From da16ff565d317de75a0ce2730bfea452412f05f8 Mon Sep 17 00:00:00 2001 From: Tuomas Parttimaa Date: Mon, 27 Jan 2025 09:05:21 +0200 Subject: [PATCH] suit: nRF9280 SUIT support Update nRF9280 SUIT templates according NCSDK-30935 changes. Signed-off-by: Tuomas Parttimaa --- .../default/v1/app_envelope.yaml.jinja2 | 33 +++++++++++++++++++ .../app_recovery_local_envelope.yaml.jinja2 | 2 +- .../default/v1/rad_envelope.yaml.jinja2 | 33 +++++++++++++++++++ .../root_with_binary_nordic_top.yaml.jinja2 | 1 + 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/config/suit/templates/nrf9280/default/v1/app_envelope.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/app_envelope.yaml.jinja2 index f847a29132c0..9ccb611a7354 100644 --- a/config/suit/templates/nrf9280/default/v1/app_envelope.yaml.jinja2 +++ b/config/suit/templates/nrf9280/default/v1/app_envelope.yaml.jinja2 @@ -1,5 +1,12 @@ {%- set mpi_application_vendor_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_APP_LOCAL_1_VENDOR_NAME']|default('nordicsemi.com') %} {%- set mpi_application_class_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_APP_LOCAL_1_CLASS_NAME']|default('nRF9280_sample_app') %} +{%- set suit_artifacts_base_dir = ( application['binary'].split('/')[:-1] | join('/') ) %} +{%- if 'CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT' in application['config'] and application['config']['CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT'] != '' %} + {%- set encrypted = True %} + {%- set app_encryption_dir = ( suit_artifacts_base_dir ) + "/" + ( application['name'] ) + "_encryption_artifacts" %} +{%- else %} + {%- set encrypted = False %} +{%- endif %} SUIT_Envelope_Tagged: suit-authentication-wrapper: SuitDigest: 
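Review bot: The `encrypted` test added at the top of app_envelope.yaml.jinja2 treats any non-empty value of `CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT` as enabled, and `suit_artifacts_base_dir` is built by splitting `application['binary']` on `/`, so both rely on build-system conventions the template does not state. If the binary path ever had no directory part, `app_encryption_dir` would become `/<name>_encryption_artifacts`, a path at the filesystem root; that looks unlikely with build-generated paths but would fail confusingly. I would add a template comment above the `set` lines, such as `{#- Encryption artifacts are expected in <dir of binary>/<image name>_encryption_artifacts; any non-empty CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT selects the encrypted layout. #}`. The same header is added to rad_envelope.yaml.jinja2 with `radio[...]` and `rad_encryption_dir`.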
@@ -33,9 +40,17 @@ SUIT_Envelope_Tagged: suit-parameter-image-digest: suit-digest-algorithm-id: cose-alg-sha-256 suit-digest-bytes: +{%- if encrypted %} + file_direct: {{ app_encryption_dir }}/plain_text_digest.bin +{%- else %} file: {{ application['binary'] }} +{%- endif %} suit-parameter-image-size: +{%- if encrypted %} + file_direct: {{ app_encryption_dir }}/plain_text_size.txt +{%- else %} file: {{ application['binary'] }} +{%- endif %} - suit-condition-vendor-identifier: - suit-send-record-success - suit-send-record-failure @@ -102,6 +117,10 @@ SUIT_Envelope_Tagged: - suit-directive-set-component-index: 0 - suit-directive-override-parameters: suit-parameter-source-component: 1 +{%- if encrypted %} + suit-parameter-encryption-info: + file: {{ app_encryption_dir }}/suit_encryption_info.bin +{%- endif %} # When copying the data it is worth to retry the sequence of # suit-directive-copy and suit-condition-image-match at least once. # If a bit flip occurs, it might be due to a transport issue, not 
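Review bot: In the encrypted branch of the `suit-parameter-image-digest` block, the digest and size carried by the manifest are read from `plain_text_digest.bin` and `plain_text_size.txt` instead of being derived from `application['binary']`, and nothing in the template ties those files to the binary built in the same run. If the artifacts directory were stale, the envelope would presumably authenticate the digest of a different plaintext, and the mismatch would only surface on the device. A comment on the `file_direct` lines would help, for example `# Must be produced from application['binary'] by the same build that generates suit_encryption_info.bin`. How `file_direct` differs from `file` is not visible here, so the comment should state that too. The rad_envelope.yaml.jinja2 hunk at the same position has the same shape.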
@@ -138,8 +157,21 @@ SUIT_Envelope_Tagged: suit-digest-algorithm-id: cose-alg-sha-256 suit-digest-bytes: file: {{ application['binary'] }} +{%- if encrypted %} + # For the encrypted image this fetch directive is used to verify the tag and the AAD + # of the received encrypted image The target "CAND_IMG" behaves like a /dev/null device + # and all the data is discarded. + # This way even if the encrypted content is incorrect, the contents of the target memory + # will not be affected. + # Note that no digest checking is required on the encrypted content itself, as checking the tag + # and the AAD verifies the integrity of the content. In fact, suit-condition-image-match + # won't be able to work in this case, as the CAND_IMG won't contain any valid content. + suit-parameter-encryption-info: + file: {{ app_encryption_dir }}/suit_encryption_info.bin +{%- endif %} - suit-directive-fetch: - suit-send-record-failure +{%- if not encrypted %} - suit-directive-try-each: - - suit-condition-image-match: - suit-send-record-success @@ -151,6 +183,7 @@ SUIT_Envelope_Tagged: - suit-send-record-failure - suit-send-sysinfo-success - suit-send-sysinfo-failure +{%- endif %} suit-manifest-component-id: - INSTLD_MFST diff --git a/config/suit/templates/nrf9280/default/v1/app_recovery_local_envelope.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/app_recovery_local_envelope.yaml.jinja2 index 6d1ebf5e8a31..dce87b0e5a6c 100644 --- a/config/suit/templates/nrf9280/default/v1/app_recovery_local_envelope.yaml.jinja2 +++ b/config/suit/templates/nrf9280/default/v1/app_recovery_local_envelope.yaml.jinja2 @@ -69,7 +69,7 @@ SUIT_Envelope_Tagged: - suit-directive-override-parameters: suit-parameter-invoke-args: suit-synchronous-invoke: True - suit-timeout: 1000 + suit-timeout: 5000 {%- endif %} - suit-directive-invoke: - suit-send-record-failure 
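Review bot: The encrypted branch added after `suit-digest-bytes` drops `suit-condition-image-match` for the fetch into `CAND_IMG` (the `{%- if not encrypted %}` opened here is closed by the `{%- endif %}` in the following hunk), so this step accepts the payload purely on the tag and AAD check described in the new comment. That holds only if the algorithm recorded in `suit_encryption_info.bin` is an authenticated (AEAD) mode, which this template cannot show; I would state the assumption in the comment, e.g. `# Assumes an AEAD content-encryption algorithm; with an unauthenticated mode this fetch verifies nothing.` The context line `file: {{ application['binary'] }}` above still sets a digest that the encrypted path never compares at this step, which is worth a word in the same comment. The comment is also missing a full stop in `encrypted image The target`. rad_envelope.yaml.jinja2 receives the identical change and the same remarks apply there.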
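Review bot: `suit-timeout: 5000` in app_recovery_local_envelope.yaml.jinja2 is a bare constant with no unit or rationale, and the commit message does not explain the increase from 1000. Since `suit-synchronous-invoke: True` is set in the same block, this value presumably bounds how long the invoke blocks, so the five-fold change affects recovery behaviour. A short comment next to the value, such as `# <unit>; raised to cover <reason>`, would let the next reader judge whether it is still right.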
diff --git a/config/suit/templates/nrf9280/default/v1/rad_envelope.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/rad_envelope.yaml.jinja2 index 8096641cd34c..c41e03e8b96b 100644 --- a/config/suit/templates/nrf9280/default/v1/rad_envelope.yaml.jinja2 +++ b/config/suit/templates/nrf9280/default/v1/rad_envelope.yaml.jinja2 @@ -1,5 +1,12 @@ {%- set mpi_radio_vendor_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_RAD_LOCAL_1_VENDOR_NAME']|default('nordicsemi.com') %} {%- set mpi_radio_class_name = sysbuild['config']['SB_CONFIG_SUIT_MPI_RAD_LOCAL_1_CLASS_NAME']|default('nRF9280_sample_rad') %} +{%- set suit_artifacts_base_dir = ( radio['binary'].split('/')[:-1] | join('/') ) %} +{%- if 'CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT' in radio['config'] and radio['config']['CONFIG_SUIT_ENVELOPE_TARGET_ENCRYPT'] != '' %} + {%- set encrypted = True %} + {%- set rad_encryption_dir = ( suit_artifacts_base_dir ) + "/" + ( radio['name'] ) + "_encryption_artifacts" %} +{%- else %} + {%- set encrypted = False %} +{%- endif %} SUIT_Envelope_Tagged: suit-authentication-wrapper: SuitDigest: @@ -33,9 +40,17 @@ SUIT_Envelope_Tagged: suit-parameter-image-digest: suit-digest-algorithm-id: cose-alg-sha-256 suit-digest-bytes: +{%- if encrypted %} + file_direct: {{ rad_encryption_dir }}/plain_text_digest.bin +{%- else %} file: {{ radio['binary'] }} +{%- endif %} suit-parameter-image-size: +{%- if encrypted %} + file_direct: {{ rad_encryption_dir }}/plain_text_size.txt +{%- else %} file: {{ radio['binary'] }} +{%- endif %} - suit-condition-vendor-identifier: - suit-send-record-success - suit-send-record-failure 
@@ -102,6 +117,10 @@ SUIT_Envelope_Tagged: - suit-directive-set-component-index: 0 - suit-directive-override-parameters: suit-parameter-source-component: 1 +{%- if encrypted %} + suit-parameter-encryption-info: + file: {{ rad_encryption_dir }}/suit_encryption_info.bin +{%- endif %} # When copying the data it is worth to retry the sequence of # suit-directive-copy and suit-condition-image-match at least once. # If a bit flip occurs, it might be due to a transport issue, not @@ -138,8 +157,21 @@ SUIT_Envelope_Tagged: suit-digest-algorithm-id: cose-alg-sha-256 suit-digest-bytes: file: {{ radio['binary'] }} +{%- if encrypted %} + # For the encrypted image this fetch directive is used to verify the tag and the AAD + # of the received encrypted image The target "CAND_IMG" behaves like a /dev/null device + # and all the data is discarded. + # This way even if the encrypted content is incorrect, the contents of the target memory + # will not be affected. + # Note that no digest checking is required on the encrypted content itself, as checking the tag + # and the AAD verifies the integrity of the content. In fact, suit-condition-image-match + # won't be able to work in this case, as the CAND_IMG won't contain any valid content. + suit-parameter-encryption-info: + file: {{ rad_encryption_dir }}/suit_encryption_info.bin +{%- endif %} - suit-directive-fetch: - suit-send-record-failure +{%- if not encrypted %} - suit-directive-try-each: - - suit-condition-image-match: - suit-send-record-success @@ -151,6 +183,7 @@ SUIT_Envelope_Tagged: - suit-send-record-failure - suit-send-sysinfo-success - suit-send-sysinfo-failure +{%- endif %} suit-manifest-component-id: - INSTLD_MFST diff --git a/config/suit/templates/nrf9280/default/v1/root_with_binary_nordic_top.yaml.jinja2 b/config/suit/templates/nrf9280/default/v1/root_with_binary_nordic_top.yaml.jinja2 index 0d196af29b10..d4e21afebff0 100644 --- a/config/suit/templates/nrf9280/default/v1/root_with_binary_nordic_top.yaml.jinja2 
+++ b/config/suit/templates/nrf9280/default/v1/root_with_binary_nordic_top.yaml.jinja2 @@ -465,6 +465,7 @@ SUIT_Envelope_Tagged: {%- endif %} {%- if nordic_top %} + - suit-directive-set-component-index: 0 - suit-directive-override-parameters: suit-parameter-uri: '#top' suit-parameter-image-digest:
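Review bot: The added `suit-directive-set-component-index: 0` in the `nordic_top` block hard-codes which component the following `suit-parameter-uri: '#top'` and `suit-parameter-image-digest` are attached to, and nothing nearby says what index 0 is. Because the digest parameter decides what the payload is verified against, a reordering of the component list would silently bind it to a different component. A one-line comment above the directive, such as `# Component 0: <component name from suit-components>`, would make the dependency explicit. The block continues past the end of the hunk, and whether sibling conditional blocks in this sequence select their component explicitly is not visible here.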