bootutil: Add support for HAMC-SHA512 with ECIES-X25519

de-nordic · de-nordic · commit 207f85088a5f · 2025-06-06T15:34:36.000Z
Add support for HKDF/HMAC based on SHA512 for ECIES-X25519 key
exchange.
The commit adds MCUBOOT_HMAC_SHA512 that enables new TLV
IMAGE_TLV_ENC_X25519_SHA512.
Encryption code has been altered to support the MCUBOOT_HMAC_SHA512.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/boot/bootutil/include/bootutil/enc_key_public.h b/boot/bootutil/include/bootutil/enc_key_public.h
@@ -70,10 +70,19 @@ extern "C" {
 #   define BOOT_ENC_KEY_SIZE   16
 #endif
 
+#ifdef MCUBOOT_HMAC_SHA512
+#   define BOOT_HMAC_SIZE      64
+#else
+#   define BOOT_HMAC_SIZE      32
+#endif
+
 #if defined(MCUBOOT_ENCRYPT_RSA)
 #   define BOOT_ENC_TLV_SIZE   (256)
 #   define BOOT_ENC_TLV        IMAGE_TLV_ENC_RSA2048
 #elif defined(MCUBOOT_ENCRYPT_EC256)
+#   if defined(MCUBOOT_HMAC_SHA512)
+#       error "ECIES-P256 does not support HMAC-SHA512"
+#   endif
 #   define EC_PUBK_LEN         (65)
 #   define EC_PRIVK_LEN        (32)
 #   define EC_SHARED_LEN       (32)
@@ -82,7 +91,11 @@ extern "C" {
 #   define EC_PUBK_LEN         (32)
 #   define EC_PRIVK_LEN        (32)
 #   define EC_SHARED_LEN       (32)
-#   define BOOT_ENC_TLV        IMAGE_TLV_ENC_X25519
+#   if !defined(MCUBOOT_HMAC_SHA512)
+#       define BOOT_ENC_TLV     IMAGE_TLV_ENC_X25519
+#   else
+#       define BOOT_ENC_TLV     IMAGE_TLV_ENC_X25519_SHA512
+#   endif
 #elif defined(MCUBOOT_ENCRYPT_KW)
 #   define BOOT_ENC_TLV_SIZE   (BOOT_ENC_KEY_SIZE + 8)
 #   define BOOT_ENC_TLV        IMAGE_TLV_ENC_KW
@@ -91,7 +104,7 @@ extern "C" {
 /* Common ECIES definitions */
 #if defined(EC_PUBK_LEN)
 #   define EC_PUBK_INDEX       (0)
-#   define EC_TAG_LEN          (32)
+#   define EC_TAG_LEN          (BOOT_HMAC_SIZE)
 #   define EC_TAG_INDEX        (EC_PUBK_INDEX + EC_PUBK_LEN)
 #   define EC_CIPHERKEY_INDEX  (EC_TAG_INDEX + EC_TAG_LEN)
 #   define EC_CIPHERKEY_LEN    BOOT_ENC_KEY_SIZE
diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h
@@ -115,6 +115,9 @@ struct flash_area;
 #define IMAGE_TLV_ENC_KW            0x31   /* Key encrypted with AES-KW 128 or 256*/
 #define IMAGE_TLV_ENC_EC256         0x32   /* Key encrypted with ECIES-EC256 */
 #define IMAGE_TLV_ENC_X25519        0x33   /* Key encrypted with ECIES-X25519 */
+#define IMAGE_TLV_ENC_X25519_SHA512 0x34   /* Key exchange using ECIES-X25519 and SHA512 for MAC
+                                            * tag and HKDF in key derivation process
+                                            */
 #define IMAGE_TLV_DEPENDENCY        0x40   /* Image depends on other image */
 #define IMAGE_TLV_SEC_CNT           0x50   /* security counter */
 #define IMAGE_TLV_BOOT_RECORD       0x60   /* measured boot record */
diff --git a/boot/bootutil/src/encrypted_psa.c b/boot/bootutil/src/encrypted_psa.c
@@ -27,6 +27,12 @@
 
 BOOT_LOG_MODULE_DECLARE(mcuboot_psa_enc);
 
+#if defined(MCUBOOT_HMAC_SHA512)
+#define PSA_HMAC_HKDF_SHA PSA_ALG_SHA_512
+#else
+#define PSA_HMAC_HKDF_SHA PSA_ALG_SHA_256
+#endif
+
 #define X25519_OID "\x6e"
 static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG \
                                        MBEDTLS_OID_ORG_GOV X25519_OID;
@@ -160,7 +166,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
         return -1;
     }
 
-    key_do_alg = PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256));
+    key_do_alg = PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_HMAC_HKDF_SHA));
 
     psa_ret = psa_key_derivation_setup(&key_do, key_do_alg);
     if (psa_ret != PSA_SUCCESS) {
@@ -223,7 +229,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
      */
     psa_set_key_type(&kattr, PSA_KEY_TYPE_HMAC);
     psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_VERIFY_MESSAGE);
-    psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+    psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_HMAC_HKDF_SHA));
 
     /* Import the MAC tag key part of derived key */
     psa_ret = psa_import_key(&kattr,
@@ -237,7 +243,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     }
 
     /* Verify the MAC tag of the random encryption key */
-    psa_ret = psa_mac_verify(kid, PSA_ALG_HMAC(PSA_ALG_SHA_256),
+    psa_ret = psa_mac_verify(kid, PSA_ALG_HMAC(PSA_HMAC_HKDF_SHA),
                              &buf[EC_CIPHERKEY_INDEX], EC_CIPHERKEY_LEN,
                              &buf[EC_TAG_INDEX],
                              EC_TAG_LEN);
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
@@ -463,7 +463,11 @@ static const uint16_t allowed_unprot_tlvs[] = {
      IMAGE_TLV_ENC_RSA2048,
      IMAGE_TLV_ENC_KW,
      IMAGE_TLV_ENC_EC256,
+#if !defined(MCUBOOT_HMAC_SHA512)
      IMAGE_TLV_ENC_X25519,
+#else
+     IMAGE_TLV_ENC_X25519_SHA512,
+#endif
      /* Mark end with ANY. */
      IMAGE_TLV_ANY,
 };
