Skip to content

Boot_serial improvements around encryption #2521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 29, 2025
Merged

Boot_serial improvements around encryption #2521

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
18d6a32
boot_serial: Fix double boot_loader_state init
de-nordic Oct 24, 2025
149a2d5
boot_serial: Use struct enc_data in decrypt_region_inplace
de-nordic Oct 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 16 additions & 13 deletions boot/boot_serial/src/boot_serial_encryption.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ read_image_size(const struct flash_area *fa_p,
* @return 0 on success; nonzero on failure.
*/
static int
decrypt_region_inplace(struct boot_loader_state *state,
decrypt_region_inplace(struct enc_data *enc_data,
const struct flash_area *fap,
struct image_header *hdr,
uint32_t off, uint32_t sz)
Expand All @@ -123,11 +123,8 @@ decrypt_region_inplace(struct boot_loader_state *state,
size_t blk_off;
uint16_t idx;
uint32_t blk_sz;
int slot = flash_area_id_to_multi_image_slot(BOOT_CURR_IMG(state),
flash_area_get_id(fap));
uint8_t buf[sz] __attribute__((aligned));
assert(sz <= sizeof buf);
assert(slot >= 0);

bytes_copied = 0;
while (bytes_copied < sz) {
Expand Down Expand Up @@ -169,7 +166,7 @@ decrypt_region_inplace(struct boot_loader_state *state,
blk_sz = tlv_off - (off + bytes_copied);
}
}
boot_enc_decrypt(BOOT_CURR_ENC_SLOT(state, slot),
boot_enc_decrypt(enc_data,
(off + bytes_copied + idx) - hdr->ih_hdr_size, blk_sz,
blk_off, &buf[idx]);
}
Expand Down Expand Up @@ -217,8 +214,9 @@ decrypt_image_inplace(const struct flash_area *fa_p,
size_t sect_count;
size_t sect;
struct flash_sector sector;
struct enc_key_data enc_data;

memset(&boot_data, 0, sizeof(struct boot_loader_state));
boot_state_clear(state);
memset(&_bs, 0, sizeof(struct boot_status));

/* Get size from last sector to know page/sector erase size */
Expand All @@ -233,26 +231,28 @@ decrypt_image_inplace(const struct flash_area *fa_p,
FIH_RET(fih_rc);
}
#endif
memset(&boot_data, 0, sizeof(struct boot_loader_state));
/* Load the encryption keys into cache */
rc = boot_enc_load(state, BOOT_SLOT_PRIMARY, hdr, fa_p, bs);
if (rc < 0) {
FIH_RET(fih_rc);
goto total_out;
}
if (rc == 0 && boot_enc_set_key(BOOT_CURR_ENC_SLOT(state, BOOT_SLOT_PRIMARY), bs->enckey[BOOT_SLOT_PRIMARY])) {
FIH_RET(fih_rc);

boot_enc_init(&enc_data);

if (rc == 0 && boot_enc_set_key(&enc_data, bs->enckey[BOOT_SLOT_PRIMARY])) {
goto total_out;
}
}
else
{
/* Expected encrypted image! */
FIH_RET(fih_rc);
goto total_out;
}

uint32_t src_size = 0;
rc = read_image_size(fa_p,hdr, &src_size);
if (rc != 0) {
FIH_RET(fih_rc);
goto total_out;
}

/* TODO: This assumes every sector has an equal size, should instead use
Expand All @@ -262,14 +262,17 @@ decrypt_image_inplace(const struct flash_area *fa_p,
sect_size = sector.fs_size;
sect_count = fa_p->fa_size / sect_size;
for (sect = 0, size = 0; size < src_size && sect < sect_count; sect++) {
rc = decrypt_region_inplace(state, fa_p,hdr, size, sect_size);
rc = decrypt_region_inplace(enc_data, fa_p, hdr, size, sect_size);
if (rc != 0) {
FIH_RET(fih_rc);
}
size += sect_size;
}

fih_rc = FIH_SUCCESS;
total_out:
boot_enc_zeorize(&enc_data);
boot_state_clear(&state);
FIH_RET(fih_rc);
}

Expand Down
Loading