[nrf fromlist] bootloader: mcuboot: Changes needed to support AES256

ahasztag · ahasztag · commit 2b594f0197c0 · 2025-07-29T12:53:12.000+02:00
This commit adds changes which are necessary to support
the AES256 encryption algorithm in mcuboot.

Upstream PR #: 93809

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/cmake/mcuboot.cmake b/cmake/mcuboot.cmake
@@ -152,6 +152,12 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_args --align ${write_block_size} ${imgtool_args})
   endif()
 
+  if(NOT "${keyfile_enc}" STREQUAL "")
+    if(CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_256)
+      set(imgtool_args ${imgtool_args} --encrypt-keylen 256)
+    endif()
+  endif()
+
   # Extensionless prefix of any output file.
   set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
 
diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot
@@ -89,6 +89,22 @@ config MCUBOOT_ENCRYPTION_KEY_FILE
 
 	  If left empty, you must encrypt the Zephyr binaries manually.
 
+if MCUBOOT_ENCRYPTION_KEY_FILE != ""
+
+choice MCUBOOT_ENCRYPTION_ALG
+	prompt "Algorithm used for image encryption"
+	default MCUBOOT_ENCRYPTION_ALG_AES_128
+
+config MCUBOOT_ENCRYPTION_ALG_AES_128
+	bool "Use AES-128 for image encryption"
+
+config MCUBOOT_ENCRYPTION_ALG_AES_256
+	bool "Use AES-256 for image encryption"
+
+endchoice # BOOT_ENCRYPT_ALG
+
+endif # MCUBOOT_ENCRYPTION_KEY_FILE != ""
+
 config MCUBOOT_IMGTOOL_SIGN_VERSION
 	string "Version to pass to imgtool when signing"
 	default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != ""
diff --git a/share/sysbuild/image_configurations/MAIN_image_default.cmake b/share/sysbuild/image_configurations/MAIN_image_default.cmake
@@ -51,4 +51,13 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
       set_config_bool(${ZCMAKE_APPLICATION} CONFIG_RETENTION_BOOT_MODE y)
     endif()
   endif()
+
+  if(SB_CONFIG_BOOT_ENCRYPTION)
+    if(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_128)
+      set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_128 y)
+    elseif(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_256)
+      set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_256 y)
+    endif()
+  endif()
+
 endif()
diff --git a/share/sysbuild/images/bootloader/CMakeLists.txt b/share/sysbuild/images/bootloader/CMakeLists.txt
@@ -18,5 +18,10 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
   set_config_bool(${image} CONFIG_BOOT_ENCRYPT_IMAGE "${SB_CONFIG_BOOT_ENCRYPTION}")
   if(SB_CONFIG_BOOT_ENCRYPTION)
     set_config_string(${image} CONFIG_BOOT_ENCRYPTION_KEY_FILE "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}")
+    if(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_128)
+      set_config_bool(${image} CONFIG_BOOT_ENCRYPT_ALG_AES_128 y)
+    elseif(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_256)
+      set_config_bool(${image} CONFIG_BOOT_ENCRYPT_ALG_AES_256 y)
+    endif()
   endif()
 endif()
diff --git a/share/sysbuild/images/bootloader/Kconfig b/share/sysbuild/images/bootloader/Kconfig
@@ -204,4 +204,20 @@ config BOOT_ENCRYPTION_KEY_FILE
 	help
 	  Absolute path to encryption key file to use with MCUBoot.
 
+if BOOT_ENCRYPTION
+
+choice BOOT_ENCRYPTION_ALG
+	prompt "Algorithm used for image encryption"
+	default BOOT_ENCRYPTION_ALG_AES_128
+
+config BOOT_ENCRYPTION_ALG_AES_128
+	bool "Use AES-128 for image encryption"
+
+config BOOT_ENCRYPTION_ALG_AES_256
+	bool "Use AES-256 for image encryption"
+
+endchoice # BOOT_ENCRYPT_ALG
+
+endif # BOOT_ENCRYPTION
+
 endif
