suit: nRF9280 SUIT support

Update nRF9280 SUIT templates according NCSDK-30935 changes. Signed-off-by: Tuomas Parttimaa <[email protected]>
nrfconnect · Jan 27, 2025 · da16ff5 · da16ff5
1 parent 8defc10
commit da16ff5
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 1 deletion.
diff --git a/config/suit/templates/nrf9280/default/v1/app_envelope.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/app_envelope.yaml.jinja2
@@ -1,5 +1,12 @@
 {%- set mpi_application_vendor_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_APP_LOCAL_1_VENDOR_NAME']|default('nordicsemi.com') %}
 {%- set mpi_application_class_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_APP_LOCAL_1_CLASS_NAME']|default('nRF9280_sample_app') %}
+{%- set suit_artifacts_base_dir = ( application['binary'].split('/')[:-1] | join('/') ) %}
+{%- if 'CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT' in application['config'] and application['config']['CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT'] != '' %}
+  {%- set encrypted = True %}
+  {%- set app_encryption_dir = ( suit_artifacts_base_dir ) + "/" + ( application['name'] ) + "_encryption_artifacts" %}
+{%- else %}
+  {%- set encrypted = False %}
+{%- endif %}
 SUIT_Envelope_Tagged:
   suit-authentication-wrapper:
     SuitDigest:
@@ -33,9 +40,17 @@ SUIT_Envelope_Tagged:
           suit-parameter-image-digest:
             suit-digest-algorithm-id: cose-alg-sha-256
             suit-digest-bytes:
+{%- if encrypted %}
+              file_direct: {{ app_encryption_dir }}/plain_text_digest.bin
+{%- else %}
               file: {{ application['binary'] }}
+{%- endif %}
           suit-parameter-image-size:
+{%- if encrypted %}
+            file_direct: {{ app_encryption_dir }}/plain_text_size.txt
+{%- else %}
             file: {{ application['binary'] }}
+{%- endif %}
       - suit-condition-vendor-identifier:
         - suit-send-record-success
         - suit-send-record-failure
@@ -102,6 +117,10 @@ SUIT_Envelope_Tagged:
     - suit-directive-set-component-index: 0
     - suit-directive-override-parameters:
         suit-parameter-source-component: 1
+{%- if encrypted %}
+        suit-parameter-encryption-info:
+          file: {{ app_encryption_dir }}/suit_encryption_info.bin
+{%- endif %}
     # When copying the data it is worth to retry the sequence of
     # suit-directive-copy and suit-condition-image-match at least once.
     # If a bit flip occurs, it might be due to a transport issue, not
@@ -138,8 +157,21 @@ SUIT_Envelope_Tagged:
           suit-digest-algorithm-id: cose-alg-sha-256
           suit-digest-bytes:
             file: {{ application['binary'] }}
+{%- if encrypted %}
+    # For the encrypted image this fetch directive is used to verify the tag and the AAD
+    # of the received encrypted image The target "CAND_IMG" behaves like a /dev/null device
+    # and all the data is discarded.
+    # This way even if the encrypted content is incorrect, the contents of the target memory
+    # will not be affected.
+    # Note that no digest checking is required on the encrypted content itself, as checking the tag
+    # and the AAD verifies the integrity of the content. In fact, suit-condition-image-match
+    # won't be able to work in this case, as the CAND_IMG won't contain any valid content.
+          suit-parameter-encryption-info:
+            file: {{ app_encryption_dir }}/suit_encryption_info.bin
+{%- endif %}
     - suit-directive-fetch:
       - suit-send-record-failure
+{%- if not encrypted %}
     - suit-directive-try-each:
       - - suit-condition-image-match:
           - suit-send-record-success
@@ -151,6 +183,7 @@ SUIT_Envelope_Tagged:
           - suit-send-record-failure
           - suit-send-sysinfo-success
           - suit-send-sysinfo-failure
+{%- endif %}
 
     suit-manifest-component-id:
     - INSTLD_MFST

diff --git a/config/suit/templates/nrf9280/default/v1/app_recovery_local_envelope.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/app_recovery_local_envelope.yaml.jinja2
@@ -69,7 +69,7 @@ SUIT_Envelope_Tagged:
     - suit-directive-override-parameters:
         suit-parameter-invoke-args:
           suit-synchronous-invoke: True
-          suit-timeout: 1000
+          suit-timeout: 5000
 {%- endif %}
     - suit-directive-invoke:
       - suit-send-record-failure

diff --git a/config/suit/templates/nrf9280/default/v1/rad_envelope.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/rad_envelope.yaml.jinja2
@@ -1,5 +1,12 @@
 {%- set mpi_radio_vendor_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_RAD_LOCAL_1_VENDOR_NAME']|default('nordicsemi.com') %}
 {%- set mpi_radio_class_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_RAD_LOCAL_1_CLASS_NAME']|default('nRF9280_sample_rad') %}
+{%- set suit_artifacts_base_dir = ( radio['binary'].split('/')[:-1] | join('/') ) %}
+{%- if 'CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT' in radio['config'] and radio['config']['CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT'] != '' %}
+  {%- set encrypted = True %}
+  {%- set rad_encryption_dir = ( suit_artifacts_base_dir ) + "/" + ( radio['name'] ) + "_encryption_artifacts" %}
+{%- else %}
+  {%- set encrypted = False %}
+{%- endif %}
 SUIT_Envelope_Tagged:
   suit-authentication-wrapper:
     SuitDigest:
@@ -33,9 +40,17 @@ SUIT_Envelope_Tagged:
           suit-parameter-image-digest:
             suit-digest-algorithm-id: cose-alg-sha-256
             suit-digest-bytes:
+{%- if encrypted %}
+              file_direct: {{ rad_encryption_dir }}/plain_text_digest.bin
+{%- else %}
               file: {{ radio['binary'] }}
+{%- endif %}
           suit-parameter-image-size:
+{%- if encrypted %}
+            file_direct: {{ rad_encryption_dir }}/plain_text_size.txt
+{%- else %}
             file: {{ radio['binary'] }}
+{%- endif %}
       - suit-condition-vendor-identifier:
         - suit-send-record-success
         - suit-send-record-failure
@@ -102,6 +117,10 @@ SUIT_Envelope_Tagged:
     - suit-directive-set-component-index: 0
     - suit-directive-override-parameters:
         suit-parameter-source-component: 1
+{%- if encrypted %}
+        suit-parameter-encryption-info:
+          file: {{ rad_encryption_dir }}/suit_encryption_info.bin
+{%- endif %}
     # When copying the data it is worth to retry the sequence of
     # suit-directive-copy and suit-condition-image-match at least once.
     # If a bit flip occurs, it might be due to a transport issue, not
@@ -138,8 +157,21 @@ SUIT_Envelope_Tagged:
           suit-digest-algorithm-id: cose-alg-sha-256
           suit-digest-bytes:
             file: {{ radio['binary'] }}
+{%- if encrypted %}
+    # For the encrypted image this fetch directive is used to verify the tag and the AAD
+    # of the received encrypted image The target "CAND_IMG" behaves like a /dev/null device
+    # and all the data is discarded.
+    # This way even if the encrypted content is incorrect, the contents of the target memory
+    # will not be affected.
+    # Note that no digest checking is required on the encrypted content itself, as checking the tag
+    # and the AAD verifies the integrity of the content. In fact, suit-condition-image-match
+    # won't be able to work in this case, as the CAND_IMG won't contain any valid content.
+          suit-parameter-encryption-info:
+            file: {{ rad_encryption_dir }}/suit_encryption_info.bin
+{%- endif %}
     - suit-directive-fetch:
       - suit-send-record-failure
+{%- if not encrypted %}
     - suit-directive-try-each:
       - - suit-condition-image-match:
           - suit-send-record-success
@@ -151,6 +183,7 @@ SUIT_Envelope_Tagged:
           - suit-send-record-failure
           - suit-send-sysinfo-success
           - suit-send-sysinfo-failure
+{%- endif %}
 
     suit-manifest-component-id:
     - INSTLD_MFST

diff --git a/config/suit/templates/nrf9280/default/v1/root_with_binary_nordic_top.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/root_with_binary_nordic_top.yaml.jinja2
@@ -465,6 +465,7 @@ SUIT_Envelope_Tagged:
 {%- endif %}
 
 {%- if nordic_top %}
+    - suit-directive-set-component-index: 0
     - suit-directive-override-parameters:
         suit-parameter-uri: '#top'
         suit-parameter-image-digest: