zephyr: Add Kconfig option to select PureEdDS

Commit adds CONFIG_BOOT_SIGNATURE_TYPE_PURE Kconfig option, which enables MCUBOOT_SIGN_PURE in MCUboot configuration. Signed-off-by: Dominik Ermel <[email protected]>
mcu-tools · Oct 11, 2024 · 75de637 · 75de637
1 parent 20c3dab
commit 75de637
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -134,6 +134,14 @@ config BOOT_IMG_HASH_ALG_SHA512
 
 endchoice # BOOT_IMG_HASH_ALG
 
+config BOOT_SIGNATURE_TYPE_PURE_ALLOW
+	bool
+	help
+	  Hidden option set by configurations that allow Pure variant,
+	  for example ed25519. The pure variant means that image
+	  signature is calculated over entire image instead of hash
+	  of an image.
+
 choice BOOT_SIGNATURE_TYPE
 	prompt "Signature type"
 	default BOOT_SIGNATURE_TYPE_RSA
@@ -183,10 +191,28 @@ endif
 
 config BOOT_SIGNATURE_TYPE_ED25519
 	bool "Edwards curve digital signatures using ed25519"
-	select BOOT_ENCRYPTION_SUPPORT
-	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
+	select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE
+	select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE
+	# The SHA is used only for key hashing, not for images.
+	select BOOT_SIGNATURE_TYPE_PURE_ALLOW
+	help
+	  This is ed25519 signature calculated over SHA512 of SHA256 of application
+	  image.
+	  To check signature over entire image directly, rather than hash,
+	  select BOOT_SIGNATURE_TYPE_PURE.
 
 if BOOT_SIGNATURE_TYPE_ED25519
+
+config BOOT_SIGNATURE_TYPE_PURE
+	bool "Use Pure signature of image"
+	depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW
+	help
+	  The Pure signature is calculated directly over image rather than
+	  hash of an image, as the BOOT_SIGNATURE_TYPE_ED25519 does by
+	  default.
+	  Image to be verified needs to be accessible through memory address
+	  space that cryptography functions can access via pointers.
+
 choice BOOT_ED25519_IMPLEMENTATION
 	prompt "Ecdsa implementation"
 	default BOOT_ED25519_TINYCRYPT

diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -148,6 +148,10 @@
 #define MCUBOOT_HASH_STORAGE_DIRECTLY
 #endif
 
+#ifdef CONFIG_BOOT_SIGNATURE_TYPE_PURE
+#define MCUBOOT_SIGN_PURE
+#endif
+
 #ifdef CONFIG_BOOT_BOOTSTRAP
 #define MCUBOOT_BOOTSTRAP 1
 #endif