kconfig: Add option for encryption of binaries

Introduce the new Kconfig option MCUBOOT_ENCRYPTION_KEY_FILE. If the
string is not empty, CMake will try to encrypt the final binaries using
the given key file.

Signed-off-by: Helge Juul <helge@fastmail.com>
Helge Juul 2021-08-10 10:59:00 +02:00 committed by Christopher Friedt
commit 8749cd4d76
2 changed files with 63 additions and 24 deletions


@ -535,16 +535,43 @@ config MCUBOOT_SIGNATURE_KEY_FILE
The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
and CONFIG_BUILD_OUTPUT_HEX. and CONFIG_BUILD_OUTPUT_HEX.
This option should contain an absolute path to the same file This option should contain a path to the same file as the
as the BOOT_SIGNATURE_KEY_FILE option in your MCUboot BOOT_SIGNATURE_KEY_FILE option in your MCUboot .config. The path
.config. (The MCUboot config option is used for the MCUboot may be absolute or relative to the west workspace topdir. (The MCUboot
bootloader image; this option is for your application which config option is used for the MCUboot bootloader image; this option is
is to be loaded by MCUboot. The MCUboot config option can be for your application which is to be loaded by MCUboot. The MCUboot
a relative path from the MCUboot repository root; this option's config option can be a relative path from the MCUboot repository
behavior is undefined for relative paths.) root.)
If left empty, you must sign the Zephyr binaries manually. If left empty, you must sign the Zephyr binaries manually.
config MCUBOOT_ENCRYPTION_KEY_FILE
string "Path to the mcuboot encryption key file"
default ""
depends on MCUBOOT_SIGNATURE_KEY_FILE != ""
help
The file contains the public key that is used to encrypt the
ephemeral key that encrypts the image. The corresponding
private key is hard coded in the MCUboot source code and is
used to decrypt the ephemeral key that is embedded in the
image. The file is in PEM format.
If set to a non-empty value, the build system tries to
sign and encrypt the final binaries using a 'west sign -t imgtool'
command. The binaries are placed in the build directory at
zephyr/zephyr.signed.encrypted.bin and
zephyr/zephyr.signed.encrypted.hex.
The file names can be customized with CONFIG_KERNEL_BIN_NAME.
The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
and CONFIG_BUILD_OUTPUT_HEX.
This option should either be an absolute path or a path relative to
the west workspace topdir.
Example: './bootloader/mcuboot/enc-rsa2048-pub.pem'
If left empty, you must encrypt the Zephyr binaries manually.
config MCUBOOT_EXTRA_IMGTOOL_ARGS config MCUBOOT_EXTRA_IMGTOOL_ARGS
string "Extra arguments to pass to imgtool" string "Extra arguments to pass to imgtool"
default "" default ""
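Review bot: The help text for MCUBOOT_ENCRYPTION_KEY_FILE should warn that the key it points at must be one whose private half exists only in the user's own MCUboot build, since confidentiality of the image depends entirely on that. The text itself says the private key is hard coded in the MCUboot source, and the example path `./bootloader/mcuboot/enc-rsa2048-pub.pem` is presumably the sample development key shipped in the public MCUboot repository, so an image encrypted to it is readable by anyone with that repository. I would add after the example line: `Note: the sample key shipped with MCUboot is a publicly known development key and gives no confidentiality. For production, generate your own key pair (e.g. with imgtool keygen) and build MCUboot with the matching private key.` Adjust the wording if the example key's provenance is different from what the path suggests.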


@ -18,6 +18,7 @@ endfunction()
function(zephyr_mcuboot_tasks) function(zephyr_mcuboot_tasks)
set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}") set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}")
set(keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}")
# Check for misconfiguration. # Check for misconfiguration.
if("${keyfile}" STREQUAL "") if("${keyfile}" STREQUAL "")
@ -31,24 +32,20 @@ function(zephyr_mcuboot_tasks)
message(FATAL_ERROR "Can't sign images for MCUboot: west not found. To fix, install west and ensure it's on PATH.") message(FATAL_ERROR "Can't sign images for MCUboot: west not found. To fix, install west and ensure it's on PATH.")
endif() endif()
if(NOT IS_ABSOLUTE "${keyfile}") foreach(file keyfile keyfile_enc)
# Relative paths are relative to 'west topdir'. if(NOT "${${file}}" STREQUAL "")
set(keyfile "${WEST_TOPDIR}/${keyfile}") if(NOT IS_ABSOLUTE "${${file}}")
set(keyfile_relative TRUE) # Relative paths are relative to 'west topdir'.
else() set(${file} "${WEST_TOPDIR}/${${file}}")
set(keyfile_relative FALSE) endif()
endif()
if(NOT EXISTS "${keyfile}") if(NOT EXISTS "${${file}}")
if(keyfile_relative) message(FATAL_ERROR "west sign can't find file ${${file}} (Note: Relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\")")
set(relative_msg " Note: relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\".") elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
else() message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
set(relative_msg "") endif()
endif() endif()
message(FATAL_ERROR "Can't sign images for MCUboot: CONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}\" not found.${relative_msg}") endforeach()
elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
endif()
# Find imgtool. Even though west is installed, imgtool might not be. # Find imgtool. Even though west is installed, imgtool might not be.
# The user may also have a custom manifest which doesn't include # The user may also have a custom manifest which doesn't include
@ -95,9 +92,10 @@ function(zephyr_mcuboot_tasks)
# List of additional build byproducts. # List of additional build byproducts.
set(byproducts) set(byproducts)
# 'west sign' arguments for confirmed and unconfirmed images. # 'west sign' arguments for confirmed, unconfirmed and encrypted images.
set(unconfirmed_args) set(unconfirmed_args)
set(confirmed_args) set(confirmed_args)
set(encrypted_args)
# Set up .bin outputs. # Set up .bin outputs.
if(CONFIG_BUILD_OUTPUT_BIN) if(CONFIG_BUILD_OUTPUT_BIN)
@ -109,6 +107,11 @@ function(zephyr_mcuboot_tasks)
list(APPEND confirmed_args --bin --sbin ${output}.signed.confirmed.bin) list(APPEND confirmed_args --bin --sbin ${output}.signed.confirmed.bin)
list(APPEND byproducts ${output}.signed.confirmed.bin) list(APPEND byproducts ${output}.signed.confirmed.bin)
endif() endif()
if(NOT "${keyfile_enc}" STREQUAL "")
list(APPEND encrypted_args --bin --sbin ${output}.signed.encrypted.bin)
list(APPEND byproducts ${output}.signed.encrypted.bin)
endif()
endif() endif()
# Set up .hex outputs. # Set up .hex outputs.
@ -121,6 +124,11 @@ function(zephyr_mcuboot_tasks)
list(APPEND confirmed_args --hex --shex ${output}.signed.confirmed.hex) list(APPEND confirmed_args --hex --shex ${output}.signed.confirmed.hex)
list(APPEND byproducts ${output}.signed.confirmed.hex) list(APPEND byproducts ${output}.signed.confirmed.hex)
endif() endif()
if(NOT "${keyfile_enc}" STREQUAL "")
list(APPEND encrypted_args --hex --shex ${output}.signed.encrypted.hex)
list(APPEND byproducts ${output}.signed.encrypted.hex)
endif()
endif() endif()
# Add the west sign calls and their byproducts to the post-processing # Add the west sign calls and their byproducts to the post-processing
@ -136,6 +144,10 @@ function(zephyr_mcuboot_tasks)
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
${west_sign} ${confirmed_args} ${imgtool_args} --pad --confirm) ${west_sign} ${confirmed_args} ${imgtool_args} --pad --confirm)
endif() endif()
if(encrypted_args)
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
${west_sign} ${encrypted_args} ${imgtool_args} --encrypt "${keyfile_enc}")
endif()
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts}) set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts})
endfunction() endfunction()
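Review bot: The CONFIG_BUILD_OUTPUT_BIN/HEX check in the new `foreach(file keyfile keyfile_enc)` loop has nothing to do with either key file, yet it now sits in the `elseif` of the per-file existence test, so it is evaluated once per non-empty key file and skipped entirely for an empty one; it should be hoisted back out of the loop as a single check after it. The missing-file message also lost the Kconfig option name the old message carried (`CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="..." not found`), and `${${file}}` prints the already-rewritten absolute path, so a user who set a relative path sees a value they never typed. A small map from the loop variable to its option name restores that, as sketched below. The rest of zephyr_mcuboot_tasks, including where `imgtool_args` is built, lies outside these hunks, so I have not checked how `--encrypt` interacts with the other arguments.

```cmake
  set(keyfile_opt MCUBOOT_SIGNATURE_KEY_FILE)
  set(keyfile_enc_opt MCUBOOT_ENCRYPTION_KEY_FILE)
  foreach(file keyfile keyfile_enc)
    if(NOT "${${file}}" STREQUAL "")
      if(NOT IS_ABSOLUTE "${${file}}")
        # Relative paths are relative to 'west topdir'.
        set(${file} "${WEST_TOPDIR}/${${file}}")
      endif()
      if(NOT EXISTS "${${file}}")
        message(FATAL_ERROR "Can't sign images for MCUboot: CONFIG_${${file}_opt}=\"${CONFIG_${${file}_opt}}\" not found. Note: relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\".")
      endif()
    endif()
  endforeach()
  if(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
    message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
  endif()
  # … unchanged: imgtool lookup and output setup …
```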