zephyr: Add support for AES256

ahasztag · de-nordic · commit 268968f8e4a8 · 2025-08-01T13:24:56.000+02:00
This commit adds the parts in the tooling allowing
AES256 to work with MCUBoot in zephyr.
Currently only in combination PSA + ED25519

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -691,6 +691,22 @@ config BOOT_ENCRYPT_X25519
 	help
 	  Hidden option selecting x25519 encryption.
 
+if BOOT_ENCRYPT_IMAGE
+
+choice BOOT_ENCRYPT_ALG
+	prompt "Algorithm used for image encryption"
+	default BOOT_ENCRYPT_ALG_AES_128
+
+config BOOT_ENCRYPT_ALG_AES_128
+	bool "Use AES-128 for image encryption"
+
+config BOOT_ENCRYPT_ALG_AES_256
+	bool "Use AES-256 for image encryption"
+
+endchoice # BOOT_ENCRYPT_ALG
+
+endif # BOOT_ENCRYPT_IMAGE
+
 if BOOT_ENCRYPT_X25519 && BOOT_USE_PSA_CRYPTO
 
 choice BOOT_HMAC_SHA
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -165,6 +165,14 @@
 #define MCUBOOT_ENCRYPT_X25519
 #endif
 
+#ifdef CONFIG_BOOT_ENCRYPT_ALG_AES_128
+#define MCUBOOT_AES_128
+#endif
+
+#ifdef CONFIG_BOOT_ENCRYPT_ALG_AES_256
+#define MCUBOOT_AES_256
+#endif
+
 /* Support for HMAC/HKDF using SHA512; this is used in key exchange where
  * HKDF is used for key expansion and HMAC is used for key verification.
  */
