boot: zephyr: add ECIES-X25519 support
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
index 891b75d..c382c52 100644
--- a/boot/zephyr/CMakeLists.txt
+++ b/boot/zephyr/CMakeLists.txt
@@ -145,7 +145,7 @@
# Use mbedTLS provided by Zephyr for RSA signatures. (Its config file
# is set using Kconfig.)
zephyr_include_directories(include)
-elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
if(CONFIG_BOOT_USE_TINYCRYPT)
zephyr_library_include_directories(
${MBEDTLS_ASN1_DIR}/include
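Review bot: Tying `CONFIG_BOOT_ENCRYPT_X25519` to the Ed25519 `elseif` arm means this branch is only reached when no earlier signature-type branch matched. The context comment just above shows an RSA branch precedes it, so an RSA-signed build with X25519 encryption never gets whatever includes and sources this arm adds. An X25519-only build also pulls in everything the arm adds for Ed25519 signatures. Since the rest of the chain is outside the hunk, please confirm each signature/encryption combination still builds, or move the X25519 requirements into a standalone `if(CONFIG_BOOT_ENCRYPT_X25519)` block, as is already done for the AES sources further down.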
@@ -178,7 +178,7 @@
)
endif()
-if(CONFIG_BOOT_ENCRYPT_EC256)
+if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
zephyr_library_sources(
${TINYCRYPT_DIR}/source/aes_encrypt.c
${TINYCRYPT_DIR}/source/aes_decrypt.c
@@ -188,6 +188,12 @@
)
endif()
+if(CONFIG_BOOT_ENCRYPT_EC256)
+ zephyr_library_sources(
+ ${TINYCRYPT_DIR}/source/ecc_dh.c
+ )
+endif()
+
if(CONFIG_MCUBOOT_SERIAL)
zephyr_sources(${BOOT_DIR}/zephyr/serial_adapter.c)
zephyr_sources(${BOOT_DIR}/boot_serial/src/boot_serial.c)
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 374aef0..4f1b172 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -208,6 +208,16 @@
encryption mechanism used in this case is ECIES using primitives
described under "ECIES-P256 encryption" in docs/encrypted_images.md.
+config BOOT_ENCRYPT_X25519
+ bool "Support for encrypted upgrade images using ECIES-X25519"
+ default n
+ help
+ If y, images in the secondary slot can be encrypted and are decrypted
+ on the fly when upgrading to the primary slot, as well as encrypted
+ back when swapping from the primary slot to the secondary slot. The
+ encryption mechanism used in this case is ECIES using primitives
+ described under "ECIES-X25519 encryption" in docs/encrypted_images.md.
+
config BOOT_MAX_IMG_SECTORS
int "Maximum number of sectors per image slot"
default 128
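Review bot: Nothing in the new `BOOT_ENCRYPT_X25519` entry prevents it from being enabled together with `BOOT_ENCRYPT_EC256` or `BOOT_ENCRYPT_RSA`. With EC256 also set, the mcuboot_config.h hunk ends up defining both `MCUBOOT_ENCRYPT_EC256` and `MCUBOOT_ENCRYPT_X25519`. The `#elif` chain in the keys.c hunk then silently embeds the key from the earlier branch, so the image may be built with a different key type than the operator expects. Consider adding `depends on !BOOT_ENCRYPT_RSA && !BOOT_ENCRYPT_EC256`, or folding the encryption options into a Kconfig `choice`, so a conflicting configuration is rejected at configure time.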
diff --git a/boot/zephyr/include/mcuboot-mbedtls-cfg.h b/boot/zephyr/include/mcuboot-mbedtls-cfg.h
index 0eb6e74..2bab537 100644
--- a/boot/zephyr/include/mcuboot-mbedtls-cfg.h
+++ b/boot/zephyr/include/mcuboot-mbedtls-cfg.h
@@ -23,7 +23,9 @@
#if defined(CONFIG_BOOT_SIGNATURE_TYPE_RSA) || defined(CONFIG_BOOT_ENCRYPT_RSA)
#include "config-rsa.h"
-#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || defined(CONFIG_BOOT_ENCRYPT_EC256)
+#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || \
+ defined(CONFIG_BOOT_ENCRYPT_EC256) || \
+ (defined(CONFIG_BOOT_ENCRYPT_X25519) && !defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519))
#include "config-asn1.h"
#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
#include "config-ed25519.h"
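Review bot: The `!defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519)` term in the new condition deserves a comment, because the selection now depends on branch order. Something like `/* X25519 encryption with Ed25519 signatures uses config-ed25519.h below; with no Ed25519 signature it only needs the ASN.1 parser. */` above the `#elif` would make the intent explicit. Note also that with RSA signatures the first branch wins and `config-rsa.h` is used for X25519 as well. Whether `config-rsa.h` and `config-ed25519.h` enable everything the X25519 key parsing needs cannot be checked from this hunk.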
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index a2749e8..a642088 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -80,6 +80,11 @@
#define MCUBOOT_ENCRYPT_EC256
#endif
+#ifdef CONFIG_BOOT_ENCRYPT_X25519
+#define MCUBOOT_ENC_IMAGES
+#define MCUBOOT_ENCRYPT_X25519
+#endif
+
#ifdef CONFIG_BOOT_BOOTSTRAP
#define MCUBOOT_BOOTSTRAP 1
#endif
diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c
index d5aeba4..5dd0ca2 100644
--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -201,6 +201,18 @@
.key = enc_priv_key,
.len = &enc_priv_key_len,
};
+#elif defined(MCUBOOT_ENCRYPT_X25519)
+unsigned char enc_key[] = {
+ 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e,
+ 0x04, 0x22, 0x04, 0x20, 0x28, 0x80, 0x2f, 0xef, 0xef, 0x82, 0x95, 0x50,
+ 0xf1, 0x41, 0x93, 0x03, 0x6c, 0x1b, 0xb9, 0x49, 0x6c, 0x51, 0xe5, 0x26,
+ 0x87, 0x8f, 0x77, 0x07, 0xf8, 0xb4, 0x1f, 0x04, 0x45, 0x6d, 0x84, 0x4f,
+};
+static unsigned int enc_key_len = 48;
+const struct bootutil_key bootutil_enc_key = {
+ .key = enc_key,
+ .len = &enc_key_len,
+};
#elif defined(MCUBOOT_ENCRYPT_KW)
#error "Encrypted images with AES-KW is not implemented yet."
#endif
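Review bot: The X25519 private key is committed here as `enc_key` without any marker that it is a sample, and a build that ships it gives no confidentiality, since anyone with the repository can decrypt images encrypted to it. Add a comment above the array such as `/* Development-only sample key; replace with a provisioned key before deployment. */`. The array is also a non-`static`, non-`const` global with a generic name, and its length is hard-coded. Prefer `static unsigned int enc_key_len = sizeof(enc_key);` so the length cannot drift from the data. Declare the array `static const unsigned char enc_key[]` if `struct bootutil_key` accepts a const pointer and nothing else references the symbol; neither is visible in this hunk. The `#if`/`#elif` chain starts outside the hunk.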
diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf
index e075591..71e9a2a 100644
--- a/boot/zephyr/prj.conf
+++ b/boot/zephyr/prj.conf
@@ -9,6 +9,7 @@
CONFIG_BOOT_SWAP_SAVE_ENCTLV=n
CONFIG_BOOT_ENCRYPT_RSA=n
CONFIG_BOOT_ENCRYPT_EC256=n
+CONFIG_BOOT_ENCRYPT_X25519=n
CONFIG_BOOT_UPGRADE_ONLY=n
CONFIG_BOOT_BOOTSTRAP=n