Boot: Support AES256 in TF-M integration
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: I06eaf877212d3448b035a097cace1f3604be5b18
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index bd6126c..ccc9883 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -133,6 +133,7 @@
--pad-header
-H 0x400
-s ${MCUBOOT_SECURITY_COUNTER_S}
+ -L ${MCUBOOT_ENC_KEY_LEN_S}
-d \"\(1,${MCUBOOT_NS_IMAGE_MIN_VER}\)\"
$<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
$<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
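Review bot: Nothing visible in this diff ties the key length passed by the new `-L ${MCUBOOT_ENC_KEY_LEN_S}` line to the AES key size the bootloader itself is built to decrypt with. The same applies to the `-L` lines added in the hunks at -183 and -232. Because the S and NS lengths are separate variables, an image wrapped for 256-bit keys could be produced for a BL2 that expects 128-bit keys. If that coupling is not made elsewhere in the build, a configure-time consistency check or a single shared setting would catch the mismatch before a device rejects the image. The argument is also passed on every invocation, whereas the encryption key two lines below is gated on `MCUBOOT_ENC_IMAGES`; writing it as `$<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-L${MCUBOOT_ENC_KEY_LEN_S}>` would show when the value actually matters. The enclosing command starts and ends outside this hunk.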
@@ -183,6 +184,7 @@
--pad-header
-H 0x400
-s ${MCUBOOT_SECURITY_COUNTER_NS}
+ -L ${MCUBOOT_ENC_KEY_LEN_NS}
-d \"\(0, ${MCUBOOT_S_IMAGE_MIN_VER}\)\"
$<TARGET_FILE_DIR:tfm_ns>/tfm_ns.bin
$<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
@@ -232,6 +234,7 @@
--pad-header
-H 0x400
-s ${MCUBOOT_SECURITY_COUNTER_S}
+ -L ${MCUBOOT_ENC_KEY_LEN_S}
$<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only>
$<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}>
${CMAKE_CURRENT_BINARY_DIR}/tfm_s_ns.bin
diff --git a/bl2/ext/mcuboot/mcuboot_default_config.cmake b/bl2/ext/mcuboot/mcuboot_default_config.cmake
index 676c557..141459b 100644
--- a/bl2/ext/mcuboot/mcuboot_default_config.cmake
+++ b/bl2/ext/mcuboot/mcuboot_default_config.cmake
@@ -43,5 +43,6 @@
set(MCUBOOT_SECURITY_COUNTER_NS 1 CACHE STRING "Security counter for NS image. auto sets it to IMAGE_VERSION_NS")
set(MCUBOOT_S_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version of secure image required by the non-secure image for upgrade to this non-secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")
set(MCUBOOT_NS_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version of non-secure image required by the secure image for upgrade to this secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")
-
+set(MCUBOOT_ENC_KEY_LEN_S 128 CACHE STRING "Length of the AES key for encrypt S image")
+set(MCUBOOT_ENC_KEY_LEN_NS 128 CACHE STRING "Length of the AES key for encrypt NS image")
set(MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h" CACHE FILEPATH "Mbedtls config file to use with MCUboot")
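Review bot: The two new cache entries `MCUBOOT_ENC_KEY_LEN_S` and `MCUBOOT_ENC_KEY_LEN_NS` accept any string, so an unsupported value is only rejected later, at build time, by the wrapper's `click.Choice(['128', '256'])`. I would validate at configure time with `if(NOT MCUBOOT_ENC_KEY_LEN_S MATCHES "^(128|256)$")`, then `message(FATAL_ERROR "MCUBOOT_ENC_KEY_LEN_S must be 128 or 256")` and `endif()`, and the same for `_NS`. The help text should also state the unit and the allowed values, e.g. `"AES key length in bits (128 or 256) used to encrypt the S image"`. The hunk also removes the blank line that separated this group from `MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH`; keeping it would preserve the file's grouping.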
diff --git a/bl2/ext/mcuboot/scripts/wrapper/wrapper.py b/bl2/ext/mcuboot/scripts/wrapper/wrapper.py
index 247cb10..5cff01b 100755
--- a/bl2/ext/mcuboot/scripts/wrapper/wrapper.py
+++ b/bl2/ext/mcuboot/scripts/wrapper/wrapper.py
@@ -74,6 +74,9 @@
callback=imgtool.main.validate_security_counter,
help='Specify the value of security counter. Use the `auto` '
'keyword to automatically generate it from the image version.')
+@click.option('-L', '--encrypt-keylen', type=click.Choice(['128', '256']),
+ default='128',
+ help='Specify the value of encrypt key length. Default 128.')
@click.option('-v', '--version', callback=imgtool.main.validate_version,
required=True)
@click.option('--align', type=click.Choice(['1', '2', '4', '8']),
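Review bot: The help string for the new `-L`/`--encrypt-keylen` option does not say that the value is in bits or that it selects the AES key size for image encryption. It presumably has no effect unless an encryption key is also given with `-E`, which the help should mention if confirmed. Suggested wording: `help='AES key length in bits used to encrypt the image (128 or 256); only relevant together with -E. Default 128.'`. The decorator list and the decorated function continue outside this hunk.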
@@ -88,7 +91,7 @@
def wrap(key, align, version, header_size, pad_header, layout, pad, confirm,
max_sectors, overwrite_only, endian, encrypt, infile, outfile,
dependencies, hex_addr, erased_val, save_enctlv, public_key_format,
- security_counter):
+ security_counter, encrypt_keylen):
slot_size = macro_parser.evaluate_macro(layout, sign_bin_size_re, 0, 1)
load_addr = macro_parser.evaluate_macro(layout, load_addr_re, 0, 1)
@@ -119,8 +122,8 @@
# FIXME
raise click.UsageError("Signing and encryption must use the same "
"type of key")
-
- img.create(key, public_key_format, enckey, dependencies, boot_record)
+ img.create(key, public_key_format, enckey, dependencies, boot_record,
+ None, encrypt_keylen=int(encrypt_keylen))
img.save(outfile, hex_addr)
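Review bot: The bare positional `None` in the new `img.create(...)` call is opaque: a reader cannot tell which parameter it fills without opening imgtool. The call would also silently change meaning if that signature is reordered in a later MCUboot version. Since `encrypt_keylen` is already passed by keyword, I would either drop the `None` if the sixth parameter already defaults to it, or pass it by name (it looks like `custom_tlvs=None`; confirm against the imgtool version in use). The hunk also removes the blank line that separated the key-type check from the `img.create` call, which makes the call read as part of the preceding branch. `wrap` begins outside this hunk.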