How to do the HAB encryption in mcuboot with XIP mode enabled

[Sathishkumar-rk]

Hi Team,

I want to enable the HAB based encryption for mcuboot code, but when i'm trying to do tool saying HAB encryption cannot be apply for XIP images (I'm using Secure provisioning tool [NXP]) to build bootable image.

Regards,
Sathishkumar K

[d3zd3z]

I believe there was some work toward self-decryption by the SOC to allow for XIP boot of encrypted images. It was never contributed back to MCUboot, unfortunately, so it would need to be done. Aside from the MCUboot and imgtool support needed to make this work, we would need to device a clean interface, since the actually execution decryption operation is going to be fairly SoC specific.

There also has to be made a decision as to what the signature in MCUboot's TLB covers. Likely, having it over the encrypted image would be easier, as it would allow verification of the image before enabling the decryption, as well as allowing the image to be verified by parties that don't have access to the decryption key.

[Sathishkumar-rk]

Hi,

Are you referring image as application image or MCUBoot image?

I was trying to do encrypt the MCUBoot image with HAB.

Regards,
Sathishkumar K

[d3zd3z]

If you are wanting to encrypt MCUBoot itself, that would be something that is going to be SOC-specific. I wouldn't expect it to affect the MCUboot code itself, because the encryption would have to be set up before MCUboot can even run.

Changes would be need to be made to mcuboot in order to support encrypting the application image.