Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PureEdDSA and support for calculating SHA directly on device #2080

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

PureEdDSA and support for calculating SHA directly on device #2080

wants to merge 6 commits into from

Commits on Oct 11, 2024

  1. bootutil: Allow SHA512 with TinyCrypt 

    The commit enables SHA512 support, for image hashing, with
TinyCrypt.
Although on 32bit machines the SHA256 will be faster than
SHA512, benefit of enabling the SHA512 is that you have only
one algorithm compiled in which reduces size of code.

Signed-off-by: Dominik Ermel <[email protected]>
    @de-nordic
    de-nordic committed Oct 11, 2024
    Configuration menu
    Copy the full SHA
    5c19b56 View commit details
    Browse the repository at this point in the history

  2. bootutil: Enable hash calculation directly on storage 

    The commit add support for passing storage device address space
to hash calculation functions, which allows to use hardware
accelerated hash calculation on storage.
This feature only works when image encryption is not enabled
and all slots are defined within internal storage of device.

The feature is enabled with MCUboot configuration option
MCUBOOT_HASH_STORAGE_DIRECTLY.

Signed-off-by: Dominik Ermel <[email protected]>
    @de-nordic
    de-nordic committed Oct 11, 2024
    Configuration menu
    Copy the full SHA
    b96a5de View commit details
    Browse the repository at this point in the history

  3. bootutil: PureEdDSA using ED25519 

    The commit adds support for PureEdDSA, which validates signature
of image rather than hash. This is most secure, available, ED25519
usage in MCUboot, but due to requirement of PureEdDSA to be able
to calculate signature at whole message at once, here image,
it only works on setups where entire image can be mapped to
device address space, so that PSA functions calculating the
signature can see the whole image at once.

The feature is enabled with MCUBOOT_SIGN_PURE MCUboot configuration
option.

Signed-off-by: Dominik Ermel <[email protected]>
    @de-nordic
    de-nordic committed Oct 11, 2024
    Configuration menu
    Copy the full SHA
    d07abb1 View commit details
    Browse the repository at this point in the history

  4. zephyr: Allow SHA512 with TinyCrypt 

    Select BOOT_IMG_HASH_ALG_SHA512_ALLOW via BOOT_ED25519_TINYCRYPT.

Signed-off-by: Dominik Ermel <[email protected]>
    @de-nordic
    de-nordic committed Oct 11, 2024
    Configuration menu
    Copy the full SHA
    4eb04b1 View commit details
    Browse the repository at this point in the history

  5. zephyr: Add Kconfig and configuration for SHA on storage 

    Adds CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE, which
enables MCUBOOT_HASH_STORAGE_DIRECTLY for Zephyr.

Signed-off-by: Dominik Ermel <[email protected]>
    @de-nordic
    de-nordic committed Oct 11, 2024
    Configuration menu
    Copy the full SHA
    20c3dab View commit details
    Browse the repository at this point in the history

  6. zephyr: Add Kconfig option to select PureEdDS 

    Commit adds CONFIG_BOOT_SIGNATURE_TYPE_PURE Kconfig option,
which enables MCUBOOT_SIGN_PURE in MCUboot configuration.

Signed-off-by: Dominik Ermel <[email protected]>
    @de-nordic
    de-nordic committed Oct 11, 2024
    Configuration menu
    Copy the full SHA
    75de637 View commit details
    Browse the repository at this point in the history