From 8749cd4d768127359c1ead4a940ab85a9f13e8b3 Mon Sep 17 00:00:00 2001 From: Helge Juul Date: Tue, 10 Aug 2021 10:59:00 +0200 Subject: [PATCH] kconfig: Add option for encryption of binaries Introduce new Kconfig option MCUBOOT_ENCRYPTION_KEY_FILE. If the string is not empty Cmake will try to encrypt the final binaries using the given key file. Signed-off-by: Helge Juul --- Kconfig.zephyr | 41 +++++++++++++++++++++++++++++++++------- cmake/mcuboot.cmake | 46 ++++++++++++++++++++++++++++----------------- 2 files changed, 63 insertions(+), 24 deletions(-) diff --git a/Kconfig.zephyr b/Kconfig.zephyr index 308274bddcf..dc5843b74b0 100644 --- a/Kconfig.zephyr +++ b/Kconfig.zephyr 
@@ -535,16 +535,43 @@ config MCUBOOT_SIGNATURE_KEY_FILE The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN and CONFIG_BUILD_OUTPUT_HEX. - This option should contain an absolute path to the same file - as the BOOT_SIGNATURE_KEY_FILE option in your MCUboot - .config. (The MCUboot config option is used for the MCUboot - bootloader image; this option is for your application which - is to be loaded by MCUboot. The MCUboot config option can be - a relative path from the MCUboot repository root; this option's - behavior is undefined for relative paths.) + This option should contain a path to the same file as the + BOOT_SIGNATURE_KEY_FILE option in your MCUboot .config. The path + may be absolute or relative to the west workspace topdir. (The MCUboot + config option is used for the MCUboot bootloader image; this option is + for your application which is to be loaded by MCUboot. The MCUboot + config option can be a relative path from the MCUboot repository + root.) If left empty, you must sign the Zephyr binaries manually. +config MCUBOOT_ENCRYPTION_KEY_FILE + string "Path to the mcuboot encryption key file" + default "" + depends on MCUBOOT_SIGNATURE_KEY_FILE != "" + help + The file contains the public key that is used to encrypt the + ephemeral key that encrypts the image. The corresponding + private key is hard coded in the MCUboot source code and is + used to decrypt the ephemeral key that is embedded in the + image. The file is in PEM format. + + If set to a non-empty value, the build system tries to + sign and encrypt the final binaries using a 'west sign -t imgtool' + command. The binaries are placed in the build directory at + zephyr/zephyr.signed.encrypted.bin and + zephyr/zephyr.signed.encrypted.hex. + + The file names can be customized with CONFIG_KERNEL_BIN_NAME. + The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN + and CONFIG_BUILD_OUTPUT_HEX. 
+ + This option should either be an absolute path or a path relative to + the west workspace topdir. + Example: './bootloader/mcuboot/enc-rsa2048-pub.pem' + + If left empty, you must encrypt the Zephyr binaries manually. + config MCUBOOT_EXTRA_IMGTOOL_ARGS string "Extra arguments to pass to imgtool" default "" diff --git a/cmake/mcuboot.cmake b/cmake/mcuboot.cmake index 70df5e5904b..29b8e02de97 100644 --- a/cmake/mcuboot.cmake +++ b/cmake/mcuboot.cmake @@ -18,6 +18,7 @@ endfunction() function(zephyr_mcuboot_tasks) set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}") + set(keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}") # Check for misconfiguration. if("${keyfile}" STREQUAL "") 
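Review bot: The help for MCUBOOT_ENCRYPTION_KEY_FILE says the build "tries to sign and encrypt the final binaries", but the cmake/mcuboot.cmake hunks in this same patch keep producing the plain zephyr.signed.bin/.hex images next to the .signed.encrypted ones, so a reader could wrongly assume the build directory no longer contains plaintext firmware; add a sentence such as `The plain signed images are still generated alongside the encrypted ones.` The example path points at a key that lives inside the MCUboot tree, and the same help text states that the matching private key is hard-coded in the MCUboot source, so the text should say that this only suits development, e.g. `The example is MCUboot's sample key; generate a project-specific key pair for production images.` Both points are documentation only and fit in the existing help block.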
@@ -31,24 +32,20 @@ function(zephyr_mcuboot_tasks) message(FATAL_ERROR "Can't sign images for MCUboot: west not found. To fix, install west and ensure it's on PATH.") endif() - if(NOT IS_ABSOLUTE "${keyfile}") - # Relative paths are relative to 'west topdir'. - set(keyfile "${WEST_TOPDIR}/${keyfile}") - set(keyfile_relative TRUE) - else() - set(keyfile_relative FALSE) - endif() + foreach(file keyfile keyfile_enc) + if(NOT "${${file}}" STREQUAL "") + if(NOT IS_ABSOLUTE "${${file}}") + # Relative paths are relative to 'west topdir'. + set(${file} "${WEST_TOPDIR}/${${file}}") + endif() - if(NOT EXISTS "${keyfile}") - if(keyfile_relative) - set(relative_msg " Note: relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\".") - else() - set(relative_msg "") + if(NOT EXISTS "${${file}}") + message(FATAL_ERROR "west sign can't find file ${${file}} (Note: Relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\")") + elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX)) + message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.") + endif() endif() - message(FATAL_ERROR "Can't sign images for MCUboot: CONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}\" not found.${relative_msg}") - elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX)) - message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.") - endif() + endforeach() # Find imgtool. Even though west is installed, imgtool might not be. # The user may also have a custom manifest which doesn't include 
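Review bot: The new FATAL_ERROR inside the foreach names neither the Kconfig option that is wrong nor which of the two key files failed, and it prints the relative-path note even when the path was absolute; the removed message reported `CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="..." not found` and appended the note only when the path had actually been resolved against WEST_TOPDIR. The CONFIG_BUILD_OUTPUT_BIN/HEX check has also moved into the per-file loop as an elseif of the existence test, so it is re-evaluated for every non-empty key file and reads as if it depended on that file, although it is independent of the loop. A rewrite that keeps the loop, restores the conditional note and moves the output check after the loop follows; `${file}` still prints the variable name rather than the CONFIG_ option name, so mapping it to the option name would be better still. zephyr_mcuboot_tasks begins before this hunk and continues after it.
```cmake
  foreach(file keyfile keyfile_enc)
    if("${${file}}" STREQUAL "")
      continue()
    endif()
    if(IS_ABSOLUTE "${${file}}")
      set(relative_msg "")
    else()
      # Relative paths are relative to 'west topdir'.
      set(${file} "${WEST_TOPDIR}/${${file}}")
      set(relative_msg " Note: relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\".")
    endif()
    if(NOT EXISTS "${${file}}")
      message(FATAL_ERROR "Can't sign images for MCUboot: ${file} \"${${file}}\" not found.${relative_msg}")
    endif()
  endforeach()

  # Not file-specific, so it stays outside the loop.
  if(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
    message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
  endif()
  # … unchanged: imgtool lookup …
```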
@@ -95,9 +92,10 @@ function(zephyr_mcuboot_tasks) # List of additional build byproducts. set(byproducts) - # 'west sign' arguments for confirmed and unconfirmed images. + # 'west sign' arguments for confirmed, unconfirmed and encrypted images. set(unconfirmed_args) set(confirmed_args) + set(encrypted_args) # Set up .bin outputs. if(CONFIG_BUILD_OUTPUT_BIN) @@ -109,6 +107,11 @@ function(zephyr_mcuboot_tasks) list(APPEND confirmed_args --bin --sbin ${output}.signed.confirmed.bin) list(APPEND byproducts ${output}.signed.confirmed.bin) endif() + + if(NOT "${keyfile_enc}" STREQUAL "") + list(APPEND encrypted_args --bin --sbin ${output}.signed.encrypted.bin) + list(APPEND byproducts ${output}.signed.encrypted.bin) + endif() endif() # Set up .hex outputs. @@ -121,6 +124,11 @@ function(zephyr_mcuboot_tasks) list(APPEND confirmed_args --hex --shex ${output}.signed.confirmed.hex) list(APPEND byproducts ${output}.signed.confirmed.hex) endif() + + if(NOT "${keyfile_enc}" STREQUAL "") + list(APPEND encrypted_args --hex --shex ${output}.signed.encrypted.hex) + list(APPEND byproducts ${output}.signed.encrypted.hex) + endif() endif() # Add the west sign calls and their byproducts to the post-processing @@ -136,6 +144,10 @@ function(zephyr_mcuboot_tasks) set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND ${west_sign} ${confirmed_args} ${imgtool_args} --pad --confirm) endif() + if(encrypted_args) + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND + ${west_sign} ${encrypted_args} ${imgtool_args} --encrypt "${keyfile_enc}") + endif() set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts}) endfunction()
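Review bot: Nothing in the `@@ -136` hunk records that the encrypt command is an addition rather than a replacement: the unconfirmed and confirmed `west sign` invocations still run, so `${output}.signed.bin`/`.hex` remain as plaintext byproducts next to `${output}.signed.encrypted.*`; a comment before the new `if(encrypted_args)` such as `# Encrypted images are produced in addition to, not instead of, the plain signed images.` would make that explicit for whoever packages the build output. The encrypted variant also has no `--pad --confirm` counterpart, unlike the signed ones; if that asymmetry is intended it deserves a word in the same comment. The `@@ -109` and `@@ -121` hunks each repeat `if(NOT "${keyfile_enc}" STREQUAL "")`, a condition the earlier foreach already evaluated, and `@@ -136` tests `encrypted_args` for the same purpose, so the decision is effectively made three times; testing `keyfile_enc` once into a helper variable would be tidier. zephyr_mcuboot_tasks starts before these hunks; its `endfunction()` is visible at the end of the last one.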