Skip to content

Commit 4f70786

Browse files
committed
Support for CUSTOM_ENCRYPT_KEY that allows customer to supply their own implementation
1 parent ec01e13 commit 4f70786

3 files changed

Lines changed: 31 additions & 1 deletion

File tree

docs/encrypted_partitions.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,28 @@ wolfBoot upon next boot.
3636
Aside from setting the temporary key, the update mechanism remains the same for distributing, uploading and
3737
installing firmware updates through wolfBoot.
3838

39+
### Custom encryption key storage
40+
41+
You can use the `CUSTOM_ENCRYPT_KEY` option to implement your own functions for:
42+
`wolfBoot_get_encrypt_key`, `wolfBoot_set_encrypt_key`, `wolfBoot_erase_encrypt_key`,
43+
and `wolfBoot_initialize_encryption`.
44+
45+
To enable:
46+
47+
1) Add `CUSTOM_ENCRYPT_KEY=1` to your `.config`
48+
2) Add your own .c file using `OBJS_EXTRA`. For example, for your own
49+
`src/custom_encrypt_key.c` add this to your `.config`:
50+
`OBJS_EXTRA=src/custom_encrypt_key.o`
51+
52+
Your custom implementation must provide these functions:
53+
54+
```c
55+
int wolfBoot_set_encrypt_key(const uint8_t *key, const uint8_t *nonce);
56+
int wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce);
57+
int wolfBoot_erase_encrypt_key(void);
58+
int wolfBoot_initialize_encryption(void);
59+
```
60+
3961
### Libwolfboot API
4062
4163
The API to communicate with the bootloader from the application is expanded when this feature is enabled,

options.mk

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -563,6 +563,9 @@ ifeq ($(ENCRYPT),1)
563563
endif
564564
endif
565565
endif
566+
ifeq ($(CUSTOM_ENCRYPT_KEY),1)
567+
CFLAGS+=-D"CUSTOM_ENCRYPT_KEY"
568+
endif
566569
endif
567570

568571
ifeq ($(EXT_FLASH),1)

src/libwolfboot.c

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,7 @@ extern void aes_set_iv(uint8_t *nonce, uint32_t address);
8181
#endif
8282

8383
#if defined (__WOLFBOOT) || defined (UNIT_TEST)
84+
#ifndef CUSTOM_ENCRYPT_KEY
8485
int wolfBoot_initialize_encryption(void)
8586
{
8687
if (!encrypt_initialized) {
@@ -91,6 +92,7 @@ int wolfBoot_initialize_encryption(void)
9192
}
9293
return 0;
9394
}
95+
#endif /* !CUSTOM_ENCRYPT_KEY */
9496
#endif
9597

9698
#else
@@ -1491,6 +1493,7 @@ static int RAMFUNCTION hal_set_key(const uint8_t *k, const uint8_t *nonce)
14911493
return ret;
14921494
#endif
14931495
}
1496+
#ifndef CUSTOM_ENCRYPT_KEY
14941497
/**
14951498
* @brief Set the encryption key.
14961499
*
@@ -1545,7 +1548,8 @@ int RAMFUNCTION wolfBoot_get_encrypt_key(uint8_t *k, uint8_t *nonce)
15451548
#endif
15461549
return 0;
15471550
}
1548-
#endif
1551+
#endif /* UNIT_TEST */
1552+
15491553
/**
15501554
* @brief Erase the encryption key.
15511555
*
@@ -1575,6 +1579,7 @@ int RAMFUNCTION wolfBoot_erase_encrypt_key(void)
15751579
#endif
15761580
return 0;
15771581
}
1582+
#endif /* !CUSTOM_ENCRYPT_KEY */
15781583

15791584
#if defined(__WOLFBOOT) || defined(UNIT_TEST)
15801585

0 commit comments

Comments
 (0)