From 9038c78e4218c8623a53b15577c1075af5313642 Mon Sep 17 00:00:00 2001
From: Artur Hadasz <artur.hadasz@nordicsemi.no>
Date: Mon, 28 Jul 2025 11:55:53 +0200
Subject: [PATCH] bootloader: mcuboot: Changes needed to support AES256

This commit adds changes which are necessary to support
the AES256 encryption algorithm in mcuboot.

Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
---
 cmake/mcuboot.cmake                              |  7 +++++++
 modules/Kconfig.mcuboot                          | 16 ++++++++++++++++
 .../BOOTLOADER_image_default.cmake               |  9 +++++++++
 .../MAIN_image_default.cmake                     |  8 ++++++++
 share/sysbuild/images/bootloader/CMakeLists.txt  |  4 ----
 share/sysbuild/images/bootloader/Kconfig         | 16 ++++++++++++++++
 6 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/cmake/mcuboot.cmake b/cmake/mcuboot.cmake
index 0a835d6394881..6013eeb5bc314 100644
--- a/cmake/mcuboot.cmake
+++ b/cmake/mcuboot.cmake
@@ -161,6 +161,13 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_args --sha 512 ${imgtool_args})
   endif()
 
+  if(NOT "${keyfile_enc}" STREQUAL "")
+    if(CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_256)
+      # Note: this overrides the default behavior of using AES-128
+      set(imgtool_args ${imgtool_args} --encrypt-keylen 256)
+    endif()
+  endif()
+
   # Extensionless prefix of any output file.
   set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
 
diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot
index c421aa6ed7974..34d9f75798528 100644
--- a/modules/Kconfig.mcuboot
+++ b/modules/Kconfig.mcuboot
@@ -89,6 +89,22 @@ config MCUBOOT_ENCRYPTION_KEY_FILE
 
 	  If left empty, you must encrypt the Zephyr binaries manually.
 
+if MCUBOOT_ENCRYPTION_KEY_FILE != ""
+
+choice MCUBOOT_ENCRYPTION_ALG
+	prompt "Algorithm used for image encryption"
+	default MCUBOOT_ENCRYPTION_ALG_AES_128
+
+config MCUBOOT_ENCRYPTION_ALG_AES_128
+	bool "Use AES-128 for image encryption"
+
+config MCUBOOT_ENCRYPTION_ALG_AES_256
+	bool "Use AES-256 for image encryption"
+
+endchoice # MCUBOOT_ENCRYPTION_ALG
+
+endif # MCUBOOT_ENCRYPTION_KEY_FILE != ""
+
 config MCUBOOT_IMGTOOL_SIGN_VERSION
 	string "Version to pass to imgtool when signing"
 	default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != ""
diff --git a/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake b/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake
index 3998ac202df37..e543de1bc3b51 100644
--- a/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake
+++ b/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake
@@ -84,3 +84,12 @@ foreach(loopkeytype ${keytypes})
     set_config_bool(${ZCMAKE_APPLICATION} ${loopkeytype} n)
   endif()
 endforeach()
+
+if(SB_CONFIG_BOOT_ENCRYPTION)
+  set_config_string(${ZCMAKE_APPLICATION} CONFIG_BOOT_ENCRYPTION_KEY_FILE "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}")
+  if(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_128)
+    set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOT_ENCRYPT_ALG_AES_128 y)
+  elseif(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_256)
+    set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOT_ENCRYPT_ALG_AES_256 y)
+  endif()
+endif()
diff --git a/share/sysbuild/image_configurations/MAIN_image_default.cmake b/share/sysbuild/image_configurations/MAIN_image_default.cmake
index a7f6398e6218c..8e569b228e25d 100644
--- a/share/sysbuild/image_configurations/MAIN_image_default.cmake
+++ b/share/sysbuild/image_configurations/MAIN_image_default.cmake
@@ -56,4 +56,12 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
       set_config_bool(${ZCMAKE_APPLICATION} CONFIG_RETENTION_BOOT_MODE y)
     endif()
   endif()
+
+  if(SB_CONFIG_BOOT_ENCRYPTION)
+    if(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_128)
+      set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_128 y)
+    elseif(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_256)
+      set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_256 y)
+    endif()
+  endif()
 endif()
diff --git a/share/sysbuild/images/bootloader/CMakeLists.txt b/share/sysbuild/images/bootloader/CMakeLists.txt
index c82f0808c66ec..501a1f366f2a4 100644
--- a/share/sysbuild/images/bootloader/CMakeLists.txt
+++ b/share/sysbuild/images/bootloader/CMakeLists.txt
@@ -15,8 +15,4 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
   sysbuild_add_dependencies(FLASH ${DEFAULT_IMAGE} ${image})
 
   set_config_string(${image} CONFIG_BOOT_SIGNATURE_KEY_FILE "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
-  set_config_bool(${image} CONFIG_BOOT_ENCRYPT_IMAGE "${SB_CONFIG_BOOT_ENCRYPTION}")
-  if(SB_CONFIG_BOOT_ENCRYPTION)
-    set_config_string(${image} CONFIG_BOOT_ENCRYPTION_KEY_FILE "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}")
-  endif()
 endif()
diff --git a/share/sysbuild/images/bootloader/Kconfig b/share/sysbuild/images/bootloader/Kconfig
index 51b1c382969d1..c8b776c1be064 100644
--- a/share/sysbuild/images/bootloader/Kconfig
+++ b/share/sysbuild/images/bootloader/Kconfig
@@ -219,4 +219,20 @@ config BOOT_ENCRYPTION_KEY_FILE
 	help
 	  Absolute path to encryption key file to use with MCUBoot.
 
+if BOOT_ENCRYPTION
+
+choice BOOT_ENCRYPTION_ALG
+	prompt "Algorithm used for image encryption"
+	default BOOT_ENCRYPTION_ALG_AES_128
+
+config BOOT_ENCRYPTION_ALG_AES_128
+	bool "Use AES-128 for image encryption"
+
+config BOOT_ENCRYPTION_ALG_AES_256
+	bool "Use AES-256 for image encryption"
+
+endchoice # BOOT_ENCRYPTION_ALG
+
+endif # BOOT_ENCRYPTION
+
 endif