Improve PSA offset/len defines for tlv and remove some defs from bootutil #2281
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Remove unneeded and improve used. Signed-off-by: Dominik Ermel <[email protected]>
BOOT_ENC_KEY_SIZE is enough. BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE has been replaced with BOOT_ENC_BLOCK_SIZE. Signed-off-by: Dominik Ermel <[email protected]>
There was a problem hiding this comment.
Pull Request Overview
This PR improves the PSA offset/length definitions for TLV handling and removes outdated bootutil definitions, streamlining the key and block size constants used in encryption functions.
- Update key and block size constants from BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE/BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE to BOOT_ENC_KEY_SIZE/BOOT_ENC_BLOCK_SIZE.
- Adjust associated index and length calculations in encryption and decryption routines.
- Refactor crypto header definitions for consistency across crypto branches.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| boot/bootutil/src/encrypted_psa.c | Updated key derivation and decryption routines to use the new BOOT_ENC_* definitions. |
| boot/bootutil/src/encrypted.c | Revised AES key unwrap and decryption functions to consistently reflect the updated defines. |
| boot/bootutil/include/bootutil/crypto/aes_ctr.h | Modified macro definitions to use BOOT_ENC_BLOCK_SIZE (and ensure compatibility with new sizes). |
Comments suppressed due to low confidence (3)
boot/bootutil/src/encrypted_psa.c:184
- The updated argument in psa_key_derivation_key_agreement has changed from BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE to EC_PUBK_LEN; please confirm that using the public key length here is intentional and matches the expected input size for key derivation. Adding a clarifying comment could aid future maintainers.
psa_ret = psa_key_derivation_key_agreement(&key_do, PSA_KEY_DERIVATION_INPUT_SECRET, kid, &buf[EC_PUBK_INDEX], EC_PUBK_LEN);
boot/bootutil/src/encrypted.c:537
- Ensure that there are adequate tests covering the new key derivation logic with the updated key size constants, including both success and failure scenarios for the hkdf function.
if (rc != 0 || len != (BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE)) {
boot/bootutil/include/bootutil/crypto/aes_ctr.h:25
- Review the consistency of macro definitions across different crypto branches; verify that BOOT_ENC_KEY_SIZE is defined for the MBEDTLS and PSA branches, as it is not explicitly declared in this header.
#define BOOT_ENC_BLOCK_SIZE (16)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes in encrypted_psa.
BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE has been replaced with BOOT_ENC_KEY_SIZE
BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE has been replaced with BOOT_ENC_BLOCK_SIZE