bootloader: mcuboot: Changes needed to support AES256

ahasztag · carlescufi · commit 9a1fe3019934 · 2025-08-12T12:35:31.000+02:00
This commit adds changes which are necessary to support
the AES256 encryption algorithm in mcuboot.

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/cmake/mcuboot.cmake b/cmake/mcuboot.cmake
@@ -161,6 +161,13 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_args --sha 512 ${imgtool_args})
   endif()
 
+  if(NOT "${keyfile_enc}" STREQUAL "")
+    if(CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_256)
+      # Note: this overrides the default behavior of using AES-128
+      set(imgtool_args ${imgtool_args} --encrypt-keylen 256)
+    endif()
+  endif()
+
   # Extensionless prefix of any output file.
   set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
 
diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot
@@ -89,6 +89,22 @@ config MCUBOOT_ENCRYPTION_KEY_FILE
 
 	  If left empty, you must encrypt the Zephyr binaries manually.
 
+if MCUBOOT_ENCRYPTION_KEY_FILE != ""
+
+choice MCUBOOT_ENCRYPTION_ALG
+	prompt "Algorithm used for image encryption"
+	default MCUBOOT_ENCRYPTION_ALG_AES_128
+
+config MCUBOOT_ENCRYPTION_ALG_AES_128
+	bool "Use AES-128 for image encryption"
+
+config MCUBOOT_ENCRYPTION_ALG_AES_256
+	bool "Use AES-256 for image encryption"
+
+endchoice # MCUBOOT_ENCRYPTION_ALG
+
+endif # MCUBOOT_ENCRYPTION_KEY_FILE != ""
+
 config MCUBOOT_IMGTOOL_SIGN_VERSION
 	string "Version to pass to imgtool when signing"
 	default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != ""
diff --git a/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake b/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake
@@ -84,3 +84,12 @@ foreach(loopkeytype ${keytypes})
     set_config_bool(${ZCMAKE_APPLICATION} ${loopkeytype} n)
   endif()
 endforeach()
+
+if(SB_CONFIG_BOOT_ENCRYPTION)
+  set_config_string(${ZCMAKE_APPLICATION} CONFIG_BOOT_ENCRYPTION_KEY_FILE "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}")
+  if(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_128)
+    set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOT_ENCRYPT_ALG_AES_128 y)
+  elseif(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_256)
+    set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOT_ENCRYPT_ALG_AES_256 y)
+  endif()
+endif()
diff --git a/share/sysbuild/image_configurations/MAIN_image_default.cmake b/share/sysbuild/image_configurations/MAIN_image_default.cmake
@@ -56,4 +56,12 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
       set_config_bool(${ZCMAKE_APPLICATION} CONFIG_RETENTION_BOOT_MODE y)
     endif()
   endif()
+
+  if(SB_CONFIG_BOOT_ENCRYPTION)
+    if(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_128)
+      set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_128 y)
+    elseif(SB_CONFIG_BOOT_ENCRYPTION_ALG_AES_256)
+      set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_ENCRYPTION_ALG_AES_256 y)
+    endif()
+  endif()
 endif()
diff --git a/share/sysbuild/images/bootloader/CMakeLists.txt b/share/sysbuild/images/bootloader/CMakeLists.txt
@@ -15,8 +15,4 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
   sysbuild_add_dependencies(FLASH ${DEFAULT_IMAGE} ${image})
 
   set_config_string(${image} CONFIG_BOOT_SIGNATURE_KEY_FILE "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")
-  set_config_bool(${image} CONFIG_BOOT_ENCRYPT_IMAGE "${SB_CONFIG_BOOT_ENCRYPTION}")
-  if(SB_CONFIG_BOOT_ENCRYPTION)
-    set_config_string(${image} CONFIG_BOOT_ENCRYPTION_KEY_FILE "${SB_CONFIG_BOOT_ENCRYPTION_KEY_FILE}")
-  endif()
 endif()
diff --git a/share/sysbuild/images/bootloader/Kconfig b/share/sysbuild/images/bootloader/Kconfig
@@ -219,4 +219,20 @@ config BOOT_ENCRYPTION_KEY_FILE
 	help
 	  Absolute path to encryption key file to use with MCUBoot.
 
+if BOOT_ENCRYPTION
+
+choice BOOT_ENCRYPTION_ALG
+	prompt "Algorithm used for image encryption"
+	default BOOT_ENCRYPTION_ALG_AES_128
+
+config BOOT_ENCRYPTION_ALG_AES_128
+	bool "Use AES-128 for image encryption"
+
+config BOOT_ENCRYPTION_ALG_AES_256
+	bool "Use AES-256 for image encryption"
+
+endchoice # BOOT_ENCRYPTION_ALG
+
+endif # BOOT_ENCRYPTION
+
 endif
