bootutil: Add support for HAMC-SHA512 with ECIES-X25519

de-nordic · de-nordic · commit 4cb9207a8c1b · 2025-05-28T11:52:11.000Z
Add support for HKDF/HMAC based on SHA512 for ECIES-X25519 key
exchange.
The commit adds MCUBOOT_HMAC_SHA512 that enables new TLV
IMAGE_TLV_ENC_X25519_SHA512.
Encryption code has been altered to support the MCUBOOT_HMAC_SHA512.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/boot/bootutil/include/bootutil/enc_key_public.h b/boot/bootutil/include/bootutil/enc_key_public.h
@@ -42,16 +42,25 @@ extern "C" {
 #define BOOT_ENC_KEY_SIZE       16
 #endif
 
+#ifdef MCUBOOT_HMAC_SHA512
+#define BOOT_HMAC_SIZE          64
+#else
+#define BOOT_HMAC_SIZE          32
+#endif
+
 #define BOOT_ENC_KEY_ALIGN_SIZE ALIGN_UP(BOOT_ENC_KEY_SIZE, BOOT_MAX_ALIGN)
 
 #define TLV_ENC_RSA_SZ    256
 #define TLV_ENC_KW_SZ     (BOOT_ENC_KEY_SIZE + 8)
-#define TLV_ENC_EC256_SZ  (65 + 32 + BOOT_ENC_KEY_SIZE)
-#define TLV_ENC_X25519_SZ (32 + 32 + BOOT_ENC_KEY_SIZE)
+#define TLV_ENC_EC256_SZ  (65 + BOOT_HMAC_SIZE + BOOT_ENC_KEY_SIZE)
+#define TLV_ENC_X25519_SZ (32 + BOOT_HMAC_SIZE + BOOT_ENC_KEY_SIZE)
 
 #if defined(MCUBOOT_ENCRYPT_RSA)
 #define BOOT_ENC_TLV_SIZE TLV_ENC_RSA_SZ
 #elif defined(MCUBOOT_ENCRYPT_EC256)
+#if MCUBOOT_HMAC_SHA512
+#error "ECIES-P256 does not support HMAC-SHA512"
+#endif
 #define BOOT_ENC_TLV_SIZE TLV_ENC_EC256_SZ
 #elif defined(MCUBOOT_ENCRYPT_X25519)
 #define BOOT_ENC_TLV_SIZE TLV_ENC_X25519_SZ
diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h
@@ -115,6 +115,9 @@ struct flash_area;
 #define IMAGE_TLV_ENC_KW            0x31   /* Key encrypted with AES-KW 128 or 256*/
 #define IMAGE_TLV_ENC_EC256         0x32   /* Key encrypted with ECIES-EC256 */
 #define IMAGE_TLV_ENC_X25519        0x33   /* Key encrypted with ECIES-X25519 */
+#define IMAGE_TLV_ENC_X25519_SHA512 0x34   /* Key exchange using ECIES-X25519 and SHA512 for MAC
+                                            * tag and HKDF in key derivation process
+                                            */
 #define IMAGE_TLV_DEPENDENCY        0x40   /* Image depends on other image */
 #define IMAGE_TLV_SEC_CNT           0x50   /* security counter */
 #define IMAGE_TLV_BOOT_RECORD       0x60   /* measured boot record */
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
@@ -60,10 +60,16 @@
 _Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
         "Please fix ECIES-P256 component indexes");
 #elif defined(MCUBOOT_ENCRYPT_X25519)
+#if !defined(MCUBOOT_HMAC_SHA512)
 #    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_X25519
+#elif !defined(MCUBOOT_USE_PSA_CRYPTO)
+#error "Non-PSA code does not support ECIES-X25519 with HMAC-SHA512 at this moment"
+#else
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_X25519_SHA512
+#endif /* !defined(MCUBOOT_HMAC_SHA512) */
 #    define EC_PUBK_INDEX       (0)
 #    define EC_TAG_INDEX        (32)
-#    define EC_CIPHERKEY_INDEX  (32 + 32)
+#    define EC_CIPHERKEY_INDEX  (EC_TAG_INDEX + BOOT_HMAC_SIZE)
 _Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
         "Please fix ECIES-X25519 component indexes");
 #endif
diff --git a/boot/bootutil/src/encrypted_psa.c b/boot/bootutil/src/encrypted_psa.c
@@ -27,11 +27,19 @@
 
 BOOT_LOG_MODULE_DECLARE(mcuboot_psa_enc);
 
+#if defined(MCUBOOT_HMAC_SHA512)
+#define PSA_HMAC_HKDF_SHA PSA_ALG_SHA_512
+#else
+#define PSA_HMAC_HKDF_SHA PSA_ALG_SHA_256
+#endif
+
+#define PSA_HMAC_SIZE       BOOT_HMAC_SIZE
+
 #define EXPECTED_ENC_LEN    BOOT_ENC_TLV_SIZE
 #define EC_PUBK_INDEX       (0)
 #define EC_PUBK_LEN         (32)
 #define EC_TAG_INDEX        (EC_PUBK_INDEX + EC_PUBK_LEN)
-#define EC_TAG_LEN          (32)
+#define EC_TAG_LEN          (BOOT_HMAC_SIZE)
 #define EC_CIPHERKEY_INDEX  (EC_TAG_INDEX + EC_TAG_LEN)
 #define EC_CIPHERKEY_LEN    BOOT_ENC_KEY_SIZE
 _Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
@@ -172,7 +180,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
         return -1;
     }
 
-    key_do_alg = PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256));
+    key_do_alg = PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_HMAC_HKDF_SHA));
 
     psa_ret = psa_key_derivation_setup(&key_do, key_do_alg);
     if (psa_ret != PSA_SUCCESS) {
@@ -235,7 +243,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
      */
     psa_set_key_type(&kattr, PSA_KEY_TYPE_HMAC);
     psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_VERIFY_MESSAGE);
-    psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+    psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_HMAC_HKDF_SHA));
 
     /* Import the MAC tag key part of derived key */
     psa_ret = psa_import_key(&kattr,
@@ -249,7 +257,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     }
 
     /* Verify the MAC tag of the random encryption key */
-    psa_ret = psa_mac_verify(kid, PSA_ALG_HMAC(PSA_ALG_SHA_256),
+    psa_ret = psa_mac_verify(kid, PSA_ALG_HMAC(PSA_HMAC_HKDF_SHA),
                              &buf[EC_CIPHERKEY_INDEX], EC_CIPHERKEY_LEN,
                              &buf[EC_TAG_INDEX],
                              EC_TAG_LEN);
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
@@ -463,7 +463,11 @@ static const uint16_t allowed_unprot_tlvs[] = {
      IMAGE_TLV_ENC_RSA2048,
      IMAGE_TLV_ENC_KW,
      IMAGE_TLV_ENC_EC256,
+#if !defined(MCUBOOT_HMAC_SHA512)
      IMAGE_TLV_ENC_X25519,
+#else
+     IMAGE_TLV_ENC_X25519_SHA512,
+#endif
      /* Mark end with ANY. */
      IMAGE_TLV_ANY,
 };
