mcuboot/boot/mbed/app_enc_keys.c

/*
 * Copyright (c) 2020 Embedded Planet
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License
 */

#include <bootutil/sign_key.h>
#include <mcuboot_config/mcuboot_config.h>

#if defined(MCUBOOT_SIGN_RSA)
#define HAVE_KEYS
extern const unsigned char rsa_pub_key[];
extern unsigned int rsa_pub_key_len;
#elif defined(MCUBOOT_SIGN_EC256)
#define HAVE_KEYS
extern const unsigned char ecdsa_pub_key[];
extern unsigned int ecdsa_pub_key_len;
#elif defined(MCUBOOT_SIGN_ED25519)
#define HAVE_KEYS
extern const unsigned char ed25519_pub_key[];
extern unsigned int ed25519_pub_key_len;
#endif

/*
 * Note: Keys for both signing and encryption must be provided by the application.
 * mcuboot's imgtool utility can be used to generate these keys and convert them into compatible C code.
 * See imgtool's documentation, specifically the section: "Incorporating the public key into the code" which can be found here:
 * https://github.com/JuulLabs-OSS/mcuboot/blob/master/docs/imgtool.md#incorporating-the-public-key-into-the-code
 */
#if defined(HAVE_KEYS)
const struct bootutil_key bootutil_keys[] = {
    {
#if defined(MCUBOOT_SIGN_RSA)
        .key = rsa_pub_key,
        .len = &rsa_pub_key_len,
#elif defined(MCUBOOT_SIGN_EC256)
        .key = ecdsa_pub_key,
        .len = &ecdsa_pub_key_len,
#elif defined(MCUBOOT_SIGN_ED25519)
        .key = ed25519_pub_key,
        .len = &ed25519_pub_key_len,
#endif
    },
};
const int bootutil_key_cnt = 1;

#if defined(MCUBOOT_ENCRYPT_RSA)

extern const unsigned char enc_priv_key[];
extern const unsigned int enc_priv_key_len;

const struct bootutil_key bootutil_enc_key = {
    .key = enc_priv_key,
    .len = &enc_priv_key_len,
};
#elif defined(MCUBOOT_ENCRYPT_KW)
#error "Encrypted images with AES-KW is not implemented yet."
#endif

#endif
Mbed-OS porting layer implementation for mcuboot This PR provides a porting layer implementation and framework for building an mcuboot-based bootloader with Mbed-OS. Some symbols are not provided by the Mbed-OS port within mcuboot, namely: - The secondary storage device (see below) - The signing keys - The encryption keys, if used Use of this port is demonstrated by the following projects: - https://github.com/AGlass0fMilk/mbed-mcuboot-demo (a complete mcuboot/Mbed-OS-based bootloader) - https://github.com/AGlass0fMilk/mbed-mcuboot-blinky (example showing how to make an Mbed-OS application that is bootable by mcuboot) Memory porting implementation: The underlying implemenation uses Mbed's BlockDevice API as the storage backend for mcuboot's memory operations. This provides a very flexible way of configuring the location and layout of the secondary flash storage area. To build an mcuboot-based bootloader with Mbed-OS, the user must implement a hook function, mbed::BlockDevice* get_secondary_bd(), to provide the secondary BlockDevice that mcuboot will use. The signing and encryption keys must also be provided by the user. They can be generated using the existing imgtool utility in the same manner used by Zephyr. There are no automated build steps currently provided by Mbed-OS to sign/encrypt build artifacts. Known limitations: The update candidate encryption features have not yet been fully tested. A truly secure implementation will require integration with Mbed's TRNG API in the future to inhibit side-channel attacks on the decryption process. The TinyCrypt backend is currently only supported for Mbed-OS builds when building with the GCC toolchain. The new cmake-based Mbed-OS build system will fix the underlying issue (file name uniqueness). Signed-off-by: George Beckstein <becksteing@embeddedplanet.com> Signed-off-by: Evelyne Donnaes <evelyne.donnaes@arm.com> Signed-off-by: Lingkai Dong <lingkai.dong@arm.com> Co-authored-by: Lingkai Dong <lingkai.dong@arm.com> Co-authored-by: Fabio Utzig <fabio.utzig@nordicsemi.no> 2020-10-30 05:32:11 +08:00			`/*`
			`* Copyright (c) 2020 Embedded Planet`
			`* SPDX-License-Identifier: Apache-2.0`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License`
			`*/`

			`#include <bootutil/sign_key.h>`
			`#include <mcuboot_config/mcuboot_config.h>`

			`#if defined(MCUBOOT_SIGN_RSA)`
			`#define HAVE_KEYS`
			`extern const unsigned char rsa_pub_key[];`
			`extern unsigned int rsa_pub_key_len;`
			`#elif defined(MCUBOOT_SIGN_EC256)`
			`#define HAVE_KEYS`
			`extern const unsigned char ecdsa_pub_key[];`
			`extern unsigned int ecdsa_pub_key_len;`
			`#elif defined(MCUBOOT_SIGN_ED25519)`
			`#define HAVE_KEYS`
			`extern const unsigned char ed25519_pub_key[];`
			`extern unsigned int ed25519_pub_key_len;`
			`#endif`

			`/*`
			`* Note: Keys for both signing and encryption must be provided by the application.`
			`* mcuboot's imgtool utility can be used to generate these keys and convert them into compatible C code.`
			`* See imgtool's documentation, specifically the section: "Incorporating the public key into the code" which can be found here:`
			`* https://github.com/JuulLabs-OSS/mcuboot/blob/master/docs/imgtool.md#incorporating-the-public-key-into-the-code`
			`*/`
			`#if defined(HAVE_KEYS)`
			`const struct bootutil_key bootutil_keys[] = {`
			`{`
			`#if defined(MCUBOOT_SIGN_RSA)`
			`.key = rsa_pub_key,`
			`.len = &rsa_pub_key_len,`
			`#elif defined(MCUBOOT_SIGN_EC256)`
			`.key = ecdsa_pub_key,`
			`.len = &ecdsa_pub_key_len,`
			`#elif defined(MCUBOOT_SIGN_ED25519)`
			`.key = ed25519_pub_key,`
			`.len = &ed25519_pub_key_len,`
			`#endif`
			`},`
			`};`
			`const int bootutil_key_cnt = 1;`

			`#if defined(MCUBOOT_ENCRYPT_RSA)`

			`extern const unsigned char enc_priv_key[];`
			`extern const unsigned int enc_priv_key_len;`

			`const struct bootutil_key bootutil_enc_key = {`
			`.key = enc_priv_key,`
			`.len = &enc_priv_key_len,`
			`};`
			`#elif defined(MCUBOOT_ENCRYPT_KW)`
			`#error "Encrypted images with AES-KW is not implemented yet."`
			`#endif`

			`#endif`