Encryption changes needed for NCS build system

Ref: NCSDK-30935 Signed-off-by: Artur Hadasz <[email protected]>
nrfconnect · Jan 3, 2025 · afe2778 · afe2778
1 parent 638243b
commit afe2778
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 212 deletions.
diff --git a/ncs/Kconfig b/ncs/Kconfig
@@ -59,3 +59,51 @@ config SUIT_DFU_CACHE_EXTRACT_IMAGE_URI
 	default "cache://rad_recovery.bin" if (SOC_NRF54H20_CPURAD_COMMON || SOC_NRF9230_ENGB_CPURAD) && SUIT_RECOVERY
 
 endif # SUIT_DFU_CACHE_EXTRACT_IMAGE
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT
+	bool "Encrypt the target image"
+
+if SUIT_ENVELOPE_TARGET_ENCRYPT
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_STRING_KEY_ID
+	string "The string key ID used to identify the encryption key on the device"
+	default "FWENC_APPLICATION_GEN1" if SOC_NRF54H20_CPUAPP_COMMON
+	default "FWENC_RADIOCORE_GEN1" if SOC_NRF54H20_CPURAD_COMMON
+	help
+	  This string is translated to the numeric KEY ID by the encryption script
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_KEY_NAME
+	string "Name of the key used for encryption - to identify the key in the KMS"
+	default SUIT_ENVELOPE_TARGET_ENCRYPT_STRING_KEY_ID
+
+
+choice SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG
+	prompt "Algorithm used to calculate the digest of the plaintext firmware"
+	default SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHA256
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHA256
+	bool "Use the SHA-256 algorithm"
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHA384
+	bool "Use the SHA-384 algorithm"
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHA512
+	bool "Use the SHA-512 algorithm"
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHAKE128
+	bool "Use the SHAKE128 algorithm"
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHAKE256
+	bool "Use the SHAKE256 algorithm"
+
+endchoice
+
+config SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_NAME
+	string "String name of the algorithm used to calculate the digest of the plaintext firmware"
+	default "sha-256" if SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHA256
+	default "sha-384" if SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHA384
+	default "sha-512" if SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHA512
+	default "shake128" if SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHAKE128
+	default "shake256" if SUIT_ENVELOPE_TARGET_ENCRYPT_PLAINTEXT_HASH_ALG_SHAKE256
+
+endif # SUIT_ENVELOPE_TARGET_ENCRYPT
diff --git a/ncs/app_envelope_encrypted.yaml.jinja2 b/ncs/app_envelope_encrypted.yaml.jinja2
diff --git a/ncs/basic_kms.py b/ncs/basic_kms.py
@@ -22,8 +22,21 @@ def parse_context(self, context):
             self.keys_directory = Path(__file__).parent
             return None
 
-        context_loaded = json.loads(context)
-        self.keys_directory = Path(context_loaded["keys_directory"])
+        # Check if context is a valid path
+        context_path = Path(context)
+        if context_path.is_dir():
+            self.keys_directory = context_path
+            return
+
+        try:
+            context_loaded = json.loads(context)
+        except json.JSONDecodeError:
+            raise ValueError(f"The provided context '{context}' is neither a valid path nor a valid JSON string.")
+
+        try:
+            self.keys_directory = Path(context_loaded["keys_directory"])
+        except KeyError:
+            raise ValueError(f"The provided json context '{context}' does not contain the 'keys_directory' key.")
 
     def init_kms(self, context) -> None:
         """
@@ -35,13 +48,13 @@ def init_kms(self, context) -> None:
 
     def encrypt(self, plaintext, key_name, context, aad) -> tuple[bytes, bytes, bytes]:
         """
-        Encrypt the plainext with an AES key.
+        Encrypt the plaintext with an AES key.
 
         :param plaintext: The plaintext to be encrypted.
         :param key_name: The name of the key to be used.
         :param context: The context to be used
                         If it is passed, it is used to point to the directory where the keys are stored.
-                        In this case, it must be a JSON string in te format '{ "keys_directory":"<path>" }'.
+                        It can either be a path or a JSON string in the format '{ "keys_directory":"<path>" }'.
         :param aad: The additional authenticated data to be used.
         :return: The nonce, tag and ciphertext.
         :rtype: tuple[bytes, bytes, bytes]

diff --git a/ncs/build.py b/ncs/build.py
@@ -40,12 +40,6 @@ def read_configurations(configurations):
         # Parse obligatory arguments
         name, binary, edt, kconfig = args[:4]
 
-        # Parse optional arguments
-        if len(args) > 4:
-            encryption_artifacts_dir = args[4]
-        else:
-            encryption_artifacts_dir = None
-
         edt_data = None
         if edt:
             with open(edt, "rb") as edt_handler:
@@ -69,8 +63,6 @@ def read_configurations(configurations):
         if binary:
             data[image_name]["filename"] = pathlib.Path(binary).name
             data[image_name]["binary"] = binary
-        if encryption_artifacts_dir:
-            data[image_name]["encryption_artifacts_dir"] = encryption_artifacts_dir
     data["get_absolute_address"] = get_absolute_address
     return data