Validate encrypted content before writing it to RAM #159

Open
wants to merge 1 commit into
base: ncs

ahasztag
Collaborator

@ahasztag ahasztag commented Dec 12, 2024

This PR modifies the encrypted application manifest so that it first decrypts the encrypted content without storing it to MRAM, in order to verify if the AAD and Tag are correct.

If it wasn't done, then the device would need to enter recovery in case of a decryption failure.

This commit modifies the encrypted application manifest
so that it first decrypts the encrypted content without storing
it to MRAM, in order to verify if the AAD and
Tag are correct.

If it wasn't done, then the device would need to
enter recovery in case of a decryption failure.

Ref: NCSDK-30932

Signed-off-by: Artur Hadasz <[email protected]>
@ahasztag ahasztag changed the base branch from main to ncs December 12, 2024 15:58
@ahasztag ahasztag changed the title Ncsdk 30932 validate encrypted payload on ram Validate encrypted content before writing it to RAM Dec 12, 2024
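
The failure mode the PR description refers to, as an added Python illustration that is not part of the PR or of the project's code: a streaming decryptor hands plaintext to its sink before the tag is checked, so a corrupted payload overwrites the target unless a discard-only pass runs first. The cipher is a stand-in AEAD built from SHA-256 and HMAC (an assumption made to keep the example self-contained, not the algorithm the manifest uses), and `install`, `slot` and the sample values are hypothetical.

```python
import hashlib
import hmac

def _subkey(key, label):
    # Separate keys for the keystream and the tag.
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(_subkey(key, b"enc") + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _mac(key, nonce, aad):
    # Tag covers len(aad) || aad || nonce || ciphertext.
    return hmac.new(_subkey(key, b"mac"), len(aad).to_bytes(8, "big") + aad + nonce, hashlib.sha256)

def seal(key, nonce, aad, plaintext):
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac = _mac(key, nonce, aad)
    mac.update(ct)
    return ct, mac.digest()

def stream_decrypt(key, nonce, aad, ct, tag, sink, chunk=16):
    """Decrypt chunk by chunk into sink(offset, data), as a memory-limited device
    would. The output is only known to be authentic once the final tag compares."""
    mac = _mac(key, nonce, aad)
    ks = _keystream(key, nonce, len(ct))
    for off in range(0, len(ct), chunk):
        block = ct[off:off + chunk]
        mac.update(block)
        sink(off, bytes(c ^ k for c, k in zip(block, ks[off:off + chunk])))
    return hmac.compare_digest(mac.digest(), tag)

def install(key, nonce, aad, ct, tag, slot, verify_first):
    """slot: bytearray standing in for the MRAM region holding the current image."""
    def write(off, data):
        slot[off:off + len(data)] = data
    if verify_first:
        # Pass 1: full decryption with the plaintext discarded; slot untouched.
        if not stream_decrypt(key, nonce, aad, ct, tag, lambda off, data: None):
            return False
    # Pass 2 (or the only pass): plaintext goes to the slot as it is produced.
    return stream_decrypt(key, nonce, aad, ct, tag, write)

# Constructed sample values.
KEY, NONCE, AAD = b"k" * 32, b"n" * 12, b"suit-aad"
OLD_IMAGE, NEW_IMAGE = b"OLD-FIRMWARE-IMAGE-v1" * 2, b"NEW-FIRMWARE-IMAGE-v2" * 2
```

With `verify_first=False` a single flipped ciphertext bit leaves `slot` holding neither the old nor a valid new image; with `verify_first=True` the same input is rejected while `slot` still holds the old image.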
@NordicBuilder
Collaborator

NordicBuilder commented Dec 12, 2024

pytest coverage results

Detailed report:

Type Coverage
lines 90.3% (1896 of 2100 lines)
functions 45.8% (168 of 367 functions)
branches no data found

Note: This message is automatically posted and updated by the CI (latest/test-sdk-dfu/master/267)

@ahasztag ahasztag requested a review from nordic-mik7 December 13, 2024 08:51
@@ -136,19 +121,16 @@ SUIT_Envelope_Tagged:
suit-digest-algorithm-id: cose-alg-sha-256
suit-digest-bytes:
file: {{ application['encryption_artifacts_dir'] }}/encrypted_content.bin
suit-parameter-encryption-info:
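
Review bot: missing documentation at suit-digest-bytes: the digest here is taken over encrypted_content.bin, i.e. over the ciphertext, and nothing in the template says so. A short comment next to suit-digest-algorithm-id stating that this digest covers the encrypted payload, while the decrypted content is validated by the AAD and Tag check the PR describes, would make the purpose of setting the image digest at this step clear to a reader of the manifest.
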
Collaborator

  • What is the meaning of line 120 (setting parameter-image-digest)?

  • Why, in the case of suit-candidate-verification (line 119), is just that URI considered:
    suit-parameter-uri: '#{{ application['name'] }}'

    ... while, in the case of suit-install (line 81), that one is also considered:
    suit-parameter-uri: '{{ application['config']['CONFIG_SUIT_IMAGE_DFU_CACHE_URI'] }}'

@tomchy
Collaborator

tomchy commented Jan 10, 2025

I think you should rebase & redirect the PR to the main branch now 🙂
