Add MBEDTLS option to use mbedtls decryption stage

will-v-pi · will-v-pi · commit dc1f3df68ec4 · 2025-03-31T10:37:57.000+01:00
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
@@ -53,6 +53,12 @@ define_property(TARGET
     BRIEF_DOCS "Embed decryption stage into encrypted binary"
     FULL_DOCS "Embed decryption stage into encrypted binary"
 )
+define_property(TARGET
+    PROPERTY PICOTOOL_USE_MBEDTLS_DECRYPTION
+    INHERITED
+    BRIEF_DOCS "Use MbedTLS based decryption stage - this is faster, but not secure against power snooping"
+    FULL_DOCS "Use MbedTLS based decryption stage - this is faster, but not secure against power snooping"
+)
 define_property(TARGET
     PROPERTY PICOTOOL_OTP_KEY_PAGE
     INHERITED
@@ -398,7 +404,7 @@ function(pico_embed_pt_in_binary TARGET PTFILE)
     )
 endfunction()
 
-# pico_encrypt_binary(TARGET AESFILE IVFILE [SIGFILE <file>] [EMBED] [OTP_KEY_PAGE <page>])
+# pico_encrypt_binary(TARGET AESFILE IVFILE [SIGFILE <file>] [EMBED] [MBEDTLS] [OTP_KEY_PAGE <page>])
 # Encrypt the target binary with the given AES key (should be a binary
 # file containing 128 bytes of a random key), and sign the encrypted binary.
 # Salts the public IV with the provided IVFILE (should be a binary file
@@ -407,10 +413,13 @@ endfunction()
 # PICOTOOL_ENC_SIGFILE to SIGFILE if specified, else PICOTOOL_SIGFILE.
 # Optionally, use EMBED to embed a decryption stage into the encrypted binary.
 # This sets PICOTOOL_EMBED_DECRYPTION to TRUE.
+# Optionally, use MBEDTLS to to use the MbedTLS based decryption stage - this
+# is faster, but less secure.
+# This sets PICOTOOL_USE_MBEDTLS_DECRYPTION to TRUE.
 # Optionally, use OTP_KEY_PAGE to specify the OTP page storing the AES key.
 # This sets PICOTOOL_OTP_KEY_PAGE to OTP_KEY_PAGE.
 function(pico_encrypt_binary TARGET AESFILE IVFILE)
-    set(options EMBED)
+    set(options EMBED MBEDTLS)
     set(oneValueArgs OTP_KEY_PAGE SIGFILE)
     # set(multiValueArgs )
     cmake_parse_arguments(PARSE_ARGV 3 ENC "${options}" "${oneValueArgs}" "${multiValueArgs}")
@@ -428,6 +437,12 @@ function(pico_encrypt_binary TARGET AESFILE IVFILE)
         )
     endif()
 
+    if (ENC_MBEDTLS)
+        set_target_properties(${TARGET} PROPERTIES
+            PICOTOOL_USE_MBEDTLS_DECRYPTION TRUE
+        )
+    endif()
+
     if (ENC_OTP_KEY_PAGE)
         set_target_properties(${TARGET} PROPERTIES
             PICOTOOL_OTP_KEY_PAGE ${ENC_OTP_KEY_PAGE}
@@ -600,6 +615,11 @@ function(picotool_postprocess_binary TARGET)
                 list(APPEND picotool_encrypt_args "--embed")
             endif()
 
+            get_target_property(picotool_mbedtls_decryption ${TARGET} PICOTOOL_USE_MBEDTLS_DECRYPTION)
+            if (picotool_mbedtls_decryption)
+                list(APPEND picotool_encrypt_args "--use-mbedtls")
+            endif()
+
             get_target_property(otp_key_page ${TARGET} PICOTOOL_OTP_KEY_PAGE)
             if (otp_key_page)
                 list(APPEND picotool_encrypt_args "--otp-key-page" ${otp_key_page})
