author | David Vincze <david.vincze@arm.com> | 2020-03-31 17:05:34 +0200 |
---|---|---|
committer | David Vincze <david.vincze@linaro.org> | 2020-06-24 14:27:50 +0200 |
commit | f5c1e067a011e06f81e7f872f909bc160338f7cd (patch) | |
tree | 9a002959f1f3b693d9532ac5a2ce55e6455f79a1 | |
parent | 141f215f49aa6dc6264c64a30bbdfd28958f3305 (diff) | |
Build: Enable using HW keys with upstream MCUboot
Modify the build system (by removing restrictions) to allow HW key
usage for image authentication when the 'UPSTREAM' MCUboot repository is
selected, as MCUboot v1.6.0 (the current default bootloader) already
includes this feature.
Change-Id: Ifa7de6a26febb8b140b409f63fc8c059ed2c3278
Signed-off-by: David Vincze <david.vincze@linaro.org>
-rw-r--r-- | bl2/ext/mcuboot/CMakeLists.txt | 24 | ||||
-rw-r--r-- | bl2/ext/mcuboot/MCUBootConfig.cmake | 10 | ||||
-rw-r--r-- | bl2/ext/mcuboot/keys.c | 13 |
3 files changed, 34 insertions, 13 deletions
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt index 5c1cebfed7..99070f6e69 100644 --- a/bl2/ext/mcuboot/CMakeLists.txt +++ b/bl2/ext/mcuboot/CMakeLists.txt @@ -207,6 +207,13 @@ list(FIND _log_levels ${MCUBOOT_LOG_LEVEL} LOG_LEVEL_ID) if (MCUBOOT_REPO STREQUAL "UPSTREAM") set(MCUBOOT_HW_ROLLBACK_PROT On) set(MCUBOOT_MEASURED_BOOT On) + + #FixMe: This becomes unnecessary and can be deleted once the sign_key.c file + #in upstream MCUboot includes the mcuboot_config.h file and starts "reading" + #the configuration macros from there. + if (MCUBOOT_HW_KEY) + target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_HW_KEY) + endif() endif() if(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072") @@ -225,9 +232,20 @@ elseif (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "RAM_LOADING") set(MCUBOOT_RAM_LOADING On) endif() -configure_file("${CMAKE_CURRENT_LIST_DIR}/include/mcuboot_config/mcuboot_config.h.in" - "${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h" - @ONLY) +#FixMe: This becomes unnecessary and can be deleted once the sign_key.c file +#in upstream MCUboot includes the mcuboot_config.h file and starts "reading" +#the configuration macros from there. +if (MCUBOOT_REPO STREQUAL "UPSTREAM" AND MCUBOOT_HW_KEY) + set(MCUBOOT_HW_KEY Off) + configure_file("${CMAKE_CURRENT_LIST_DIR}/include/mcuboot_config/mcuboot_config.h.in" + "${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h" + @ONLY) + set(MCUBOOT_HW_KEY On) +else() + configure_file("${CMAKE_CURRENT_LIST_DIR}/include/mcuboot_config/mcuboot_config.h.in" + "${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h" + @ONLY) +endif() target_compile_definitions(${PROJECT_NAME} PRIVATE MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}") diff --git a/bl2/ext/mcuboot/MCUBootConfig.cmake b/bl2/ext/mcuboot/MCUBootConfig.cmake index d025ab4775..26c97d5cc6 100644 --- a/bl2/ext/mcuboot/MCUBootConfig.cmake +++ b/bl2/ext/mcuboot/MCUBootConfig.cmake 
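Review bot: The `PRIVATE` definition added inside the `UPSTREAM` branch makes `MCUBOOT_HW_KEY` visible only to the sources of `${PROJECT_NAME}`, while the second hunk of this file generates `mcuboot_config.h` with the option forced off. Any translation unit built outside this target that includes the generated header would see the hardware-key option as disabled and could select the embedded-key code path; whether such a unit exists is not visible in this diff. The FixMe explains when the workaround can go but not this consequence, so I would extend it with something like `# NOTE: until then mcuboot_config.h does NOT reflect MCUBOOT_HW_KEY for UPSTREAM builds; only ${PROJECT_NAME} sources see it`.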
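Review bot: The two `configure_file` calls in the new `if`/`else` are identical, and the restore step `set(MCUBOOT_HW_KEY On)` writes a literal instead of the value that was there before. Both `set()` calls create a normal variable that shadows the cache entry declared in MCUBootConfig.cmake for the rest of this scope, and a later edit to one `configure_file` copy can silently miss the other. Saving the value, clearing it only in the workaround case, calling `configure_file` once and restoring the saved value keeps the workaround in one place.

```cmake
# … unchanged: FixMe comment …
set(_mcuboot_hw_key_saved "${MCUBOOT_HW_KEY}")
if (MCUBOOT_REPO STREQUAL "UPSTREAM" AND MCUBOOT_HW_KEY)
    # Keep the macro out of the generated header; it is passed on the
    # command line for this target instead.
    set(MCUBOOT_HW_KEY Off)
endif()
configure_file("${CMAKE_CURRENT_LIST_DIR}/include/mcuboot_config/mcuboot_config.h.in"
               "${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h"
               @ONLY)
set(MCUBOOT_HW_KEY "${_mcuboot_hw_key_saved}")
unset(_mcuboot_hw_key_saved)
```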
@@ -37,15 +37,7 @@ if (BL2) set(MCUBOOT_REPO "TF-M") endif() - if (MCUBOOT_REPO STREQUAL "TF-M") - set(MCUBOOT_HW_KEY On CACHE BOOL "Configure to use HW key for image verification. Otherwise key is embedded in MCUBoot image.") - else() #Using upstream MCUBoot - if (MCUBOOT_HW_KEY) - message(WARNING "Cannot use HW key for image verification when building against upstream MCUBoot." - " Your choice was overriden (MCUBOOT_HW_KEY=Off).") - endif() - set(MCUBOOT_HW_KEY Off) - endif() + set(MCUBOOT_HW_KEY On CACHE BOOL "Configure to use HW key for image verification. Otherwise key is embedded in MCUBoot image.") set(MCUBOOT_LOG_LEVEL "LOG_LEVEL_INFO" CACHE STRING "Configure the level of logging in MCUBoot.") set_property(CACHE MCUBOOT_LOG_LEVEL PROPERTY STRINGS "LOG_LEVEL_OFF;LOG_LEVEL_ERROR;LOG_LEVEL_WARNING;LOG_LEVEL_INFO;LOG_LEVEL_DEBUG") diff --git a/bl2/ext/mcuboot/keys.c b/bl2/ext/mcuboot/keys.c index 480994c132..df2497fee8 100644 --- a/bl2/ext/mcuboot/keys.c +++ b/bl2/ext/mcuboot/keys.c @@ -24,8 +24,10 @@ * Modifications are Copyright (c) 2019-2020 Arm Limited. */ +#include <stddef.h> #include <bootutil/sign_key.h> #include "mcuboot_config/mcuboot_config.h" +#include "platform/include/tfm_plat_crypto_keys.h" #if !defined(MCUBOOT_HW_KEY) #if defined(MCUBOOT_SIGN_RSA) @@ -246,4 +248,13 @@ struct bootutil_key bootutil_keys[1] = { }, }; const int bootutil_key_cnt = 1; -#endif + +int boot_retrieve_public_key_hash(uint8_t image_index, + uint8_t *public_key_hash, + size_t *key_hash_size) +{ + return tfm_plat_get_rotpk_hash(image_index, + public_key_hash, + (uint32_t *)key_hash_size); +} +#endif /* !MCUBOOT_HW_KEY */ |
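Review bot: The now-unconditional `set(MCUBOOT_HW_KEY On CACHE BOOL ...)` silently changes the default trust anchor for `UPSTREAM` builds, which the removed branch forced to `Off`. A fresh upstream configuration will verify images against the key hash returned by the platform rather than a key embedded in the bootloader, and nothing at configure time says so. The option's help text does not mention that `On` depends on the platform providing a provisioned key hash that matches the signing key (presumably via `tfm_plat_get_rotpk_hash`, as the keys.c change suggests). I would add a comment above the line such as `# Default is On for both TF-M and UPSTREAM MCUboot: requires a provisioned ROTPK hash on the platform`, and consider a `message(STATUS ...)` reporting the selected key source.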
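Review bot: The cast `(uint32_t *)key_hash_size` in the new `boot_retrieve_public_key_hash` passes a `size_t` object to a callee that accesses it as `uint32_t`. That is only correct where the two types have the same width; on a build where `size_t` is wider (a host-side test build, for example) the callee touches only part of the object, and the size that presumably bounds the write into `public_key_hash` is no longer the one the caller supplied. Going through a local `uint32_t` removes the type pun and allows a NULL and range check on the incoming size. The `-1` below is a placeholder, since the caller's error convention is not visible in this hunk, nor is whether the platform return code is 0 on success.

```c
int boot_retrieve_public_key_hash(uint8_t image_index,
                                  uint8_t *public_key_hash,
                                  size_t *key_hash_size)
{
    uint32_t hash_size;
    int rc;

    if (public_key_hash == NULL || key_hash_size == NULL ||
        *key_hash_size > UINT32_MAX) {
        return -1; /* placeholder error code */
    }

    hash_size = (uint32_t)*key_hash_size;
    rc = tfm_plat_get_rotpk_hash(image_index, public_key_hash, &hash_size);
    *key_hash_size = hash_size;

    return rc;
}
```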