espressif / esp-idf

Espressif IoT Development Framework. Official development framework for Espressif SoCs.
Apache License 2.0

How to implement encryption and decryption of aes algorithm in secure boot (IDFGH-12406) #13432

Closed ouer1224 closed 5 months ago

ouer1224 commented 6 months ago

General issue report

Hi team, I am trying to add a new feature to the secure bootloader, and I need to use the AES algorithm to decrypt and encrypt some data. Due to the limitations of the bootloader RAM, I was unable to call mbedtls or the AES functions I wrote myself. So I want to call the ESP32 hardware AES calculation function. But I can't call 'esp_aes_crypt_ecb()' and 'esp_aes.h' in the bootloader.

Is there any way I can use the AES algorithm for encryption and decryption in the secure bootloader?

boarchuz commented 6 months ago

aes_128_cbc_decrypt and aes_128_cbc_encrypt are available in ROM: https://github.com/espressif/esp-idf/blob/4f3cd0deb9c79c8282da4938a29d265705a57564/components/esp_rom/esp32/ld/esp32.rom.redefined.ld#L8-L9

mahavirj commented 5 months ago

@ouer1224

As you rightly mentioned, using mbedtls in the bootloader could be a bit complicated due to footprint considerations; the maximum size of the bootloader is limited in the secure boot enabled case. The bootloader will need an OS-agnostic version of the crypto APIs.

I think you can refer to aes_hal.c (HAL) or aes_ll.h (LL layer) APIs, they should work for the bootloader case. Alternatively, ROM APIs pointed above could also help here. Another option is to consider some small crypto library (e.g., tinycrypt) for this use-case.

Hope this helps!

ouer1224 commented 5 months ago

Sorry for the late reply. I am fixing a memory release bug. As soon as it is fixed, I will test the ROM APIs and aes_hal.c or tinycrypt.