From 86e1acb392134ab253bd9aa9f2cfad9f9f584793 Mon Sep 17 00:00:00 2001 From: Steven Lee Date: Wed, 10 Apr 2024 14:10:50 +0800 Subject: [PATCH] bootutil/crypto: Support using mbedTLS for ecdsa Add BOOT_ECDSA_MBEDTLS for BOOT_SIGNATURE_TYPE_ECDSA_P256 to enable mbedTLS library for ecdsa module. Signed-off-by: Steven Lee --- boot/bootutil/include/bootutil/crypto/ecdsa.h | 8 +-- boot/zephyr/CMakeLists.txt | 68 ++++++++++--------- boot/zephyr/Kconfig | 5 ++ boot/zephyr/include/mcuboot-mbedtls-cfg.h | 1 + 4 files changed, 46 insertions(+), 36 deletions(-) diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h index a73388622..d7570dedb 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa.h +++ b/boot/bootutil/include/bootutil/crypto/ecdsa.h @@ -102,13 +102,13 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end) return -2; } /* id-ecPublicKey (RFC5480) */ - if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || - memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { + if (alg.len != sizeof(ec_pubkey_oid) - 1 || + memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { return -3; } /* namedCurve (RFC5480) */ - if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 || - memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { + if (param.len != sizeof(ec_secp256r1_oid) - 1 || + memcmp(param.p, ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { return -4; } /* ECPoint (RFC5480) */ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index f6c4b7eea..8d8b36ba5 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -148,40 +148,44 @@ zephyr_library_sources( endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) - zephyr_library_include_directories( - ${MBEDTLS_ASN1_DIR}/include - ) - zephyr_library_sources( - # Additionally pull in just the ASN.1 parser from mbedTLS. - ${MBEDTLS_ASN1_DIR}/src/asn1parse.c - ${MBEDTLS_ASN1_DIR}/src/platform_util.c - ) - if(CONFIG_BOOT_USE_TINYCRYPT) - # When using ECDSA signatures, pull in our copy of the tinycrypt library. - zephyr_library_include_directories( - ${BOOT_DIR}/zephyr/include - ${TINYCRYPT_DIR}/include - ) - zephyr_include_directories(${TINYCRYPT_DIR}/include) + if (CONFIG_BOOT_ECDSA_MBEDTLS) + zephyr_include_directories(include) + else() + zephyr_library_include_directories( + ${MBEDTLS_ASN1_DIR}/include + ) + zephyr_library_sources( + # Additionally pull in just the ASN.1 parser from mbedTLS. + ${MBEDTLS_ASN1_DIR}/src/asn1parse.c + ${MBEDTLS_ASN1_DIR}/src/platform_util.c + ) + if(CONFIG_BOOT_USE_TINYCRYPT) + # When using ECDSA signatures, pull in our copy of the tinycrypt library. + zephyr_library_include_directories( + ${BOOT_DIR}/zephyr/include + ${TINYCRYPT_DIR}/include + ) + zephyr_include_directories(${TINYCRYPT_DIR}/include) - zephyr_library_sources( - ${TINYCRYPT_DIR}/source/ecc.c - ${TINYCRYPT_DIR}/source/ecc_dsa.c - ${TINYCRYPT_DIR}/source/sha256.c - ${TINYCRYPT_DIR}/source/utils.c - ) - elseif(CONFIG_BOOT_USE_NRF_CC310_BL) - zephyr_library_sources(${NRF_DIR}/cc310_glue.c) - zephyr_library_include_directories(${NRF_DIR}) - zephyr_link_libraries(nrfxlib_crypto) - endif() + zephyr_library_sources( + ${TINYCRYPT_DIR}/source/ecc.c + ${TINYCRYPT_DIR}/source/ecc_dsa.c + ${TINYCRYPT_DIR}/source/sha256.c + ${TINYCRYPT_DIR}/source/utils.c + ) + elseif(CONFIG_BOOT_USE_NRF_CC310_BL) + zephyr_library_sources(${NRF_DIR}/cc310_glue.c) + zephyr_library_include_directories(${NRF_DIR}) + zephyr_link_libraries(nrfxlib_crypto) + endif() - # Since here we are not using Zephyr's mbedTLS but rather our own, we need - # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this - # variable is set by its Kconfig in the Zephyr codebase. - zephyr_library_compile_definitions( - MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" - ) + # Since here we are not using Zephyr's mbedTLS but rather our own, we need + # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this + # variable is set by its Kconfig in the Zephyr codebase. + zephyr_library_compile_definitions( + MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" + ) + endif() elseif(CONFIG_BOOT_SIGNATURE_TYPE_NONE) zephyr_library_include_directories( ${BOOT_DIR}/zephyr/include diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 1fd9bfce0..261b7e12e 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -101,6 +101,11 @@ config BOOT_ECDSA_TINYCRYPT bool "Use tinycrypt" select BOOT_USE_TINYCRYPT +config BOOT_ECDSA_MBEDTLS + bool "Use mbedTLS" + select BOOT_USE_MBEDTLS + select MBEDTLS + config BOOT_ECDSA_CC310 bool "Use CC310" depends on HAS_HW_NRF_CC310 diff --git a/boot/zephyr/include/mcuboot-mbedtls-cfg.h b/boot/zephyr/include/mcuboot-mbedtls-cfg.h index 2bab537d7..331fd2776 100644 --- a/boot/zephyr/include/mcuboot-mbedtls-cfg.h +++ b/boot/zephyr/include/mcuboot-mbedtls-cfg.h @@ -27,6 +27,7 @@ defined(CONFIG_BOOT_ENCRYPT_EC256) || \ (defined(CONFIG_BOOT_ENCRYPT_X25519) && !defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519)) #include "config-asn1.h" +#include "config-ec.h" #elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519) #include "config-ed25519.h" #else