imgtool: Temporary workaround for entanglement with TF-M.

de-nordic · de-nordic · commit 05ec490489fc · 2025-11-13T14:12:40.000Z
Once TF-M stops using internal imgtool APIs this commit should
be reverted.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
@@ -512,6 +512,34 @@ def ecies_hkdf(self, enckey, plainkey, hmac_sha_alg):
         return cipherkey, ciphermac, pubk
 
     def create(self, key, public_key_format, enckey, dependencies=None,
+               sw_type=None, custom_tlvs=None, compression_tlvs=None,
+               compression_type=None, encrypt_keylen=128, clear=False,
+               fixed_sig=None, pub_key=None, vector_to_sign=None,
+               user_sha='auto', hmac_sha='auto', is_pure=False, keep_comp_size=False,
+               dont_encrypt=False):
+
+        # This is old logic of image creation where lack of enckey indicated
+        # lack of encryption.
+        # New create requires a key to be provided from outside.
+        if enckey:
+            if encrypt_keylen == 256:
+                encrypt_keylen_bytes = 32
+            else:
+                encrypt_keylen_bytes = 16
+
+            # No AES plain key and there is request to encrypt, generate random AES key
+            raw_key = os.urandom(encrypt_keylen_bytes)
+        else:
+            raw_key = None
+
+        self.create2(key, public_key_format, enckey, dependencies,
+                     sw_type, custom_tlvs, compression_tlvs,
+                     compression_type, raw_key, clear,
+                     fixed_sig, pub_key, vector_to_sign,
+                     user_sha, hmac_sha, is_pure, keep_comp_size,
+                     dont_encrypt)
+
+    def create2(self, key, public_key_format, enckey, dependencies=None,
                sw_type=None, custom_tlvs=None, compression_tlvs=None,
                compression_type=None, aes_raw=None, clear=False,
                fixed_sig=None, pub_key=None, vector_to_sign=None,
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
@@ -559,7 +559,7 @@ def sign(ctx, key, public_key_format, align, version, pad_sig, header_size,
         aes_raw_key = os.urandom(int(int(encrypt_keylen) / 8))
 
     if compression in ["lzma2", "lzma2armthumb"]:
-        img.create(key, public_key_format, enckey, dependencies, boot_record,
+        img.create2(key, public_key_format, enckey, dependencies, boot_record,
                custom_tlvs, compression_tlvs, None, aes_raw_key, clear,
                baked_signature, pub_key, vector_to_sign, user_sha=user_sha,
                hmac_sha=hmac_sha, is_pure=is_pure, keep_comp_size=False, dont_encrypt=True)
@@ -604,14 +604,14 @@ def sign(ctx, key, public_key_format, align, version, pad_sig, header_size,
             keep_comp_size = False
             if enckey:
                 keep_comp_size = True
-            compressed_img.create(key, public_key_format, enckey,
+            compressed_img.create2(key, public_key_format, enckey,
                dependencies, boot_record, custom_tlvs, compression_tlvs,
                compression, aes_raw_key, clear, baked_signature,
                pub_key, vector_to_sign, user_sha=user_sha, hmac_sha=hmac_sha,
                is_pure=is_pure, keep_comp_size=keep_comp_size)
             img = compressed_img
     else:
-        img.create(key, public_key_format, enckey, dependencies, boot_record,
+        img.create2(key, public_key_format, enckey, dependencies, boot_record,
                custom_tlvs, compression_tlvs, None, aes_raw_key, clear,
                baked_signature, pub_key, vector_to_sign, user_sha=user_sha,
                hmac_sha=hmac_sha, is_pure=is_pure)
