d..60ab3ce 100644
--- a/boot/cypress/BlinkyApp/Readme.md
+++ b/boot/cypress/BlinkyApp/Readme.md
@@ -83,7 +83,7 @@
To prepare MCUBootApp for work with external memory please refer to `MCUBootApp/ExternalMemory.md`.
-For build BlinkyApp upgarde image for external memory use command:
+For build BlinkyApp upgrade image for external memory use command:
make app APP_NAME=BlinkyApp PLATFORM=PSOC_062_2M IMG_TYPE=UPGRADE HEADER_OFFSET=0x7FE8000 ERASED_VALUE=0xff
@@ -97,6 +97,16 @@
Note: for S25FL512S block address shuld be mutiple by 0x40000
+**How to build encrypted upgrade image :**
+
+To prepare MCUBootApp for work with encrypted upgrade image please refer to `MCUBootApp/Readme.md`.
+
+To obtain encrypted upgrade image of BlinkyApp extra flag `ENC_IMG=1` should be passed in command line, for example:
+
+ make app APP_NAME=BlinkyApp PLATFORM=PSOC_062_2M IMG_TYPE=UPGRADE HEADER_OFFSET=0x20000 ENC_IMG=1
+
+This also suggests user already placed corresponing `*.pem` key in `\keys` folder. The key variables are defined in root `Makefile` as `SIGN_KEY_FILE` and `ENC_KEY_FILE`
+
### Post-Build
Post build action is executed at compile time for `BlinkyApp`. In case of build for `PSOC_062_2M` platform it calls `imgtool` from `MCUBoot` scripts and adds signature to compiled image.
diff --git a/boot/cypress/MCUBootApp/MCUBootApp.mk b/boot/cypress/MCUBootApp/MCUBootApp.mk
index 18474e1..7a15ce5 100644
--- a/boot/cypress/MCUBootApp/MCUBootApp.mk
+++ b/boot/cypress/MCUBootApp/MCUBootApp.mk
@@ -30,6 +30,7 @@
USE_CRYPTO_HW ?= 1
USE_EXTERNAL_FLASH ?= 0
MCUBOOT_IMAGE_NUMBER ?= 1
+ENC_IMG ?= 0
ifneq ($(COMPILER), GCC_ARM)
$(error Only GCC ARM is supported at this moment)
@@ -53,12 +54,17 @@
DEFINES_APP += -DCY_BOOT_USE_EXTERNAL_FLASH
endif
DEFINES_APP += -DMCUBOOT_MAX_IMG_SECTORS=$(MAX_IMG_SECTORS)
-
+# Hardrware acceleration support
ifeq ($(USE_CRYPTO_HW), 1)
DEFINES_APP += -DMBEDTLS_USER_CONFIG_FILE="\"mcuboot_crypto_acc_config.h\""
DEFINES_APP += -DCY_CRYPTO_HAL_DISABLE
DEFINES_APP += -DCY_MBEDTLS_HW_ACCELERATION
endif
+# Encrypted image support
+ifeq ($(ENC_IMG), 1)
+DEFINES_APP += -DENC_IMG=1
+endif
+
# Collect MCUBoot sourses
SOURCES_MCUBOOT := $(wildcard $(CURDIR)/../bootutil/src/*.c)
# Collect MCUBoot Application sources
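Review bot: The new `# Encrypted image support` comment does not say that the switch only adds decryption support and does not make encryption mandatory. The README text added in this commit states that both unencrypted and encrypted images are accepted in the secondary slot once the bootloader is built this way. I would write `# Encrypted image support: lets the bootloader decrypt upgrade images; unencrypted upgrades are still accepted`. The comment added above `USE_CRYPTO_HW` also has a typo and should read `# Hardware acceleration support`.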
diff --git a/boot/cypress/MCUBootApp/README.md b/boot/cypress/MCUBootApp/README.md
index 713757d..931281d 100644
--- a/boot/cypress/MCUBootApp/README.md
+++ b/boot/cypress/MCUBootApp/README.md
@@ -148,6 +148,15 @@
Root directory for build is **boot/cypress.**
+**Encrypted Image Support**
+
+To protect user image from unwanted read Upgrade Image Encryption can be applied. The ECDH/HKDF with EC256 scheme is used in a given solution as well as mbedTLS as a crypto provider.
+
+To enable image encryption support `MCUBOOT_ENC_IMAGES` and `MCUBOOT_ENCRYPT_EC256` have to be defined (can be done by uncommenting in `mcuboot_config.h`).
+User is also responsible on providing corresponding binary key data in `enc_priv_key[]` (file `\MCUBootApp\keys.c`). The public part will be used by imgtool when signing and encrypting upgrade image. Signing image with encryption is described in `\BlinkyApp\readme.md`.
+
+After MCUBootApp is built with these settings unencrypted and encrypted images will be accepted in secondary (upgrade) slot.
+
**Programming solution**
There are couple ways of programming hex of MCUBootApp and BlinkyApp. Following instructions assume one of Cypress development kits, for example `CY8CPROTO_062_4343W`.
diff --git a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
index cecd807..196bbd6 100644
--- a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
+++ b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
@@ -144,4 +144,11 @@
/* TODO: to be implemented */ \
} while (0)
+/* Uncomment these if support of encrypted upgrade image is needed */
+#ifdef ENC_IMG
+#define MCUBOOT_ENC_IMAGES
+#define MCUBOOT_ENCRYPT_EC256
+#define NUM_ECC_BYTES (256 / 8)
+#endif /* ENC_IMG */
+
#endif /* MCUBOOT_CONFIG_H */
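Review bot: The comment `/* Uncomment these if support of encrypted upgrade image is needed */` no longer matches the code, because the defines are not commented out and are instead enabled by `#ifdef ENC_IMG`. A reader following the comment (or the README, which gives the same instruction) would look for lines to uncomment and could miss that the build flag `ENC_IMG=1` is the actual switch. I would reword it to `/* Encrypted upgrade image support; enabled by building with ENC_IMG=1 (-DENC_IMG) */`. `NUM_ECC_BYTES` is defined here without an `#ifndef` guard; if another header in the build also defines it, which cannot be seen from this hunk, that would be a redefinition.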
diff --git a/boot/cypress/MCUBootApp/config/mcuboot_crypto_acc_config.h b/boot/cypress/MCUBootApp/config/mcuboot_crypto_acc_config.h
index 2bf440a..b172740 100644
--- a/boot/cypress/MCUBootApp/config/mcuboot_crypto_acc_config.h
+++ b/boot/cypress/MCUBootApp/config/mcuboot_crypto_acc_config.h
@@ -35,7 +35,9 @@
// #define MBEDTLS_CIPHER_MODE_CBC
// #define MBEDTLS_CIPHER_MODE_CFB
// #define MBEDTLS_CIPHER_MODE_OFB
-// #define MBEDTLS_CIPHER_MODE_CTR
+#ifdef MCUBOOT_ENC_IMAGES
+#define MBEDTLS_CIPHER_MODE_CTR
+#endif
// #define MBEDTLS_CIPHER_MODE_XTS
/* Only NIST-P curves are currently supported */
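Review bot: `#ifdef MCUBOOT_ENC_IMAGES` makes `MBEDTLS_CIPHER_MODE_CTR` depend on a macro that this commit defines only inside `mcuboot_config.h`, not on the compiler command line. Any translation unit that reads this mbedTLS config without first including `mcuboot_config.h` (presumably the mbedTLS sources themselves) would be built without CTR. Unless this header includes `mcuboot_config.h` above the hunk, testing the command-line macro is safer: `#ifdef ENC_IMG`. The same applies to the `MBEDTLS_SHA256_DIGEST_SIZE` / `MBEDTLS_AES_KEY_SIZE` block added to `mcuboot_crypto_config.h`.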
diff --git a/boot/cypress/MCUBootApp/config/mcuboot_crypto_config.h b/boot/cypress/MCUBootApp/config/mcuboot_crypto_config.h
index 6bc5145..efb1bda 100644
--- a/boot/cypress/MCUBootApp/config/mcuboot_crypto_config.h
+++ b/boot/cypress/MCUBootApp/config/mcuboot_crypto_config.h
@@ -3598,4 +3598,9 @@
#include "mbedtls/check_config.h"
+#ifdef MCUBOOT_ENC_IMAGES
+#define MBEDTLS_SHA256_DIGEST_SIZE (32)
+#define MBEDTLS_AES_KEY_SIZE 16
+#endif
+
#endif /* MBEDTLS_CONFIG_H */
diff --git a/boot/cypress/MCUBootApp/keys.c b/boot/cypress/MCUBootApp/keys.c
index a09528c..4dbd5af 100644
--- a/boot/cypress/MCUBootApp/keys.c
+++ b/boot/cypress/MCUBootApp/keys.c
@@ -174,3 +174,23 @@
};
const int bootutil_key_cnt = 1;
#endif /* !MCUBOOT_HW_KEY */
+
+unsigned char enc_priv_key[] = {
+ 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+ 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
+ 0xf6, 0x1e, 0x51, 0x9d, 0xf8, 0xfa, 0xdd, 0xa1, 0xb7, 0xd9, 0xa9, 0x64,
+ 0x64, 0x3b, 0x54, 0xd0, 0x3d, 0xd0, 0x1f, 0xe5, 0x78, 0xd9, 0x17, 0x98,
+ 0xa5, 0x28, 0xca, 0xcc, 0x6b, 0x67, 0x9e, 0x06, 0xa1, 0x44, 0x03, 0x42,
+ 0x00, 0x04, 0x8a, 0x44, 0x73, 0x00, 0x94, 0xc9, 0x80, 0x27, 0x31, 0x0d,
+ 0x23, 0x36, 0x6b, 0xe9, 0x69, 0x9f, 0xcb, 0xc5, 0x7c, 0xc8, 0x44, 0x1a,
+ 0x93, 0xe6, 0xee, 0x7d, 0x86, 0xa6, 0xae, 0x5e, 0x93, 0x72, 0x74, 0xd9,
+ 0xe1, 0x5a, 0x1c, 0x9b, 0x65, 0x1a, 0x2b, 0x61, 0x41, 0x28, 0x02, 0x73,
+ 0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67,
+ 0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc,
+};
+static unsigned int enc_priv_key_len = 138;
+const struct bootutil_key bootutil_enc_key = {
+ .key = enc_priv_key,
+ .len = &enc_priv_key_len,
+};
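Review bot: `enc_priv_key[]` places a private EC key in the source tree and compiles it into every build, since the block is not guarded by `MCUBOOT_ENC_IMAGES`. Nothing marks it as a sample key, and a product shipped with it unchanged gets no confidentiality from image encryption, because the key is public in the repository. I would wrap the block in `#if defined(MCUBOOT_ENC_IMAGES)` ... `#endif` and add a comment along the lines of `/* TEST KEY ONLY: replace with a device-specific key before production */`. The array should also be `const unsigned char enc_priv_key[]`, and the length should be `sizeof(enc_priv_key)` rather than the literal `138`, so that replacing the key cannot leave a stale length.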
diff --git a/boot/cypress/MCUBootApp/libs.mk b/boot/cypress/MCUBootApp/libs.mk
index 3605bb3..3dc7027 100644
--- a/boot/cypress/MCUBootApp/libs.mk
+++ b/boot/cypress/MCUBootApp/libs.mk
@@ -45,20 +45,10 @@
INCLUDE_DIRS_CORE_LIB := $(CUR_LIBS_PATH)/core-lib/include
INCLUDE_DIRS_WATCHDOG := $(CUR_LIBS_PATH)/watchdog
-SOURCES_HAL += $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/source/cyhal_crypto_common.c
-SOURCES_HAL += $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/source/cyhal_hwmgr.c
-
# Collected source files for libraries
SOURCES_LIBS := $(SOURCES_PDL)
SOURCES_LIBS += $(SOURCES_WATCHDOG)
SOURCES_LIBS += $(SOURCES_PLATFORM)
-SOURCES_LIBS += $(SOURCES_HAL)
-
-# needed for Crypto HW Acceleration and headers inclusion, do not use for peripherals
-# peripherals should be accessed
-INCLUDE_DIRS_HAL := $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/include
-INCLUDE_DIRS_HAL += $(CUR_LIBS_PATH)/psoc6hal/include
-INCLUDE_DIRS_HAL += $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/include/pin_packages
# Collected include directories for libraries
INCLUDE_DIRS_LIBS := $(addprefix -I,$(INCLUDE_DIRS_PDL))
diff --git a/boot/cypress/Makefile b/boot/cypress/Makefile
index 9a7b43a..c2edca6 100644
--- a/boot/cypress/Makefile
+++ b/boot/cypress/Makefile
@@ -43,6 +43,8 @@
POST_BUILD ?= 1
SIGN_KEY_FILE ?= cypress-test-ec-p256
+ENC_KEY_FILE ?= enc-ec256-pub
+ENC_IMG ?= 0
# set this variable to a path, where cysecuretools python package is installed
# use command `python -m pip show cysecuretools` to find out this path
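Review bot: `ENC_KEY_FILE ?= enc-ec256-pub` is added without a comment, so the Makefile does not say that this is the public half of the encryption key pair, that the name is given without `.pem`, or where the file is looked up. Judging by the name and by `cypress-test-ec-p256` on the line above, the default looks like a sample key, and it has to match the private key embedded in `MCUBootApp/keys.c`. I would add `# public EC256 key passed to imgtool --encrypt (file name without .pem); the default is a test key and must be replaced together with enc_priv_key[] in MCUBootApp/keys.c`.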