kconfig: Add option for encryption of binaries

Introduce new Kconfig option MCUBOOT_ENCRYPTION_KEY_FILE. If the string is not empty Cmake will try to encrypt the final binaries using the given key file. Signed-off-by: Helge Juul <helge@fastmail.com>
2021-08-10 10:59:00 +02:00 · 2021-08-10 10:59:00 +02:00 · 8749cd4d76
commit 8749cd4d76
parent 936f3523d3
2 changed files with 63 additions and 24 deletions
--- a/Kconfig.zephyr
+++ b/Kconfig.zephyr
@ -535,16 +535,43 @@ config MCUBOOT_SIGNATURE_KEY_FILE
 	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
 	  and CONFIG_BUILD_OUTPUT_HEX.

-	  This option should contain an absolute path to the same file
-	  as the BOOT_SIGNATURE_KEY_FILE option in your MCUboot
-	  .config. (The MCUboot config option is used for the MCUboot
-	  bootloader image; this option is for your application which
-	  is to be loaded by MCUboot. The MCUboot config option can be
-	  a relative path from the MCUboot repository root; this option's
-	  behavior is undefined for relative paths.)
+	  This option should contain a path to the same file as the
+	  BOOT_SIGNATURE_KEY_FILE option in your MCUboot .config. The path
+	  may be absolute or relative to the west workspace topdir. (The MCUboot
+	  config option is used for the MCUboot bootloader image; this option is
+	  for your application which is to be loaded by MCUboot. The MCUboot
+	  config option can be a relative path from the MCUboot repository
+	  root.)

 	  If left empty, you must sign the Zephyr binaries manually.

+config MCUBOOT_ENCRYPTION_KEY_FILE
+	string "Path to the mcuboot encryption key file"
+	default ""
+	depends on MCUBOOT_SIGNATURE_KEY_FILE != ""
+	help
+	  The file contains the public key that is used to encrypt the
+	  ephemeral key that encrypts the image. The corresponding
+	  private key is hard coded in the MCUboot source code and is
+	  used to decrypt the ephemeral key that is embedded in the
+	  image. The file is in PEM format.
+
+	  If set to a non-empty value, the build system tries to
+	  sign and encrypt the final binaries using a 'west sign -t imgtool'
+	  command. The binaries are placed in the build directory at
+	  zephyr/zephyr.signed.encrypted.bin and
+	  zephyr/zephyr.signed.encrypted.hex.
+
+	  The file names can be customized with CONFIG_KERNEL_BIN_NAME.
+	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
+	  and CONFIG_BUILD_OUTPUT_HEX.
+
+	  This option should either be an absolute path or a path relative to
+	  the west workspace topdir.
+	  Example: './bootloader/mcuboot/enc-rsa2048-pub.pem'
+
+	  If left empty, you must encrypt the Zephyr binaries manually.
+
 config MCUBOOT_EXTRA_IMGTOOL_ARGS
 	string "Extra arguments to pass to imgtool"
 	default ""
--- a/cmake/mcuboot.cmake
+++ b/cmake/mcuboot.cmake
@ -18,6 +18,7 @@ endfunction()

 function(zephyr_mcuboot_tasks)
  set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}")
+  set(keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}")

  # Check for misconfiguration.
  if("${keyfile}" STREQUAL "")
@ -31,24 +32,20 @@ function(zephyr_mcuboot_tasks)
    message(FATAL_ERROR "Can't sign images for MCUboot: west not found. To fix, install west and ensure it's on PATH.")
  endif()

-  if(NOT IS_ABSOLUTE "${keyfile}")
-    # Relative paths are relative to 'west topdir'.
-    set(keyfile "${WEST_TOPDIR}/${keyfile}")
-    set(keyfile_relative TRUE)
-  else()
-    set(keyfile_relative FALSE)
-  endif()
+  foreach(file keyfile keyfile_enc)
+    if(NOT "${${file}}" STREQUAL "")
+      if(NOT IS_ABSOLUTE "${${file}}")
+        # Relative paths are relative to 'west topdir'.
+        set(${file} "${WEST_TOPDIR}/${${file}}")
+      endif()

-  if(NOT EXISTS "${keyfile}")
-    if(keyfile_relative)
-      set(relative_msg " Note: relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\".")
-    else()
-      set(relative_msg "")
+      if(NOT EXISTS "${${file}}")
+        message(FATAL_ERROR "west sign can't find file ${${file}} (Note: Relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\")")
+      elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
+        message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
+      endif()
    endif()
-    message(FATAL_ERROR "Can't sign images for MCUboot: CONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}\" not found.${relative_msg}")
-  elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
-    message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
-  endif()
+  endforeach()

  # Find imgtool. Even though west is installed, imgtool might not be.
  # The user may also have a custom manifest which doesn't include
@ -95,9 +92,10 @@ function(zephyr_mcuboot_tasks)
  # List of additional build byproducts.
  set(byproducts)

-  # 'west sign' arguments for confirmed and unconfirmed images.
+  # 'west sign' arguments for confirmed, unconfirmed and encrypted images.
  set(unconfirmed_args)
  set(confirmed_args)
+  set(encrypted_args)

  # Set up .bin outputs.
  if(CONFIG_BUILD_OUTPUT_BIN)
@ -109,6 +107,11 @@ function(zephyr_mcuboot_tasks)
      list(APPEND confirmed_args --bin --sbin ${output}.signed.confirmed.bin)
      list(APPEND byproducts ${output}.signed.confirmed.bin)
    endif()
+
+    if(NOT "${keyfile_enc}" STREQUAL "")
+      list(APPEND encrypted_args --bin --sbin ${output}.signed.encrypted.bin)
+      list(APPEND byproducts ${output}.signed.encrypted.bin)
+    endif()
  endif()

  # Set up .hex outputs.
@ -121,6 +124,11 @@ function(zephyr_mcuboot_tasks)
      list(APPEND confirmed_args --hex --shex ${output}.signed.confirmed.hex)
      list(APPEND byproducts ${output}.signed.confirmed.hex)
    endif()
+
+    if(NOT "${keyfile_enc}" STREQUAL "")
+      list(APPEND encrypted_args --hex --shex ${output}.signed.encrypted.hex)
+      list(APPEND byproducts ${output}.signed.encrypted.hex)
+    endif()
  endif()

  # Add the west sign calls and their byproducts to the post-processing
@ -136,6 +144,10 @@ function(zephyr_mcuboot_tasks)
    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
      ${west_sign} ${confirmed_args} ${imgtool_args} --pad --confirm)
  endif()
+  if(encrypted_args)
+    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
+      ${west_sign} ${encrypted_args} ${imgtool_args} --encrypt "${keyfile_enc}")
+  endif()
  set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts})
 endfunction()