Skip to content

Modify MCUboot to use PSA key_id_t for key type in AES encryption context #565

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Modify MCUboot to use PSA key_id_t for key type in AES encryption context #565

wants to merge 2 commits into from

Conversation

@de-nordic
Copy link
Contributor

@de-nordic de-nordic commented Oct 30, 2025

Two commits from upstream:

  • split of encryption headers
  • change in encryption context, where there is no longer raw key stored in encryption context, instead context setup function has been setup to import key into PSA and obtain psa_key_id_t key id for it that is then stored in context; all encryption functions will now operate on that key_id, when using the context.

Replacement of raw key array in encryption context, with psa_key_id_t, has reduced MCUboot binary size by ~224 bytes, for non-KMU and non-log-dbg build; small amount of RAM is saved also.

@NordicBuilder NordicBuilder mentioned this pull request Oct 30, 2025
Open
tomchy
tomchy reviewed Nov 7, 2025
View reviewed changes
boot/bootutil/include/bootutil/crypto/aes_ctr_mbedtls.h
return mbedtls_aes_setkey_enc(ctx, k, BOOT_ENC_KEY_SIZE * 8);
}

static inline int bootutil_aes_ctr_encrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, const uint8_t *m, uint32_t mlen, size_t blk_off, uint8_t *c)
Copy link
Contributor

@tomchy tomchy Nov 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally, I'd prefer to have docstrings inside the interface header, but since this is a [fromtree] commit, I'm not going to require them at this stage.

@de-nordic de-nordic requested a review from nordicjm November 13, 2025 11:22
@de-nordic
[nrf fromtree] bootutil: Split header with encryption functions
d75dd21 
Split definitions to crypto backend specific headers.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 5a161e4cc1cd5329c073d996f0300d2661c6b768)
@de-nordic
[nrf fromtree] bootutil: Allow using psa_key_id_t in AES crypto context
818e6fa 
Store psa_key_id_t key in AES context instead of RAW key.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit e92551838e18b6219af0891a18a757e538bd3ff6)
@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 13, 2025

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tomchy tomchy tomchy approved these changes

@nvlsianpu nvlsianpu Awaiting requested review from nvlsianpu

@michalek-no michalek-no Awaiting requested review from michalek-no

@nordicjm nordicjm Awaiting requested review from nordicjm

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@de-nordic @tomchy