Skip to content

Commit 293252a

Browse files
de-nordicde-nordic
committed
sysbuild: Allow selecting SHA512 for HMAC/HKDF in MCUboot
When encryption is used and ECIES-X25519 is used for AES-128 key exchange it is possible now to use SB_CONFIG_NRF_MCUBOOT_HMAC_SHA512 sysbuild option to use SHA512 for HMAC/HKDF. This should allow to reduce size of MCUboot by removing need for SHA256 being compiled in just for the key exchange. Signed-off-by: Dominik Ermel <[email protected]>
1 parent 782105f commit 293252a

File tree

2 files changed

+16
-0
lines changed

2 files changed

+16
-0
lines changed

sysbuild/CMakeLists.txt

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -238,11 +238,18 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
238238
set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER y)
239239
set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER y)
240240
set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER y)
241+
242+
if(SB_CONFIG_NRF_MCUBOOT_HMAC_SHA512)
243+
set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 y)
244+
else()
245+
set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
246+
endif()
241247
else()
242248
set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n)
243249
set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n)
244250
set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
245251
set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
252+
set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
246253
endif()
247254

248255
if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)

sysbuild/Kconfig.mcuboot

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -184,6 +184,15 @@ config MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
184184
help
185185
If enabled, the build system will generate keyfile.json file in the build directory.
186186

187+
config NRF_MCUBOOT_HMAC_SHA512
188+
bool "Use SHA256 for HMAC"
189+
depends on BOOT_ENCRYPTION && SOC_SERIES_NRF54LX && BOOT_SIGNATURE_TYPE_ED25519
190+
help
191+
Default is to use SHA256 for HMAC/HKDF ECIES-X25519 key exchange is used.
192+
This means that both SHA256 and SHA512 support has to be compiled in.
193+
Enabling this option switches to SHA512 for HMAC/HKDF slightly reducing
194+
MCUboot code size.
195+
187196
endif
188197

189198
config MCUBOOT_USE_ALL_AVAILABLE_RAM

0 commit comments

Comments
 (0)