HMAC/HKDF-SHA512 support basics #2299
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MCUboot now runs and boots up macs? 😆 |
de-nordic
force-pushed
the
mac
branch
4 times, most recently
from
c374032 to
96074f2
Compare
nvlsianpu
reviewed
May 20, 2025
boot/zephyr/Kconfig
Outdated
| depends on BOOT_ENCRYPT_X25519 | ||
| depends on BOOT_USE_PSA_CRYPTO | ||
| help | ||
| By default SHA512 is used for HKDF/HMAC in key exchange expansion |
There was a problem hiding this comment.
help: By default SHA256 is used...
There was a problem hiding this comment.
Sorry I am stuck at PSA of nrf54
nvlsianpu
approved these changes
May 28, 2025
scripts/imgtool/image.py
Outdated
| hmac_sha_alg = hashes.SHA256() | ||
| elif hmac_sha == '512': | ||
| if not isinstance(enckey, x25519.X25519Public): | ||
| raise click.UsageError("Currently only ECIES-X2519 supports HMAC-SHA512") |
There was a problem hiding this comment.
typo: ECIES-X2519 -> ECIES-X25519
Information on TLV and format. Signed-off-by: Dominik Ermel <[email protected]>
Add support for HKDF/HMAC based on SHA512 for ECIES-X25519 key exchange. The commit adds MCUBOOT_HMAC_SHA512 that enables new TLV IMAGE_TLV_ENC_X25519_SHA512. Encryption code has been altered to support the MCUBOOT_HMAC_SHA512. Signed-off-by: Dominik Ermel <[email protected]>
The commit addds CONFIG_BOOT_HMAC_SHA512 that enables MCUboot configuration option MCUBOOT_HMAC_SHA512, that is used for switching HKDF/HMAC in ECIES key exchange to SHA512, from default SHA256. This option, currently, is only available for ECIES-X25519 with PSA as crypto backend. Signed-off-by: Dominik Ermel <[email protected]>
Commit adds imgtool command line option --hmac-sha allowing to select between SHA256 and SHA512 for HMAC/HKDF. Signed-off-by: Dominik Ermel <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.