Boot: Add encrypted image support
Introduces the 'MCUBOOT_ENCRYPT_RSA' compile time switch. When set to
'ON', adds encrypted image support in the BL2 source and encrypts the
signed images. As a result, BL2 can now accept an encrypted image
for upgrade and decrypt it when applying. It can also re-encrypt the
original image if it is kept and moved back to the secondary slot.
Change-Id: I998861c7175c136eed60ac13c802134705b5c3f3
Signed-off-by: Balint Matyi <Balint.Matyi@arm.com>
diff --git a/bl2/ext/mcuboot/include/config-rsa.h b/bl2/ext/mcuboot/include/config-rsa.h
index b721953..c345245 100644
--- a/bl2/ext/mcuboot/include/config-rsa.h
+++ b/bl2/ext/mcuboot/include/config-rsa.h
@@ -1,7 +1,7 @@
/*
* Minimal configuration for using TLS in the bootloader
*
- * Copyright (C) 2006-2019, Arm Limited. All rights reserved.
+ * Copyright (C) 2006-2020, Arm Limited. All rights reserved.
* Copyright (C) 2016, Linaro Ltd
*
* SPDX-License-Identifier: Apache-2.0
@@ -47,7 +47,7 @@
#define MBEDTLS_PLATFORM_PRINTF_ALT
#define MBEDTLS_RSA_C
-#define MBEDTLS_PKCS1_V15
+#define MBEDTLS_PKCS1_V21
/* mbed TLS modules */
#define MBEDTLS_ASN1_PARSE_C
@@ -56,6 +56,7 @@
#define MBEDTLS_MD_C
#define MBEDTLS_OID_C
#define MBEDTLS_SHA256_C
+#define MBEDTLS_AES_C
/* Save RAM by adjusting to our exact needs */
#if MCUBOOT_SIGN_RSA_LEN == 3072
@@ -71,7 +72,6 @@
#ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING
#define MBEDTLS_CIPHER_C
-#define MBEDTLS_AES_C
#define MBEDTLS_CCM_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
diff --git a/bl2/ext/mcuboot/include/hal/hal_flash.h b/bl2/ext/mcuboot/include/hal/hal_flash.h
new file mode 100644
index 0000000..dd3d206
--- /dev/null
+++ b/bl2/ext/mcuboot/include/hal/hal_flash.h
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*
+ * Original code taken from mcuboot project at:
+ * https://github.com/JuulLabs-OSS/mcuboot
+ * Git SHA of the original version: 50d24a57516f558dac72bef634723b60c5cfb46b
+ *
+ * This file is only here for compatibility and build purposes, and was emptied
+ * of all its meaningful contents.
+ */
+
+#ifndef H_HAL_FLASH_
+#define H_HAL_FLASH_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* H_HAL_FLASH_ */
diff --git a/bl2/ext/mcuboot/include/mcuboot_config/mcuboot_config.h.in b/bl2/ext/mcuboot/include/mcuboot_config/mcuboot_config.h.in
index f7b5252..49f07dd 100644
--- a/bl2/ext/mcuboot/include/mcuboot_config/mcuboot_config.h.in
+++ b/bl2/ext/mcuboot/include/mcuboot_config/mcuboot_config.h.in
@@ -62,6 +62,9 @@
*/
#define MAX_BOOT_RECORD_SZ (100u)
+#cmakedefine MCUBOOT_ENC_IMAGES
+#cmakedefine MCUBOOT_ENCRYPT_RSA
+
/*
* Cryptographic settings
*/