1 /*
2 * SPDX-License-Identifier: Apache-2.0
3 *
4 * Copyright (c) 2018-2019 JUUL Labs
5 * Copyright (c) 2019-2023 Arm Limited
6 */
7
8 #include "mcuboot_config/mcuboot_config.h"
9
10 #if defined(MCUBOOT_ENC_IMAGES)
11 #include <stddef.h>
12 #include <inttypes.h>
13 #include <string.h>
14
15 #if defined(MCUBOOT_ENCRYPT_RSA)
16 #define BOOTUTIL_CRYPTO_RSA_CRYPT_ENABLED
17 #include "bootutil/crypto/rsa.h"
18 #endif
19
20 #if defined(MCUBOOT_ENCRYPT_KW)
21 #include "bootutil/crypto/aes_kw.h"
22 #endif
23
24 #if defined(MCUBOOT_ENCRYPT_EC256)
25 #include "bootutil/crypto/ecdh_p256.h"
26 #endif
27
28 #if defined(MCUBOOT_ENCRYPT_X25519)
29 #include "bootutil/crypto/ecdh_x25519.h"
30 #endif
31
32 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
33 #include "bootutil/crypto/sha.h"
34 #include "bootutil/crypto/hmac_sha256.h"
35 #include "mbedtls/oid.h"
36 #include "mbedtls/asn1.h"
37 #endif
38
39 #include "bootutil/image.h"
40 #include "bootutil/enc_key.h"
41 #include "bootutil/sign_key.h"
42 #include "bootutil/crypto/common.h"
43
44 #include "bootutil_priv.h"
45
46 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
47 #if defined(_compare)
bootutil_constant_time_compare(const uint8_t * a,const uint8_t * b,size_t size)48 static inline int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, size_t size)
49 {
50 return _compare(a, b, size);
51 }
52 #else
bootutil_constant_time_compare(const uint8_t * a,const uint8_t * b,size_t size)53 static int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, size_t size)
54 {
55 const uint8_t *tempa = a;
56 const uint8_t *tempb = b;
57 uint8_t result = 0;
58 unsigned int i;
59
60 for (i = 0; i < size; i++) {
61 result |= tempa[i] ^ tempb[i];
62 }
63 return result;
64 }
65 #endif
66 #endif
67
68 #if defined(MCUBOOT_ENCRYPT_KW)
69 static int
key_unwrap(const uint8_t * wrapped,uint8_t * enckey)70 key_unwrap(const uint8_t *wrapped, uint8_t *enckey)
71 {
72 bootutil_aes_kw_context aes_kw;
73 int rc;
74
75 bootutil_aes_kw_init(&aes_kw);
76 rc = bootutil_aes_kw_set_unwrap_key(&aes_kw, bootutil_enc_key.key, *bootutil_enc_key.len);
77 if (rc != 0) {
78 goto done;
79 }
80 rc = bootutil_aes_kw_unwrap(&aes_kw, wrapped, TLV_ENC_KW_SZ, enckey, BOOT_ENC_KEY_SIZE);
81 if (rc != 0) {
82 goto done;
83 }
84
85 done:
86 bootutil_aes_kw_drop(&aes_kw);
87 return rc;
88 }
89 #endif /* MCUBOOT_ENCRYPT_KW */
90
91 #if defined(MCUBOOT_ENCRYPT_EC256)
92 static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED;
93 static const uint8_t ec_secp256r1_oid[] = MBEDTLS_OID_EC_GRP_SECP256R1;
94
95 #define SHARED_KEY_LEN NUM_ECC_BYTES
96 #define PRIV_KEY_LEN NUM_ECC_BYTES
97
98 /*
99 * Parses the output of `imgtool keygen`, which produces a PKCS#8 elliptic
100 * curve keypair. See RFC5208 and RFC5915.
101 */
102 static int
parse_ec256_enckey(uint8_t ** p,uint8_t * end,uint8_t * private_key)103 parse_ec256_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key)
104 {
105 int rc;
106 size_t len;
107 int version;
108 mbedtls_asn1_buf alg;
109 mbedtls_asn1_buf param;
110
111 if ((rc = mbedtls_asn1_get_tag(p, end, &len,
112 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
113 return -1;
114 }
115
116 if (*p + len != end) {
117 return -2;
118 }
119
120 version = 0;
121 if (mbedtls_asn1_get_int(p, end, &version) || version != 0) {
122 return -3;
123 }
124
125 if ((rc = mbedtls_asn1_get_alg(p, end, &alg, ¶m)) != 0) {
126 return -5;
127 }
128
129 if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 ||
130 memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
131 return -6;
132 }
133 if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 ||
134 memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
135 return -7;
136 }
137
138 if ((rc = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
139 return -8;
140 }
141
142 /* RFC5915 - ECPrivateKey */
143
144 if ((rc = mbedtls_asn1_get_tag(p, end, &len,
145 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
146 return -9;
147 }
148
149 version = 0;
150 if (mbedtls_asn1_get_int(p, end, &version) || version != 1) {
151 return -10;
152 }
153
154 /* privateKey */
155
156 if ((rc = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
157 return -11;
158 }
159
160 if (len != NUM_ECC_BYTES) {
161 return -12;
162 }
163
164 memcpy(private_key, *p, len);
165
166 /* publicKey usually follows but is not parsed here */
167
168 return 0;
169 }
170 #endif /* defined(MCUBOOT_ENCRYPT_EC256) */
171
172 #if defined(MCUBOOT_ENCRYPT_X25519)
173 #define X25519_OID "\x6e"
174 static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG \
175 MBEDTLS_OID_ORG_GOV X25519_OID;
176
177 #define SHARED_KEY_LEN 32
178 #define PRIV_KEY_LEN 32
179
180 static int
parse_x25519_enckey(uint8_t ** p,uint8_t * end,uint8_t * private_key)181 parse_x25519_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key)
182 {
183 size_t len;
184 int version;
185 mbedtls_asn1_buf alg;
186 mbedtls_asn1_buf param;
187
188 if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
189 MBEDTLS_ASN1_SEQUENCE) != 0) {
190 return -1;
191 }
192
193 if (*p + len != end) {
194 return -2;
195 }
196
197 version = 0;
198 if (mbedtls_asn1_get_int(p, end, &version) || version != 0) {
199 return -3;
200 }
201
202 if (mbedtls_asn1_get_alg(p, end, &alg, ¶m) != 0) {
203 return -4;
204 }
205
206 if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 ||
207 memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
208 return -5;
209 }
210
211 if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING) != 0) {
212 return -6;
213 }
214
215 if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING) != 0) {
216 return -7;
217 }
218
219 if (len != PRIV_KEY_LEN) {
220 return -8;
221 }
222
223 memcpy(private_key, *p, PRIV_KEY_LEN);
224 return 0;
225 }
226 #endif /* defined(MCUBOOT_ENCRYPT_X25519) */
227
228 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
229 /*
230 * HKDF as described by RFC5869.
231 *
232 * @param ikm The input data to be derived.
233 * @param ikm_len Length of the input data.
234 * @param info An information tag.
235 * @param info_len Length of the information tag.
236 * @param okm Output of the KDF computation.
237 * @param okm_len On input the requested length; on output the generated length
238 */
239 static int
hkdf(uint8_t * ikm,uint16_t ikm_len,uint8_t * info,uint16_t info_len,uint8_t * okm,uint16_t * okm_len)240 hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len,
241 uint8_t *okm, uint16_t *okm_len)
242 {
243 bootutil_hmac_sha256_context hmac;
244 uint8_t salt[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
245 uint8_t prk[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
246 uint8_t T[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
247 uint16_t off;
248 uint16_t len;
249 uint8_t counter;
250 bool first;
251 int rc;
252
253 /*
254 * Extract
255 */
256
257 if (ikm == NULL || okm == NULL || ikm_len == 0) {
258 return -1;
259 }
260
261 bootutil_hmac_sha256_init(&hmac);
262
263 memset(salt, 0, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
264 rc = bootutil_hmac_sha256_set_key(&hmac, salt, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
265 if (rc != 0) {
266 goto error;
267 }
268
269 rc = bootutil_hmac_sha256_update(&hmac, ikm, ikm_len);
270 if (rc != 0) {
271 goto error;
272 }
273
274 rc = bootutil_hmac_sha256_finish(&hmac, prk, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
275 if (rc != 0) {
276 goto error;
277 }
278
279 /*
280 * Expand
281 */
282
283 len = *okm_len;
284 counter = 1;
285 first = true;
286 for (off = 0; len > 0; off += BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE, ++counter) {
287 bootutil_hmac_sha256_init(&hmac);
288
289 rc = bootutil_hmac_sha256_set_key(&hmac, prk, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
290 if (rc != 0) {
291 goto error;
292 }
293
294 if (first) {
295 first = false;
296 } else {
297 rc = bootutil_hmac_sha256_update(&hmac, T, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
298 if (rc != 0) {
299 goto error;
300 }
301 }
302
303 rc = bootutil_hmac_sha256_update(&hmac, info, info_len);
304 if (rc != 0) {
305 goto error;
306 }
307
308 rc = bootutil_hmac_sha256_update(&hmac, &counter, 1);
309 if (rc != 0) {
310 goto error;
311 }
312
313 rc = bootutil_hmac_sha256_finish(&hmac, T, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
314 if (rc != 0) {
315 goto error;
316 }
317
318 if (len > BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE) {
319 memcpy(&okm[off], T, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
320 len -= BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
321 } else {
322 memcpy(&okm[off], T, len);
323 len = 0;
324 }
325 }
326
327 bootutil_hmac_sha256_drop(&hmac);
328 return 0;
329
330 error:
331 bootutil_hmac_sha256_drop(&hmac);
332 return -1;
333 }
334 #endif
335
336 int
boot_enc_init(struct enc_key_data * enc_state,uint8_t slot)337 boot_enc_init(struct enc_key_data *enc_state, uint8_t slot)
338 {
339 bootutil_aes_ctr_init(&enc_state[slot].aes_ctr);
340 return 0;
341 }
342
343 int
boot_enc_drop(struct enc_key_data * enc_state,uint8_t slot)344 boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot)
345 {
346 bootutil_aes_ctr_drop(&enc_state[slot].aes_ctr);
347 return 0;
348 }
349
350 int
boot_enc_set_key(struct enc_key_data * enc_state,uint8_t slot,const struct boot_status * bs)351 boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot,
352 const struct boot_status *bs)
353 {
354 int rc;
355
356 rc = bootutil_aes_ctr_set_key(&enc_state[slot].aes_ctr, bs->enckey[slot]);
357 if (rc != 0) {
358 boot_enc_drop(enc_state, slot);
359 enc_state[slot].valid = 0;
360 return -1;
361 }
362
363 enc_state[slot].valid = 1;
364
365 return 0;
366 }
367
368 #define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE
369
370 #if defined(MCUBOOT_ENCRYPT_RSA)
371 # define EXPECTED_ENC_TLV IMAGE_TLV_ENC_RSA2048
372 #elif defined(MCUBOOT_ENCRYPT_KW)
373 # define EXPECTED_ENC_TLV IMAGE_TLV_ENC_KW
374 #elif defined(MCUBOOT_ENCRYPT_EC256)
375 # define EXPECTED_ENC_TLV IMAGE_TLV_ENC_EC256
376 # define EC_PUBK_INDEX (0)
377 # define EC_TAG_INDEX (65)
378 # define EC_CIPHERKEY_INDEX (65 + 32)
379 _Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
380 "Please fix ECIES-P256 component indexes");
381 #elif defined(MCUBOOT_ENCRYPT_X25519)
382 # define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519
383 # define EC_PUBK_INDEX (0)
384 # define EC_TAG_INDEX (32)
385 # define EC_CIPHERKEY_INDEX (32 + 32)
386 _Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
387 "Please fix ECIES-X25519 component indexes");
388 #endif
389
390 #if ( (defined(MCUBOOT_ENCRYPT_RSA) && defined(MCUBOOT_USE_MBED_TLS) && !defined(MCUBOOT_USE_PSA_CRYPTO)) || \
391 (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS)) )
392 #if MBEDTLS_VERSION_NUMBER >= 0x03000000
fake_rng(void * p_rng,unsigned char * output,size_t len)393 static int fake_rng(void *p_rng, unsigned char *output, size_t len)
394 {
395 size_t i;
396
397 (void)p_rng;
398 for (i = 0; i < len; i++) {
399 output[i] = (char)i;
400 }
401
402 return 0;
403 }
404 #endif /* MBEDTLS_VERSION_NUMBER */
405 #endif /* (MCUBOOT_ENCRYPT_RSA && MCUBOOT_USE_MBED_TLS && !MCUBOOT_USE_PSA_CRYPTO) ||
406 (MCUBOOT_ENCRYPT_EC256 && MCUBOOT_USE_MBED_TLS) */
407
408 /*
409 * Decrypt an encryption key TLV.
410 *
411 * @param buf An encryption TLV read from flash (build time fixed length)
412 * @param enckey An AES-128 or AES-256 key sized buffer to store to plain key.
413 */
414 int
boot_enc_decrypt(const uint8_t * buf,uint8_t * enckey)415 boot_enc_decrypt(const uint8_t *buf, uint8_t *enckey)
416 {
417 #if defined(MCUBOOT_ENCRYPT_RSA)
418 bootutil_rsa_context rsa;
419 uint8_t *cp;
420 uint8_t *cpend;
421 size_t olen;
422 #endif
423 #if defined(MCUBOOT_ENCRYPT_EC256)
424 bootutil_ecdh_p256_context ecdh_p256;
425 #endif
426 #if defined(MCUBOOT_ENCRYPT_X25519)
427 bootutil_ecdh_x25519_context ecdh_x25519;
428 #endif
429 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
430 bootutil_hmac_sha256_context hmac;
431 bootutil_aes_ctr_context aes_ctr;
432 uint8_t tag[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
433 uint8_t shared[SHARED_KEY_LEN];
434 uint8_t derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
435 uint8_t *cp;
436 uint8_t *cpend;
437 uint8_t private_key[PRIV_KEY_LEN];
438 uint8_t counter[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
439 uint16_t len;
440 #endif
441 int rc = -1;
442
443 #if defined(MCUBOOT_ENCRYPT_RSA)
444
445 bootutil_rsa_init(&rsa);
446 cp = (uint8_t *)bootutil_enc_key.key;
447 cpend = cp + *bootutil_enc_key.len;
448
449 /* The enckey is encrypted through RSA so for decryption we need the private key */
450 rc = bootutil_rsa_parse_private_key(&rsa, &cp, cpend);
451 if (rc) {
452 bootutil_rsa_drop(&rsa);
453 return rc;
454 }
455
456 rc = bootutil_rsa_oaep_decrypt(&rsa, &olen, buf, enckey, BOOT_ENC_KEY_SIZE);
457 bootutil_rsa_drop(&rsa);
458 if (rc) {
459 return rc;
460 }
461
462 #endif /* defined(MCUBOOT_ENCRYPT_RSA) */
463
464 #if defined(MCUBOOT_ENCRYPT_KW)
465
466 assert(*bootutil_enc_key.len == BOOT_ENC_KEY_SIZE);
467 rc = key_unwrap(buf, enckey);
468
469 #endif /* defined(MCUBOOT_ENCRYPT_KW) */
470
471 #if defined(MCUBOOT_ENCRYPT_EC256)
472
473 cp = (uint8_t *)bootutil_enc_key.key;
474 cpend = cp + *bootutil_enc_key.len;
475
476 /*
477 * Load the stored EC256 decryption private key
478 */
479
480 rc = parse_ec256_enckey(&cp, cpend, private_key);
481 if (rc) {
482 return rc;
483 }
484
485 /*
486 * First "element" in the TLV is the curve point (public key)
487 */
488 bootutil_ecdh_p256_init(&ecdh_p256);
489
490 rc = bootutil_ecdh_p256_shared_secret(&ecdh_p256, &buf[EC_PUBK_INDEX], private_key, shared);
491 bootutil_ecdh_p256_drop(&ecdh_p256);
492 if (rc != 0) {
493 return -1;
494 }
495
496 #endif /* defined(MCUBOOT_ENCRYPT_EC256) */
497
498 #if defined(MCUBOOT_ENCRYPT_X25519)
499
500 cp = (uint8_t *)bootutil_enc_key.key;
501 cpend = cp + *bootutil_enc_key.len;
502
503 /*
504 * Load the stored X25519 decryption private key
505 */
506
507 rc = parse_x25519_enckey(&cp, cpend, private_key);
508 if (rc) {
509 return rc;
510 }
511
512 /*
513 * First "element" in the TLV is the curve point (public key)
514 */
515
516 bootutil_ecdh_x25519_init(&ecdh_x25519);
517
518 rc = bootutil_ecdh_x25519_shared_secret(&ecdh_x25519, &buf[EC_PUBK_INDEX], private_key, shared);
519 bootutil_ecdh_x25519_drop(&ecdh_x25519);
520 if (!rc) {
521 return -1;
522 }
523
524 #endif /* defined(MCUBOOT_ENCRYPT_X25519) */
525
526 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
527
528 /*
529 * Expand shared secret to create keys for AES-128-CTR + HMAC-SHA256
530 */
531
532 len = BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
533 rc = hkdf(shared, SHARED_KEY_LEN, (uint8_t *)"MCUBoot_ECIES_v1", 16,
534 derived_key, &len);
535 if (rc != 0 || len != (BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE)) {
536 return -1;
537 }
538
539 /*
540 * HMAC the key and check that our received MAC matches the generated tag
541 */
542
543 bootutil_hmac_sha256_init(&hmac);
544
545 rc = bootutil_hmac_sha256_set_key(&hmac, &derived_key[BOOT_ENC_KEY_SIZE], 32);
546 if (rc != 0) {
547 (void)bootutil_hmac_sha256_drop(&hmac);
548 return -1;
549 }
550
551 rc = bootutil_hmac_sha256_update(&hmac, &buf[EC_CIPHERKEY_INDEX], BOOT_ENC_KEY_SIZE);
552 if (rc != 0) {
553 (void)bootutil_hmac_sha256_drop(&hmac);
554 return -1;
555 }
556
557 /* Assumes the tag buffer is at least sizeof(hmac_tag_size(state)) bytes */
558 rc = bootutil_hmac_sha256_finish(&hmac, tag, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
559 if (rc != 0) {
560 (void)bootutil_hmac_sha256_drop(&hmac);
561 return -1;
562 }
563
564 if (bootutil_constant_time_compare(tag, &buf[EC_TAG_INDEX], 32) != 0) {
565 (void)bootutil_hmac_sha256_drop(&hmac);
566 return -1;
567 }
568
569 bootutil_hmac_sha256_drop(&hmac);
570
571 /*
572 * Finally decrypt the received ciphered key
573 */
574
575 bootutil_aes_ctr_init(&aes_ctr);
576 if (rc != 0) {
577 bootutil_aes_ctr_drop(&aes_ctr);
578 return -1;
579 }
580
581 rc = bootutil_aes_ctr_set_key(&aes_ctr, derived_key);
582 if (rc != 0) {
583 bootutil_aes_ctr_drop(&aes_ctr);
584 return -1;
585 }
586
587 memset(counter, 0, BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE);
588 rc = bootutil_aes_ctr_decrypt(&aes_ctr, counter, &buf[EC_CIPHERKEY_INDEX], BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, 0, enckey);
589 if (rc != 0) {
590 bootutil_aes_ctr_drop(&aes_ctr);
591 return -1;
592 }
593
594 bootutil_aes_ctr_drop(&aes_ctr);
595
596 rc = 0;
597
598 #endif /* defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519) */
599
600 return rc;
601 }
602
603 /*
604 * Load encryption key.
605 */
606 int
boot_enc_load(struct enc_key_data * enc_state,int image_index,const struct image_header * hdr,const struct flash_area * fap,struct boot_status * bs)607 boot_enc_load(struct enc_key_data *enc_state, int image_index,
608 const struct image_header *hdr, const struct flash_area *fap,
609 struct boot_status *bs)
610 {
611 uint32_t off;
612 uint16_t len;
613 struct image_tlv_iter it;
614 #if MCUBOOT_SWAP_SAVE_ENCTLV
615 uint8_t *buf;
616 #else
617 uint8_t buf[EXPECTED_ENC_LEN];
618 #endif
619 uint8_t slot;
620 int rc;
621
622 rc = flash_area_id_to_multi_image_slot(image_index, flash_area_get_id(fap));
623 if (rc < 0) {
624 return rc;
625 }
626 slot = rc;
627
628 /* Already loaded... */
629 if (enc_state[slot].valid) {
630 return 1;
631 }
632
633 /* Initialize the AES context */
634 boot_enc_init(enc_state, slot);
635
636 rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_ENC_TLV, false);
637 if (rc) {
638 return -1;
639 }
640
641 rc = bootutil_tlv_iter_next(&it, &off, &len, NULL);
642 if (rc != 0) {
643 return rc;
644 }
645
646 if (len != EXPECTED_ENC_LEN) {
647 return -1;
648 }
649
650 #if MCUBOOT_SWAP_SAVE_ENCTLV
651 buf = bs->enctlv[slot];
652 memset(buf, 0xff, BOOT_ENC_TLV_ALIGN_SIZE);
653 #endif
654
655 rc = flash_area_read(fap, off, buf, EXPECTED_ENC_LEN);
656 if (rc) {
657 return -1;
658 }
659
660 return boot_enc_decrypt(buf, bs->enckey[slot]);
661 }
662
663 bool
boot_enc_valid(struct enc_key_data * enc_state,int image_index,const struct flash_area * fap)664 boot_enc_valid(struct enc_key_data *enc_state, int image_index,
665 const struct flash_area *fap)
666 {
667 int rc;
668
669 rc = flash_area_id_to_multi_image_slot(image_index, flash_area_get_id(fap));
670 if (rc < 0) {
671 /* can't get proper slot number - skip encryption, */
672 /* postpone the error for a upper layer */
673 return false;
674 }
675
676 return enc_state[rc].valid;
677 }
678
679 void
boot_encrypt(struct enc_key_data * enc_state,int image_index,const struct flash_area * fap,uint32_t off,uint32_t sz,uint32_t blk_off,uint8_t * buf)680 boot_encrypt(struct enc_key_data *enc_state, int image_index,
681 const struct flash_area *fap, uint32_t off, uint32_t sz,
682 uint32_t blk_off, uint8_t *buf)
683 {
684 struct enc_key_data *enc;
685 uint8_t nonce[16];
686 int rc;
687
688 /* boot_copy_region will call boot_encrypt with sz = 0 when skipping over
689 the TLVs. */
690 if (sz == 0) {
691 return;
692 }
693
694 memset(nonce, 0, 12);
695 off >>= 4;
696 nonce[12] = (uint8_t)(off >> 24);
697 nonce[13] = (uint8_t)(off >> 16);
698 nonce[14] = (uint8_t)(off >> 8);
699 nonce[15] = (uint8_t)off;
700
701 rc = flash_area_id_to_multi_image_slot(image_index, flash_area_get_id(fap));
702 if (rc < 0) {
703 assert(0);
704 return;
705 }
706
707 enc = &enc_state[rc];
708 assert(enc->valid == 1);
709 bootutil_aes_ctr_encrypt(&enc->aes_ctr, nonce, buf, sz, blk_off, buf);
710 }
711
712 /**
713 * Clears encrypted state after use.
714 */
715 void
boot_enc_zeroize(struct enc_key_data * enc_state)716 boot_enc_zeroize(struct enc_key_data *enc_state)
717 {
718 uint8_t slot;
719 for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) {
720 (void)boot_enc_drop(enc_state, slot);
721 }
722 memset(enc_state, 0, sizeof(struct enc_key_data) * BOOT_NUM_SLOTS);
723 }
724
725 #endif /* MCUBOOT_ENC_IMAGES */
726
