Skip to content

Commit

Permalink
[nrf noup] boot: Add shared crypto for ECDSA and SHA
Browse files Browse the repository at this point in the history
* Add functions for ecdsa_verify_secp256r1 and sha256 to use the shared
crypto API
* Add Kconfig and CMake variables for selecting shared crypto when using
ecdsa
* Add custom section to project for placing the API section in the
correct location in flash
* Add kconfig fragment for using external crypto

Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Martí Bolívar <[email protected]>
Signed-off-by: Emil Obalski <[email protected]>
Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Håkon Øye Amundsen <[email protected]>
Signed-off-by: Ioannis Glaropoulos <[email protected]>
Signed-off-by: Trond Einar Snekvik <[email protected]>
Signed-off-by: Georgios Vasilakis <[email protected]>
Signed-off-by: Johann Fischer <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 5f71e80)
(cherry picked from commit beebb23)
  • Loading branch information
sigvartmh authored and jfischer-no committed Mar 6, 2024
1 parent 5cf8423 commit 55683e3
Show file tree
Hide file tree
Showing 5 changed files with 99 additions and 3 deletions.
43 changes: 43 additions & 0 deletions boot/bootutil/include/bootutil/crypto/ecdsa.h
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@

#if (defined(MCUBOOT_USE_TINYCRYPT) + \
defined(MCUBOOT_USE_CC310) + \
defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1
#error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO"
#endif
Expand Down Expand Up @@ -70,6 +71,11 @@
#include "bootutil/sign_key.h"
#include "common.h"

#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
#include <bl_crypto.h>
#define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8)
#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */

#ifdef __cplusplus
extern "C" {
#endif
Expand Down Expand Up @@ -594,6 +600,43 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,

#endif /* MCUBOOT_USE_MBED_TLS */

#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
typedef uintptr_t bootutil_ecdsa_p256_context;

static inline void bootutil_ecdsa_p256_init(bootutil_ecdsa_p256_context *ctx)
{
(void)ctx;
}

static inline void bootutil_ecdsa_p256_drop(bootutil_ecdsa_p256_context *ctx)
{
(void)ctx;
}

static inline int bootutil_ecdsa_p256_verify(bootutil_ecdsa_p256_context *ctx,
uint8_t *pk, size_t pk_len,
uint8_t *hash,
uint8_t *sig, size_t sig_len)
{
(void)ctx;
(void)pk_len;
(void)sig_len;

/* As described on the compact representation in IETF protocols,
* the first byte of the key defines if the ECC points are
* compressed (0x2 or 0x3) or uncompressed (0x4).
* We only support uncompressed keys.
*/
if (pk[0] != 0x04)
return -1;

pk++;

return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE,
pk, sig);
}
#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */

#ifdef __cplusplus
}
#endif
Expand Down
32 changes: 32 additions & 0 deletions boot/bootutil/include/bootutil/crypto/sha.h
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@

#if (defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \
defined(MCUBOOT_USE_TINYCRYPT) + \
defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
defined(MCUBOOT_USE_CC310)) != 1
#error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO"
#endif
Expand Down Expand Up @@ -206,6 +207,37 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
}
#endif /* MCUBOOT_USE_CC310 */

#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)

#include <bl_crypto.h>

typedef bl_sha256_ctx_t bootutil_sha_context;

static inline void bootutil_sha_init(bootutil_sha_context *ctx)
{
bl_sha256_init(ctx);
}

static inline void bootutil_sha_drop(bootutil_sha_context *ctx)
{
(void)ctx;
}

static inline int bootutil_sha_update(bootutil_sha_context *ctx,
const void *data,
uint32_t data_len)
{
return bl_sha256_update(ctx, data, data_len);
}

static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
uint8_t *output)
{
bl_sha256_finalize(ctx, output);
return 0;
}
#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */

#ifdef __cplusplus
}
#endif
Expand Down
2 changes: 2 additions & 0 deletions boot/zephyr/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256)
zephyr_library_sources(${NRF_DIR}/cc310_glue.c)
zephyr_library_include_directories(${NRF_DIR})
zephyr_link_libraries(nrfxlib_crypto)
elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO)
zephyr_include_directories(${BL_CRYPTO_DIR}/../include)
endif()

# Since here we are not using Zephyr's mbedTLS but rather our own, we need
Expand Down
20 changes: 20 additions & 0 deletions boot/zephyr/external_crypto.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
#
# Copyright (c) 2021 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

# These configurations should be used when using nrf/samples/bootloader
# as the immutable bootloader (B0), and MCUBoot as the second stage updateable
# bootloader.

# Set ECDSA as signing mechanism
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y

# Use crypto backend from B0
CONFIG_BOOT_NRF_EXTERNAL_CRYPTO=y
CONFIG_SECURE_BOOT_CRYPTO=y
CONFIG_SB_CRYPTO_CLIENT_ECDSA_SECP256R1=y
CONFIG_SB_CRYPTO_CLIENT_SHA256=y
CONFIG_BL_SHA256_EXT_API_REQUIRED=y
CONFIG_BL_SECP256R1_EXT_API_REQUIRED=y
5 changes: 2 additions & 3 deletions boot/zephyr/include/mcuboot_config/mcuboot_config.h
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,8 @@
#define MCUBOOT_USE_TINYCRYPT
#elif defined(CONFIG_BOOT_USE_CC310)
#define MCUBOOT_USE_CC310
#ifdef CONFIG_BOOT_USE_NRF_CC310_BL
#define MCUBOOT_USE_NRF_CC310_BL
#endif
#elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO)
#define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO
#endif

/* Zephyr, regardless of C library used, provides snprintf */
Expand Down

0 comments on commit 55683e3

Please sign in to comment.