Replies: 1 comment
-
MCUboot at the current time does not support multiple keys; doing so would invalidate your loaded image, meaning the device is bricked.
-
I'm considering using the MCUBOOT_HW_KEY option and the main reason is because I want to have the option to potentially change the key in the future, if I have the need for that. Otherwise I don't see the reason for using this option instead of just integrating the key in the MCUboot image.
In any case, I was wondering how it will be possible to transition to the new key when the time comes. I could imagine that the new key-hash is being provisioned but without overwriting the previous key, so that both have to exist. Because otherwise, the existing image (using the previous key) will not be able to boot again (needed perhaps in the case that the swap to the new image fails).
Then that brings the question of how to handle the two keys. More specifically, I'm looking at the `bootutil_find_key()` function implementation where `boot_retrieve_public_key_hash()` is being called. But from what I understand it is implied that there is a way to map a specific image index to a specific key-hash.
How can this be implemented? Since the images are being swapped around, you'll have to update the mapping between image-index and key-hash every time, isn't it? Otherwise I don't see a way to try out all possible available key-hashes until the one that matches the key in the image is found. At least not with the current implementation.
What do people think?
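The lookup the question asks about, trying every provisioned key-hash instead of mapping an image index to one hash, sketched as an added example; it is not MCUboot code and not part of the discussion. The slot structure, `find_key_slot` and the sample hashes are hypothetical and constructed, and the caller is assumed to have already hashed the public key carried in the image.

```c
#include <stddef.h>
#include <stdint.h>

#define KEY_HASH_SIZE 32 /* SHA-256 digest length */

/* Hypothetical provisioned-hash slot; not an MCUboot structure. */
struct key_hash_slot {
    uint8_t hash[KEY_HASH_SIZE];
    uint8_t provisioned; /* 1 once a hash has been written */
    uint8_t revoked;     /* 1 once the key has been retired */
};

/* Constructed sample data: old key, new key, one empty slot. */
static const uint8_t OLD_KEY_HASH[KEY_HASH_SIZE] = { 0xAA, 0x01 };
static const uint8_t NEW_KEY_HASH[KEY_HASH_SIZE] = { 0xBB, 0x02 };
static const uint8_t ZERO_HASH[KEY_HASH_SIZE] = { 0 };
static struct key_hash_slot sample_slots[3] = {
    { .hash = { 0xAA, 0x01 }, .provisioned = 1 },
    { .hash = { 0xBB, 0x02 }, .provisioned = 1 },
    { .provisioned = 0 }, /* erased slot, hash reads as all zeros */
};

/* Return the index of the first usable slot whose hash equals the hash of
 * the public key carried in the image, or -1. Every byte of every slot is
 * compared (no early exit), and empty or revoked slots never match. */
int find_key_slot(const struct key_hash_slot *slots, size_t n_slots,
                  const uint8_t image_key_hash[KEY_HASH_SIZE])
{
    int found = -1;
    for (size_t i = 0; i < n_slots; i++) {
        uint8_t diff = 0;
        for (size_t j = 0; j < KEY_HASH_SIZE; j++) {
            diff |= (uint8_t)(slots[i].hash[j] ^ image_key_hash[j]);
        }
        if (diff == 0 && slots[i].provisioned && !slots[i].revoked && found < 0) {
            found = (int)i;
        }
    }
    return found;
}

int main(void)
{
    /* Both keys are accepted during the transition window. */
    int old_ok = find_key_slot(sample_slots, 3, OLD_KEY_HASH) == 0;
    int new_ok = find_key_slot(sample_slots, 3, NEW_KEY_HASH) == 1;
    int empty_rejected = find_key_slot(sample_slots, 3, ZERO_HASH) == -1;
    sample_slots[0].revoked = 1; /* retire the old key once the new image is confirmed */
    int old_gone = find_key_slot(sample_slots, 3, OLD_KEY_HASH) == -1;
    return (old_ok && new_ok && empty_rejected && old_gone) ? 0 : 1;
}
```

Because the match is made on the key the image carries, no image-index-to-hash mapping has to be rewritten when slots are swapped.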