Add PKCS11 backend for encrypted partitions

mattia-moffa · mattia-moffa · commit 4f00942078c2 · 2025-12-24T04:54:13.000+01:00
diff --git a/docs/encrypted_partitions.md b/docs/encrypted_partitions.md
@@ -73,6 +73,36 @@ To compile wolfBoot with encryption support, use the option `ENCRYPT=1`.
 By default, this also selects `ENCRYPT_WITH_CHACHA=1`. To use AES encryption instead,
 select `ENCRYPT_WITH_AES128=1` or `ENCRYPT_WITH_AES256=1`.
 
+### PKCS#11 backend
+
+On ARM TrustZone configurations with `WOLFCRYPT_TZ_PKCS11` enabled, it is
+possible to use the keyvault provided by wolfBoot to store the encryption key.
+To enable this, use the configuration option `ENCRYPT_PKCS11=1` alongside
+`WOLFCRYPT_TZ=1`, `WOLFCRYPT_TZ_PKCS11=1` and `ENCRYPT=1`, and set
+`ENCRYPT_PKCS11_PIN` to the user PIN for the PKCS#11 vault. This should be set
+in the form of a C string literal, for example
+`ENCRYPT_PKCS11_PIN="\x01\x02\x03\x04"`, and the ending null byte will be
+ignored.
+
+When this is enabled, instead of providing the key to wolfBoot via
+`wolfBoot_set_encrypt_key`, the application should use the PKCS#11 API to store
+it in the keyvault with an appropriate ID (via the `CKA_ID` attribute). This ID
+should then be used as the `key` parameter (in place of the key) when calling
+`wolfBoot_set_encrypt_key`.
+
+The following configuration options are also available:
+
+- `ENCRYPT_PKCS11_KEY_ID_SIZE` (default `4`): this is the size, in bytes, of
+  the key ID.
+- `ENCRYPT_PKCS11_MECHANISM` (default `0x00001086UL`, i.e. AES-CTR): this is
+  the numeric ID of the PKCS#11 mechanism to be used for encryption. Currently
+  only AES-CTR is supported. The list of IDs can be found in the [appendix of
+  the PKCS#11 mechanism specification](https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.html#_Toc228894920),
+  while the list of IDs supported by wolfPKCS11 is set in the [pkcs11.h](https://github.com/wolfSSL/wolfPKCS11/blob/master/wolfpkcs11/pkcs11.h)
+  header file.
+- `ENCRYPT_PKCS11_BLOCK_SIZE` (default `16`, for AES-CTR) and
+  `ENCRYPT_PKCS11_NONCE_SIZE` (default `16`, for AES-CTR) should be set in case
+  you set `ENCRYPT_PKCS11_MECHANISM` to something other than the default.
 
 ### Signing and encrypting the update bundle with ChaCha20-256
 
diff --git a/include/encrypt.h b/include/encrypt.h
@@ -63,6 +63,21 @@ extern Aes aes_dec, aes_enc;
 
 int aes_init(void);
 void aes_set_iv(uint8_t *nonce, uint32_t address);
+
+#elif defined(ENCRYPT_PKCS11)
+#include "wolfboot/wcs_pkcs11.h"
+
+int pkcs11_crypto_init(void);
+void pkcs11_crypto_set_iv(uint8_t *nonce, uint32_t iv_ctr);
+int pkcs11_crypto_encrypt(uint8_t *out, uint8_t *in, size_t size);
+int pkcs11_crypto_decrypt(uint8_t *out, uint8_t *in, size_t size);
+void pkcs11_crypto_deinit(void);
+
+#define crypto_init() pkcs11_crypto_init()
+#define crypto_encrypt(eb,b,sz) pkcs11_crypto_encrypt(eb, b, sz)
+#define crypto_decrypt(db,b,sz) pkcs11_crypto_decrypt(db, b, sz)
+#define crypto_set_iv(n,a) pkcs11_crypto_set_iv(n, a)
+
 #endif /* ENCRYPT_WITH_CHACHA */
 
 /* external flash encryption read/write functions */
diff --git a/include/user_settings.h b/include/user_settings.h
@@ -350,11 +350,15 @@ extern int tolower(int c);
 #   define WOLFBOOT_SECURE_PKCS11
 #   define WOLFPKCS11_USER_SETTINGS
 #   define WOLFPKCS11_NO_TIME
+#ifndef WOLFSSL_AES_COUNTER
 #   define WOLFSSL_AES_COUNTER
+#endif
+#   define HAVE_AESCTR
+#ifndef WOLFSSL_AES_DIRECT
 #   define WOLFSSL_AES_DIRECT
+#endif
 #   define WOLFSSL_AES_GCM
 #   define GCM_TABLE_4BIT
-#   define ENCRYPT_WITH_AES128
 #   define WOLFSSL_AES_128
 #   define HAVE_SCRYPT
 #   define HAVE_AESGCM
diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h
@@ -514,6 +514,11 @@ int wolfBoot_get_partition_state(uint8_t part, uint8_t *st);
     #define ENCRYPT_BLOCK_SIZE 16
     #define ENCRYPT_KEY_SIZE   32 /* AES256 */
     #define ENCRYPT_NONCE_SIZE 16 /* AES IV size */
+#elif defined(ENCRYPT_PKCS11)
+    #define ENCRYPT_BLOCK_SIZE ENCRYPT_PKCS11_BLOCK_SIZE
+    /* In this case, the key ID is stored in flash rather than the key itself */
+    #define ENCRYPT_KEY_SIZE   ENCRYPT_PKCS11_KEY_ID_SIZE
+    #define ENCRYPT_NONCE_SIZE ENCRYPT_PKCS11_NONCE_SIZE
 #else
 #   error "Encryption ON, but no encryption algorithm selected."
 #endif
diff --git a/options.mk b/options.mk
@@ -530,19 +530,37 @@ endif
 
 ifeq ($(ENCRYPT),1)
   CFLAGS+=-D"EXT_ENCRYPTED=1"
-  ifeq ($(ENCRYPT_WITH_AES128),1)
-    CFLAGS+=-DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT
-    CFLAGS+=-DENCRYPT_WITH_AES128 -DWOLFSSL_AES_128
-    WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/aes.o
+  ifeq ($(ENCRYPT_PKCS11),1)
+    CFLAGS+=-DENCRYPT_PKCS11 -D'ENCRYPT_PKCS11_PIN=$(ENCRYPT_PKCS11_PIN)'
+    ifeq ($(ENCRYPT_PKCS11_KEY_ID_SIZE),)
+      ENCRYPT_PKCS11_KEY_ID_SIZE=4
+    endif
+    CFLAGS+=-DENCRYPT_PKCS11_KEY_ID_SIZE=$(ENCRYPT_PKCS11_KEY_ID_SIZE)
+    ifeq ($(ENCRYPT_PKCS11_MECHANISM),)
+      # No mechanism defined; assume AES-CTR
+      CFLAGS+=-DENCRYPT_PKCS11_MECHANISM=0x00001086UL
+      CFLAGS+=-DENCRYPT_PKCS11_BLOCK_SIZE=16
+      CFLAGS+=-DENCRYPT_PKCS11_NONCE_SIZE=16
+    else
+      CFLAGS+=-DENCRYPT_PKCS11_MECHANISM=$(ENCRYPT_PKCS11_MECHANISM)
+      CFLAGS+=-DENCRYPT_PKCS11_BLOCK_SIZE=$(ENCRYPT_PKCS11_BLOCK_SIZE)
+      CFLAGS+=-DENCRYPT_PKCS11_NONCE_SIZE=$(ENCRYPT_PKCS11_NONCE_SIZE)
+    endif
   else
-    ifeq ($(ENCRYPT_WITH_AES256),1)
+    ifeq ($(ENCRYPT_WITH_AES128),1)
       CFLAGS+=-DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT
-      CFLAGS+=-DENCRYPT_WITH_AES256 -DWOLFSSL_AES_256
+      CFLAGS+=-DENCRYPT_WITH_AES128 -DWOLFSSL_AES_128
       WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/aes.o
     else
-      ENCRYPT_WITH_CHACHA=1
-      WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.o
-      CFLAGS+=-DENCRYPT_WITH_CHACHA -DHAVE_CHACHA
+      ifeq ($(ENCRYPT_WITH_AES256),1)
+        CFLAGS+=-DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT
+        CFLAGS+=-DENCRYPT_WITH_AES256 -DWOLFSSL_AES_256
+        WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/aes.o
+      else
+        ENCRYPT_WITH_CHACHA=1
+        WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.o
+        CFLAGS+=-DENCRYPT_WITH_CHACHA -DHAVE_CHACHA
+      endif
     endif
   endif
 endif
@@ -665,7 +683,7 @@ ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
         $(WOLFBOOT_LIB_WOLFPKCS11)/src/slot.o \
         $(WOLFBOOT_LIB_WOLFPKCS11)/src/wolfpkcs11.o
   STACK_USAGE=16688
-  ifneq ($(ENCRYPT),1)
+  ifeq ($(ENCRYPT_WITH_AES128)$(ENCRYPT_WITH_AES256),)
       WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/aes.o
   endif
   ifeq ($(findstring RSA,$(SIGN)),)
diff --git a/src/libwolfboot.c b/src/libwolfboot.c
diff --git a/src/update_flash.c b/src/update_flash.c
