sysbuild: Add support for MCUboot/app encryption keys

Adds support for controlling the MCUboot (and application) signing key, and allows for generating encrypted updates. Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
2023-07-17 14:46:45 +01:00 · 2023-07-17 14:46:45 +01:00 · 62f07c67d5
parent c796e1bee2
commit 62f07c67d5
3 changed files with 25 additions and 2 deletions
--- a/share/sysbuild/image_configurations/MAIN_image_default.cmake
+++ b/share/sysbuild/image_configurations/MAIN_image_default.cmake
@ -9,6 +9,9 @@ set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOTLOADER_MCUBOOT "${SB_CONFIG_BOO
 set_config_string(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_SIGNATURE_KEY_FILE
                  "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}"
 )
+set_config_string(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE
+                  "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}"
+)

 if(SB_CONFIG_BOOTLOADER_MCUBOOT)
  if("${SB_CONFIG_SIGNATURE_TYPE}" STREQUAL "NONE")
--- a/share/sysbuild/images/bootloader/CMakeLists.txt
+++ b/share/sysbuild/images/bootloader/CMakeLists.txt
@ -15,4 +15,8 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
  sysbuild_add_dependencies(FLASH ${DEFAULT_IMAGE} ${image})

  set_config_string(${image} CONFIG_BOOT_SIGNATURE_KEY_FILE "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
+  set_config_bool(${image} CONFIG_BOOT_ENCRYPT_IMAGE "${SB_CONFIG_BOOT_ENCRYPTION}")
+  if(SB_CONFIG_BOOT_ENCRYPTION)
+    set_config_string(${image} CONFIG_BOOT_ENCRYPTION_KEY_FILE "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}")
+  endif()
 endif()
--- a/share/sysbuild/images/bootloader/Kconfig
+++ b/share/sysbuild/images/bootloader/Kconfig
@ -56,12 +56,28 @@ config BOOT_SIGNATURE_TYPE_ED25519
 endchoice

 config BOOT_SIGNATURE_KEY_FILE
-	string "PEM key file"
+	string "Signing PEM key file"
 	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
 	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
 	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA
 	default ""
 	help
-	  Absolute path to key file to use with MCUBoot.
+	  Absolute path to signing key file to use with MCUBoot.
+
+config BOOT_ENCRYPTION
+	bool "Encrypted image support"
+	depends on !BOOT_SIGNATURE_TYPE_NONE
+	help
+	  Support encrypted images.
+
+config BOOT_ENCRYPTION_KEY_FILE
+	string "Encryption PEM key file"
+	depends on BOOT_ENCRYPTION
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/enc-ec256-priv.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/enc-x25519-priv.pem" if BOOT_SIGNATURE_TYPE_ED25519
+	default "$(ZEPHYR_MCUBOOT_MODULE_DIR)/enc-rsa2048-priv.pem" if BOOT_SIGNATURE_TYPE_RSA
+	default ""
+	help
+	  Absolute path to encryption key file to use with MCUBoot.

 endif