Cypress: add encryption with mbedTLS

Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>

Author: Bohdan Kovalchuk

boot/cypress/BlinkyApp/BlinkyApp.mk

@@ -95,6 +95,9 @@ OUT_CFG := $(OUT_TARGET)/$(BUILDCFG)
 
 # Set build directory for BOOT and UPGRADE images
 ifeq ($(IMG_TYPE), UPGRADE)
+	ifeq ($(ENC_IMG), 1)
+		SIGN_ARGS += --encrypt ../../$(ENC_KEY_FILE).pem
+	endif
 	SIGN_ARGS += --pad
 	UPGRADE_SUFFIX :=_upgrade
 	OUT_CFG := $(OUT_CFG)/upgrade

boot/cypress/BlinkyApp/Readme.md

@@ -83,7 +83,7 @@ To get appropriate artifact for second image PRIMARY slot run this command:
 
 To prepare MCUBootApp for work with external memory please refer to `MCUBootApp/ExternalMemory.md`.
 
-For build BlinkyApp upgarde image for external memory use command:
+For build BlinkyApp upgrade image for external memory use command:
 
     make app APP_NAME=BlinkyApp PLATFORM=PSOC_062_2M IMG_TYPE=UPGRADE HEADER_OFFSET=0x7FE8000 ERASED_VALUE=0xff
 
@@ -97,6 +97,16 @@ In case of using muti-image configuration, upgrade image for second application
 
     Note: for S25FL512S block address shuld be mutiple by 0x40000
 
+**How to build encrypted upgrade image :**
+
+To prepare MCUBootApp for work with encrypted upgrade image please refer to `MCUBootApp/Readme.md`.
+
+To obtain encrypted upgrade image of BlinkyApp extra flag `ENC_IMG=1` should be passed in command line, for example:
+
+    make app APP_NAME=BlinkyApp PLATFORM=PSOC_062_2M IMG_TYPE=UPGRADE HEADER_OFFSET=0x20000 ENC_IMG=1
+
+This also suggests user already placed corresponing `*.pem` key in `\keys` folder. The key variables are defined in root `Makefile` as `SIGN_KEY_FILE` and `ENC_KEY_FILE`
+
 ### Post-Build
 
 Post build action is executed at compile time for `BlinkyApp`. In case of build for `PSOC_062_2M` platform it calls `imgtool` from `MCUBoot` scripts and adds signature to compiled image.

boot/cypress/MCUBootApp/MCUBootApp.mk

@@ -30,6 +30,7 @@ COMPILER ?= GCC_ARM
 USE_CRYPTO_HW ?= 1
 USE_EXTERNAL_FLASH ?= 0
 MCUBOOT_IMAGE_NUMBER ?= 1
+ENC_IMG ?= 0
 
 ifneq ($(COMPILER), GCC_ARM)
 $(error Only GCC ARM is supported at this moment)
@@ -53,12 +54,17 @@ ifeq ($(USE_EXTERNAL_FLASH), 1)
 DEFINES_APP += -DCY_BOOT_USE_EXTERNAL_FLASH
 endif
 DEFINES_APP += -DMCUBOOT_MAX_IMG_SECTORS=$(MAX_IMG_SECTORS)
-
+# Hardrware acceleration support
 ifeq ($(USE_CRYPTO_HW), 1)
 DEFINES_APP += -DMBEDTLS_USER_CONFIG_FILE="\"mcuboot_crypto_acc_config.h\""
 DEFINES_APP += -DCY_CRYPTO_HAL_DISABLE
 DEFINES_APP += -DCY_MBEDTLS_HW_ACCELERATION
 endif
+# Encrypted image support
+ifeq ($(ENC_IMG), 1)
+DEFINES_APP += -DENC_IMG=1
+endif
+
 # Collect MCUBoot sourses
 SOURCES_MCUBOOT := $(wildcard $(CURDIR)/../bootutil/src/*.c)
 # Collect MCUBoot Application sources

boot/cypress/MCUBootApp/README.md

@@ -148,6 +148,15 @@ This folder contains make files infrastructure for building MCUBoot Bootloader.
 
 Root directory for build is **boot/cypress.**
 
+**Encrypted Image Support**
+
+To protect user image from unwanted read Upgrade Image Encryption can be applied. The ECDH/HKDF with EC256 scheme is used in a given solution as well as mbedTLS as a crypto provider.
+
+To enable image encryption support `MCUBOOT_ENC_IMAGES` and `MCUBOOT_ENCRYPT_EC256` have to be defined (can be done by uncommenting in `mcuboot_config.h`).
+User is also responsible on providing corresponding binary key data in `enc_priv_key[]` (file `\MCUBootApp\keys.c`). The public part will be used by imgtool when signing and encrypting upgrade image. Signing image with encryption is described in `\BlinkyApp\readme.md`.
+
+After MCUBootApp is built with these settings unencrypted and encrypted images will be accepted in secondary (upgrade) slot.
+
 **Programming solution**
 
 There are couple ways of programming hex of MCUBootApp and BlinkyApp. Following instructions assume one of Cypress development kits, for example `CY8CPROTO_062_4343W`.

boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h

@@ -144,4 +144,11 @@
         /* TODO: to be implemented */   \
     } while (0)
 
+/* Uncomment these if support of encrypted upgrade image is needed */
+#ifdef ENC_IMG
+#define MCUBOOT_ENC_IMAGES
+#define MCUBOOT_ENCRYPT_EC256
+#define NUM_ECC_BYTES (256 / 8)
+#endif /* ENC_IMG */
+
 #endif /* MCUBOOT_CONFIG_H */

boot/cypress/MCUBootApp/config/mcuboot_crypto_acc_config.h

@@ -35,7 +35,9 @@
 // #define MBEDTLS_CIPHER_MODE_CBC
 // #define MBEDTLS_CIPHER_MODE_CFB
 // #define MBEDTLS_CIPHER_MODE_OFB
-// #define MBEDTLS_CIPHER_MODE_CTR
+#ifdef MCUBOOT_ENC_IMAGES
+#define MBEDTLS_CIPHER_MODE_CTR
+#endif
 // #define MBEDTLS_CIPHER_MODE_XTS
 
 /* Only NIST-P curves are currently supported */

boot/cypress/MCUBootApp/config/mcuboot_crypto_config.h

@@ -3598,4 +3598,9 @@
 
 #include "mbedtls/check_config.h"
 
+#ifdef MCUBOOT_ENC_IMAGES
+#define MBEDTLS_SHA256_DIGEST_SIZE (32)
+#define MBEDTLS_AES_KEY_SIZE 16
+#endif
+
 #endif /* MBEDTLS_CONFIG_H */

boot/cypress/MCUBootApp/keys.c

@@ -174,3 +174,23 @@ struct bootutil_key bootutil_keys[1] = {
 };
 const int bootutil_key_cnt = 1;
 #endif /* !MCUBOOT_HW_KEY */
+
+unsigned char enc_priv_key[] = {
+  0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+  0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+  0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
+  0xf6, 0x1e, 0x51, 0x9d, 0xf8, 0xfa, 0xdd, 0xa1, 0xb7, 0xd9, 0xa9, 0x64,
+  0x64, 0x3b, 0x54, 0xd0, 0x3d, 0xd0, 0x1f, 0xe5, 0x78, 0xd9, 0x17, 0x98,
+  0xa5, 0x28, 0xca, 0xcc, 0x6b, 0x67, 0x9e, 0x06, 0xa1, 0x44, 0x03, 0x42,
+  0x00, 0x04, 0x8a, 0x44, 0x73, 0x00, 0x94, 0xc9, 0x80, 0x27, 0x31, 0x0d,
+  0x23, 0x36, 0x6b, 0xe9, 0x69, 0x9f, 0xcb, 0xc5, 0x7c, 0xc8, 0x44, 0x1a,
+  0x93, 0xe6, 0xee, 0x7d, 0x86, 0xa6, 0xae, 0x5e, 0x93, 0x72, 0x74, 0xd9,
+  0xe1, 0x5a, 0x1c, 0x9b, 0x65, 0x1a, 0x2b, 0x61, 0x41, 0x28, 0x02, 0x73,
+  0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67,
+  0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc,
+};
+static unsigned int enc_priv_key_len = 138;
+const struct bootutil_key bootutil_enc_key = {
+    .key = enc_priv_key,
+    .len = &enc_priv_key_len,
+};

boot/cypress/MCUBootApp/libs.mk

@@ -45,20 +45,10 @@ INCLUDE_DIRS_PDL += $(CUR_LIBS_PATH)/pdl/psoc6pdl/cmsis/include
 INCLUDE_DIRS_CORE_LIB := $(CUR_LIBS_PATH)/core-lib/include
 INCLUDE_DIRS_WATCHDOG := $(CUR_LIBS_PATH)/watchdog
 
-SOURCES_HAL += $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/source/cyhal_crypto_common.c
-SOURCES_HAL += $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/source/cyhal_hwmgr.c
-
 # Collected source files for libraries
 SOURCES_LIBS := $(SOURCES_PDL)
 SOURCES_LIBS += $(SOURCES_WATCHDOG)
 SOURCES_LIBS += $(SOURCES_PLATFORM)
-SOURCES_LIBS += $(SOURCES_HAL)
-
-# needed for Crypto HW Acceleration and headers inclusion, do not use for peripherals
-# peripherals should be accessed
-INCLUDE_DIRS_HAL := $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/include
-INCLUDE_DIRS_HAL += $(CUR_LIBS_PATH)/psoc6hal/include
-INCLUDE_DIRS_HAL += $(CUR_LIBS_PATH)/psoc6hal/COMPONENT_PSOC6HAL/include/pin_packages
 
 # Collected include directories for libraries
 INCLUDE_DIRS_LIBS := $(addprefix -I,$(INCLUDE_DIRS_PDL))

boot/cypress/Makefile

@@ -43,6 +43,8 @@ APP_NAME ?= MCUBootApp
 POST_BUILD ?= 1
 
 SIGN_KEY_FILE ?= cypress-test-ec-p256
+ENC_KEY_FILE ?= enc-ec256-pub
+ENC_IMG ?= 0
 
 # set this variable to a path, where cysecuretools python package is installed
 # use command `python -m pip show cysecuretools` to find out this path