
RFC: Should we deprecate the `MCUBOOT_SWAP_SAVE_ENCTLV` by making it default and removing code supporting plain text keys?

Open de-nordic opened this issue 1 year ago • 1 comments

What is this RFC about?

MCUboot, when using encrypted images, needs to temporarily store the encryption key in the swap area while decrypting an image. There are two possible options for that: store the key in plain text, or store it as the full TLV the key has been decrypted from.

Obviously storing the plain text key takes a little less code and is quicker at recovery.

But the key is stored outside of the MCUboot flash area, which may be read protected and unavailable to the user, in contrast to the app image area the key is stored to. Even though accessing that area may also be hard, the fact that the key needs to be stored somewhere in flash may be exploited to obtain the key and decrypt the image without access to the MCUboot protected private key.

The key decoding code is there whether MCUBOOT_SWAP_SAVE_ENCTLV is 1 or not, so at the small cost of added flash usage it is worth having it always enabled and performing decryption every time the key is needed, on recovery from an interrupted operation.

What is the proposal?

With the increasing focus on security we may assume that MCUBOOT_SWAP_SAVE_ENCTLV will become the default for every MCUboot build in the future, and the flash savings are probably negligible when this is turned off, so my proposal is to make the option the default and remove the code that serves the opposite case (when MCUBOOT_SWAP_SAVE_ENCTLV is not set). An additional benefit would be a reduction in time spent on maintaining both paths.

What is the "negligible" difference?

When building MCUboot for nrf52840dk with x25519 encryption enabled, the difference between having the encrypted and unencrypted TLV is 96 bytes (size optimization, no logging, etc.), 42546 vs 42450.

de-nordic, Aug 09 '24 16:08
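The two swap-area strategies discussed in the issue, modelled as an added example that is not MCUboot code and not part of the issue. The swap record layout, tags and sizes are constructed for illustration, and the key wrapping is a stand-in (HMAC-SHA256 keystream XOR bound to a bootloader secret) for MCUboot's real x25519-based TLV encryption; the point it demonstrates is the one the issue makes: with the plain-text path the raw image key lands in the swap area, with the ENCTLV path only the wrapped TLV does and recovery has to re-run decryption with the bootloader's private key.

```python
import hashlib
import hmac

# Constructed layout for the example, not MCUboot's real swap-status format.
KEY_LEN = 16          # AES-128 image encryption key
NONCE_LEN = 16
SWAP_AREA_SIZE = 256


def wrap_image_key(boot_secret: bytes, image_key: bytes, nonce: bytes) -> bytes:
    """Stand-in for the encrypted-key TLV (assumption: not MCUboot's scheme).
    The wrapped key is useless without boot_secret, which is the property
    the ENCTLV path relies on."""
    keystream = hmac.new(boot_secret, b"enc-tlv|" + nonce, hashlib.sha256).digest()[:KEY_LEN]
    return nonce + bytes(a ^ b for a, b in zip(image_key, keystream))


def unwrap_image_key(boot_secret: bytes, enc_tlv: bytes) -> bytes:
    """Inverse of wrap_image_key; this is the work recovery pays for every time."""
    nonce, wrapped = enc_tlv[:NONCE_LEN], enc_tlv[NONCE_LEN:]
    keystream = hmac.new(boot_secret, b"enc-tlv|" + nonce, hashlib.sha256).digest()[:KEY_LEN]
    return bytes(a ^ b for a, b in zip(wrapped, keystream))


def save_swap_state(swap: bytearray, save_enctlv: bool, image_key: bytes, enc_tlv: bytes) -> None:
    """Persist what the bootloader needs to resume after a power loss.
    save_enctlv=False mirrors the plain-text key path,
    save_enctlv=True mirrors MCUBOOT_SWAP_SAVE_ENCTLV=1."""
    record = b"TLV:" + enc_tlv if save_enctlv else b"KEY:" + image_key
    swap[:len(record)] = record


def recover_image_key(swap: bytearray, save_enctlv: bool, boot_secret: bytes) -> bytes:
    """Resume path: read the record back and obtain the image key."""
    tag = bytes(swap[:4])
    if save_enctlv:
        if tag != b"TLV:":
            raise ValueError("swap area does not hold an encrypted TLV record")
        return unwrap_image_key(boot_secret, bytes(swap[4:4 + NONCE_LEN + KEY_LEN]))
    if tag != b"KEY:":
        raise ValueError("swap area does not hold a plain-text key record")
    return bytes(swap[4:4 + KEY_LEN])


def key_exposed_in_swap(swap: bytearray, image_key: bytes) -> bool:
    """Audit check: does the raw image key appear anywhere in a dump of the swap area?"""
    return image_key in bytes(swap)


def run_recovery(save_enctlv: bool) -> tuple:
    """Simulate save -> interruption -> recovery for one mode.
    Returns (recovered_key, raw_key_present_in_swap_area)."""
    # Constructed sample values; a real build gets these from the image TLVs
    # and the bootloader's protected key store.
    boot_secret = b"bootloader-private-key-material!"
    image_key = bytes(range(KEY_LEN))
    nonce = b"\xa5" * NONCE_LEN
    enc_tlv = wrap_image_key(boot_secret, image_key, nonce)

    swap = bytearray(b"\xff" * SWAP_AREA_SIZE)  # erased flash
    save_swap_state(swap, save_enctlv, image_key, enc_tlv)
    exposed = key_exposed_in_swap(swap, image_key)
    recovered = recover_image_key(swap, save_enctlv, boot_secret)  # "power loss", then resume
    return recovered, exposed


if __name__ == "__main__":
    for mode in (False, True):
        key, exposed = run_recovery(mode)
        print(f"SAVE_ENCTLV={int(mode)}: key recovered={key == bytes(range(KEY_LEN))}, "
              f"raw key in swap area={exposed}")
```

Both modes recover the same key, so functionally they are equivalent; the difference is that `key_exposed_in_swap` returns True only for the plain-text path, which is exactly the exposure the issue argues is not worth the saved code.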

This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.

github-actions[bot], Feb 06 '25 01:02

This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.

github-actions[bot], Aug 06 '25 02:08