Skip to content

Commit

Permalink
bootutil: PureEdDSA using ED25519
Browse files Browse the repository at this point in the history
The commit adds support for PureEdDSA, which validates signature
of image rather than hash. This is most secure, available, ED25519
usage in MCUboot, but due to requirement of PureEdDSA to be able
to calculate signature at whole message at once, here image,
it only works on setups where entire image can be mapped to
device address space, so that PSA functions calculating the
signature can see the whole image at once.

This option is enabled with Kconfig option:
 CONFIG_BOOT_SIGNATURE_TYPE_PURE
when the ED25519 signature type is already selected.

Note that the option will enable SHA512 for calculating public
key hash.

Signed-off-by: Dominik Ermel <[email protected]>
  • Loading branch information
de-nordic committed Oct 8, 2024
1 parent a65607f commit 33d2fd5
Show file tree
Hide file tree
Showing 5 changed files with 216 additions and 8 deletions.
3 changes: 3 additions & 0 deletions boot/bootutil/src/bootutil_priv.h
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,9 @@ struct boot_loader_state {
fih_ret bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig,
size_t slen, uint8_t key_id);

fih_ret bootutil_verify_img(const uint8_t *img, uint32_t size,
uint8_t *sig, size_t slen, uint8_t key_id);

fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n);

int boot_find_status(int image_index, const struct flash_area **fap);
Expand Down
37 changes: 37 additions & 0 deletions boot/bootutil/src/image_ed25519.c
Original file line number Diff line number Diff line change
Expand Up @@ -105,4 +105,41 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
FIH_RET(fih_rc);
}

fih_ret
bootutil_verify_img(const uint8_t *img, uint32_t size,
uint8_t *sig, size_t slen, uint8_t key_id)
{
int rc;
FIH_DECLARE(fih_rc, FIH_FAILURE);
uint8_t *pubkey;
uint8_t *end;

if (slen != EDDSA_SIGNATURE_LENGTH) {
FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}

pubkey = (uint8_t *)bootutil_keys[key_id].key;
end = pubkey + *bootutil_keys[key_id].len;

rc = bootutil_import_key(&pubkey, end);
if (rc) {
FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}

rc = ED25519_verify(img, size, sig, pubkey);

if (rc == 0) {
/* if verify returns 0, there was an error. */
FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}

FIH_SET(fih_rc, FIH_SUCCESS);
out:

FIH_RET(fih_rc);
}

#endif /* MCUBOOT_SIGN_ED25519 */
147 changes: 141 additions & 6 deletions boot/bootutil/src/image_validate.c
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@

#include "bootutil_priv.h"

#ifndef MCUBOOT_SIGN_PURE
/*
* Compute SHA hash over the image.
* (SHA384 if ECDSA-P384 is being used,
Expand Down Expand Up @@ -175,6 +176,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,

return 0;
}
#endif

/*
* Currently, we only support being able to verify one type of
Expand Down Expand Up @@ -361,6 +363,35 @@ bootutil_get_img_security_cnt(struct image_header *hdr,
return 0;
}

#if defined(MCUBOOT_SIGN_PURE)
/* Returns:
* 0 -- found
* 1 -- not found
* -1 -- failed for some reason
*
* Value of TLV does not matter, presence decides.
*/
static int bootutil_check_for_pure(const struct image_header *hdr,
const struct flash_area *fap)
{
struct image_tlv_iter it;
uint32_t off;
uint16_t len;
int32_t rc;

rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_SIG_PURE, false);
if (rc) {
return rc;
}

/* Search for the TLV */
rc = bootutil_tlv_iter_next(&it, &off, &len, NULL);

return rc;
}
#endif


#ifndef ALLOW_ROGUE_TLVS
/*
* The following list of TLVs are the only entries allowed in the unprotected
Expand All @@ -377,6 +408,9 @@ static const uint16_t allowed_unprot_tlvs[] = {
IMAGE_TLV_ECDSA_SIG,
IMAGE_TLV_RSA3072_PSS,
IMAGE_TLV_ED25519,
#if defined(MCUBOOT_SIGN_PURE)
IMAGE_TLV_SIG_PURE,
#endif
IMAGE_TLV_ENC_RSA2048,
IMAGE_TLV_ENC_KW,
IMAGE_TLV_ENC_EC256,
Expand All @@ -399,7 +433,6 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
uint32_t off;
uint16_t len;
uint16_t type;
int image_hash_valid = 0;
#ifdef EXPECTED_SIG_TLV
FIH_DECLARE(valid_signature, FIH_FAILURE);
#ifndef MCUBOOT_BUILTIN_KEY
Expand All @@ -416,7 +449,10 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
#endif /* EXPECTED_SIG_TLV */
struct image_tlv_iter it;
uint8_t buf[SIG_BUF_SIZE];
#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE)
int image_hash_valid = 0;
uint8_t hash[IMAGE_HASH_SIZE];
#endif
int rc = 0;
FIH_DECLARE(fih_rc, FIH_FAILURE);
#ifdef MCUBOOT_HW_ROLLBACK_PROT
Expand All @@ -425,6 +461,67 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
FIH_DECLARE(security_counter_valid, FIH_FAILURE);
#endif

#ifdef MCUBOOT_DECOMPRESS_IMAGES
/* If the image is compressed, the integrity of the image must also be validated */
if (MUST_DECOMPRESS(fap, image_index, hdr)) {
bool found_decompressed_size = false;
bool found_decompressed_sha = false;
bool found_decompressed_signature = false;

rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, true);
if (rc) {
goto out;
}

if (it.tlv_end > bootutil_max_image_size(fap)) {
rc = -1;
goto out;
}

while (true) {
uint16_t expected_size = 0;
bool *found_flag = NULL;

rc = bootutil_tlv_iter_next(&it, &off, &len, &type);
if (rc < 0) {
goto out;
} else if (rc > 0) {
break;
}

switch (type) {
case IMAGE_TLV_DECOMP_SIZE:
expected_size = sizeof(size_t);
found_flag = &found_decompressed_size;
break;
case IMAGE_TLV_DECOMP_SHA:
expected_size = IMAGE_HASH_SIZE;
found_flag = &found_decompressed_sha;
break;
case IMAGE_TLV_DECOMP_SIGNATURE:
expected_size = SIG_BUF_SIZE;
found_flag = &found_decompressed_signature;
break;
default:
continue;
};

if (len != expected_size) {
rc = -1;
goto out;
}

*found_flag = true;
}

rc = (!found_decompressed_size || !found_decompressed_sha || !found_decompressed_signature);
if (rc) {
goto out;
}
}
#endif

#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE)
rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf,
tmp_buf_sz, hash, seed, seed_len);
if (rc) {
Expand All @@ -434,6 +531,15 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
if (out_hash) {
memcpy(out_hash, hash, IMAGE_HASH_SIZE);
}
#endif

#if defined(MCUBOOT_SIGN_PURE)
/* If Pure type signature is expected then it has to be there */
rc = bootutil_check_for_pure(hdr, fap);
if (rc != 0) {
goto out;
}
#endif

rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false);
if (rc) {
Expand Down Expand Up @@ -477,8 +583,10 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
}
}
#endif

if (type == EXPECTED_HASH_TLV) {
switch(type) {
#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE)
case EXPECTED_HASH_TLV:
{
/* Verify the image hash. This must always be present. */
if (len != sizeof(hash)) {
rc = -1;
Expand All @@ -496,8 +604,12 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
}

image_hash_valid = 1;
break;
}
#endif /* defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) */
#ifdef EXPECTED_KEY_TLV
} else if (type == EXPECTED_KEY_TLV) {
case EXPECTED_KEY_TLV:
{
/*
* Determine which key we should be checking.
*/
Expand All @@ -522,9 +634,12 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
* The key may not be found, which is acceptable. There
* can be multiple signatures, each preceded by a key.
*/
break;
}
#endif /* EXPECTED_KEY_TLV */
#ifdef EXPECTED_SIG_TLV
} else if (type == EXPECTED_SIG_TLV) {
case EXPECTED_SIG_TLV:
{
/* Ignore this signature if it is out of bounds. */
if (key_id < 0 || key_id >= bootutil_key_cnt) {
key_id = -1;
Expand All @@ -538,12 +653,25 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
if (rc) {
goto out;
}
#ifndef MCUBOOT_SIGN_PURE
FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash),
buf, len, key_id);
#else
/* Directly check signature on the image, by using the mapping of
* a device to memory. The pointer is beginning of image in flash,
* so offset of area, the range is header + image + protected tlvs.
*/
FIH_CALL(bootutil_verify_img, valid_signature, (void *)flash_area_get_off(fap),
hdr->ih_hdr_size + hdr->ih_img_size + hdr->ih_protect_tlv_size,
buf, len, key_id);
#endif
key_id = -1;
break;
}
#endif /* EXPECTED_SIG_TLV */
#ifdef MCUBOOT_HW_ROLLBACK_PROT
} else if (type == IMAGE_TLV_SEC_CNT) {
case IMAGE_TLV_SEC_CNT:
{
/*
* Verify the image's security counter.
* This must always be present.
Expand Down Expand Up @@ -578,14 +706,21 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,

/* The image's security counter has been successfully verified. */
security_counter_valid = fih_rc;
break;
}
#endif /* MCUBOOT_HW_ROLLBACK_PROT */
}
}

#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE)
rc = !image_hash_valid;
if (rc) {
goto out;
}
#elif defined(MCUBOOT_SIGN_PURE)
/* This returns true on EQ, rc is err on non-0 */
rc = !FIH_EQ(valid_signature, FIH_SUCCESS);
#endif
#ifdef EXPECTED_SIG_TLV
FIH_SET(fih_rc, valid_signature);
#endif
Expand Down
33 changes: 31 additions & 2 deletions boot/zephyr/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,14 @@ config BOOT_IMG_HASH_ALG_SHA512

endchoice # BOOT_IMG_HASH_ALG

config BOOT_SIGNATURE_TYPE_PURE_ALLOW
bool
help
Hidden option set by configurations that allow Pure variant,
for example ed25519. The pure variant means that image
signature is calculated over entire image instead of hash
of an image.

choice BOOT_SIGNATURE_TYPE
prompt "Signature type"
default BOOT_SIGNATURE_TYPE_RSA
Expand Down Expand Up @@ -183,10 +191,31 @@ endif

config BOOT_SIGNATURE_TYPE_ED25519
bool "Edwards curve digital signatures using ed25519"
select BOOT_ENCRYPTION_SUPPORT
select BOOT_IMG_HASH_ALG_SHA256_ALLOW
select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE
select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE
# The SHA is used only for key hashing, not for images.
select BOOT_SIGNATURE_TYPE_PURE_ALLOW
help
This is ed25519 signature calculated over SHA512 of SHA256 of application
image; that is not completely correct approach as the SHA512 should be
rather directly calculated over an image.
Select BOOT_SIGNATURE_TYPE_PURE to have a PureEdDSA calculating image
signature directly on image, rather than hash of the image.

if BOOT_SIGNATURE_TYPE_ED25519

config BOOT_SIGNATURE_TYPE_PURE
bool "Use Pure signature of image"
depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW
help
The Pure signature is calculated directly over image rather than
hash of an image.
This is more secure signature, specifically if hardware can do the
verification without need to share key.
Note that this requires that all slots for which signature is to be
verified need to be accessible through memory address space that
cryptography can access.

choice BOOT_ED25519_IMPLEMENTATION
prompt "Ecdsa implementation"
default BOOT_ED25519_TINYCRYPT
Expand Down
4 changes: 4 additions & 0 deletions boot/zephyr/include/mcuboot_config/mcuboot_config.h
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,10 @@
#define MCUBOOT_HASH_STORAGE_DIRECTLY
#endif

#ifdef CONFIG_BOOT_SIGNATURE_TYPE_PURE
#define MCUBOOT_SIGN_PURE
#endif

#ifdef CONFIG_BOOT_BOOTSTRAP
#define MCUBOOT_BOOTSTRAP 1
#endif
Expand Down

0 comments on commit 33d2fd5

Please sign in to comment.