Reapply "boot: Add MCUBOOT_HW_KEY support for image encryption"

This reverts commit c06f7bb.

Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Ic2ab2c4d3981dec3cd3c25a50b5a989000375372

Author: davidvincze

boot/bootutil/include/bootutil/enc_key.h

@@ -32,6 +32,7 @@
 #include <flash_map_backend/flash_map_backend.h>
 #include "bootutil/crypto/aes_ctr.h"
 #include "bootutil/image.h"
+#include "bootutil/sign_key.h"
 #include "bootutil/enc_key_public.h"
 
 #ifdef __cplusplus
@@ -45,7 +46,17 @@ struct enc_key_data {
     bootutil_aes_ctr_context aes_ctr;
 };
 
-extern const struct bootutil_key bootutil_enc_key;
+/**
+ * Retrieve the private key for image encryption.
+ *
+ * @param[out]  private_key  structure to store the private key and
+ *                           its length.
+ *
+ * @return                   0 on success; nonzero on failure.
+ *
+ */
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key);
+
 struct boot_status;
 
 /* Decrypt random, symmetric encryption key */

boot/bootutil/src/encrypted.c

@@ -67,13 +67,13 @@ static int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, si
 
 #if defined(MCUBOOT_ENCRYPT_KW)
 static int
-key_unwrap(const uint8_t *wrapped, uint8_t *enckey)
+key_unwrap(const uint8_t *wrapped, uint8_t *enckey, struct bootutil_key *bootutil_enc_key)
 {
     bootutil_aes_kw_context aes_kw;
     int rc;
 
     bootutil_aes_kw_init(&aes_kw);
-    rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key.key, *bootutil_enc_key.len);
+    rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key->key, *bootutil_enc_key->len);
     if (rc != 0) {
         goto done;
     }
@@ -441,13 +441,23 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     uint8_t counter[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
     uint16_t len;
 #endif
+    struct bootutil_key *bootutil_enc_key = NULL;
     int rc = -1;
 
+    rc = boot_enc_retrieve_private_key(&bootutil_enc_key);
+    if (rc) {
+        return rc;
+    }
+
+    if (bootutil_enc_key == NULL) {
+        return rc;
+    }
+
 #if defined(MCUBOOT_ENCRYPT_RSA)
 
     bootutil_rsa_init(&rsa);
-    cp = (uint8_t *)bootutil_enc_key.key;
-    cpend = cp + *bootutil_enc_key.len;
+    cp = (uint8_t *)bootutil_enc_key->key;
+    cpend = cp + *bootutil_enc_key->len;
 
     /* The enckey is encrypted through RSA so for decryption we need the private key */
     rc = bootutil_rsa_parse_private_key(&rsa, &cp, cpend);
@@ -466,15 +476,15 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
 
 #if defined(MCUBOOT_ENCRYPT_KW)
 
-    assert(*bootutil_enc_key.len == BOOT_ENC_KEY_SIZE);
-    rc = key_unwrap(buf, enckey);
+    assert(*bootutil_enc_key->len == BOOT_ENC_KEY_SIZE);
+    rc = key_unwrap(buf, enckey, bootutil_enc_key);
 
 #endif /* defined(MCUBOOT_ENCRYPT_KW) */
 
 #if defined(MCUBOOT_ENCRYPT_EC256)
 
-    cp = (uint8_t *)bootutil_enc_key.key;
-    cpend = cp + *bootutil_enc_key.len;
+    cp = (uint8_t *)bootutil_enc_key->key;
+    cpend = cp + *bootutil_enc_key->len;
 
     /*
      * Load the stored EC256 decryption private key
@@ -500,8 +510,8 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
 
 #if defined(MCUBOOT_ENCRYPT_X25519)
 
-    cp = (uint8_t *)bootutil_enc_key.key;
-    cpend = cp + *bootutil_enc_key.len;
+    cp = (uint8_t *)bootutil_enc_key->key;
+    cpend = cp + *bootutil_enc_key->len;
 
     /*
      * Load the stored X25519 decryption private key

boot/cypress/MCUBootApp/keys.c

@@ -167,3 +167,12 @@ const struct bootutil_key bootutil_enc_key = {
     .key = enc_priv_key,
     .len = &enc_priv_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+    *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+    return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */

boot/mbed/app_enc_keys.c

@@ -69,3 +69,12 @@ const struct bootutil_key bootutil_enc_key = {
 #endif
 
 #endif
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+    *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+    return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */

boot/zephyr/keys.c

@@ -86,3 +86,12 @@ const struct bootutil_key bootutil_enc_key = {
 #elif defined(MCUBOOT_ENCRYPT_KW)
 #error "Encrypted images with AES-KW is not implemented yet."
 #endif
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+    *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+    return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */

ci/mynewt_keys/enc_kw/src/keys.c

@@ -28,3 +28,12 @@ const struct bootutil_key bootutil_enc_key = {
     .key = enc_key,
     .len = &enc_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+    *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+    return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */

ci/mynewt_keys/enc_rsa/src/keys.c

@@ -126,3 +126,12 @@ const struct bootutil_key bootutil_enc_key = {
     .key = enc_key,
     .len = &enc_key_len,
 };
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+    *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+    return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */

sim/mcuboot-sys/csupport/keys.c

@@ -328,3 +328,12 @@ const struct bootutil_key bootutil_enc_key = {
     .len = &enc_key_len,
 };
 #endif
+
+#if !defined(MCUBOOT_HW_KEY) && defined(MCUBOOT_ENC_IMAGES)
+int boot_enc_retrieve_private_key(struct bootutil_key **private_key)
+{
+    *private_key = (struct bootutil_key *)&bootutil_enc_key;
+
+    return 0;
+}
+#endif /* !MCUBOOT_HW_KEY && MCUBOOT_ENC_IMAGES */