authorDavid Vincze <david.vincze@arm.com>2020-03-31 17:05:34 +0200
committerDavid Vincze <david.vincze@linaro.org>2020-06-24 14:27:50 +0200
commitf5c1e067a011e06f81e7f872f909bc160338f7cd (patch)
tree9a002959f1f3b693d9532ac5a2ce55e6455f79a1 /bl2
parent141f215f49aa6dc6264c64a30bbdfd28958f3305 (diff)
Build: Enable using HW keys with upstream MCUboot
Modify the build system (by removing restrictions) to allow HW key usage for image authentication when the 'UPSTREAM' MCUboot repository is selected, as MCUboot v1.6.0 (the current default bootloader) already includes this feature. Change-Id: Ifa7de6a26febb8b140b409f63fc8c059ed2c3278 Signed-off-by: David Vincze <david.vincze@linaro.org>
Diffstat (limited to 'bl2')
-rw-r--r--bl2/ext/mcuboot/CMakeLists.txt24
-rw-r--r--bl2/ext/mcuboot/MCUBootConfig.cmake10
-rw-r--r--bl2/ext/mcuboot/keys.c13
3 files changed, 34 insertions, 13 deletions
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 5c1cebfed7..99070f6e69 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -207,6 +207,13 @@ list(FIND _log_levels ${MCUBOOT_LOG_LEVEL} LOG_LEVEL_ID)
if (MCUBOOT_REPO STREQUAL "UPSTREAM")
set(MCUBOOT_HW_ROLLBACK_PROT On)
set(MCUBOOT_MEASURED_BOOT On)
+
+ #FixMe: This becomes unnecessary and can be deleted once the sign_key.c file
+ #in upstream MCUboot includes the mcuboot_config.h file and starts "reading"
+ #the configuration macros from there.
+ if (MCUBOOT_HW_KEY)
+ target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_HW_KEY)
+ endif()
endif()
if(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
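Review bot: In the UPSTREAM case `MCUBOOT_HW_KEY` now reaches the code only as a PRIVATE definition on `${PROJECT_NAME}`, while the second hunk of this file generates mcuboot_config.h with the option switched off, so the two sources of configuration disagree. Any file that includes mcuboot_config.h but is compiled outside this target would presumably take the embedded-key path while sign_key.c takes the hardware-key path; the header template is not visible here, so this should be confirmed. Since the setting selects how the image-verification key is obtained, I would state the constraint in the FixMe, e.g. `#Note: mcuboot_config.h is generated without MCUBOOT_HW_KEY in this case; every source that tests it must be built as part of ${PROJECT_NAME}.`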
@@ -225,9 +232,20 @@ elseif (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "RAM_LOADING")
set(MCUBOOT_RAM_LOADING On)
endif()
-configure_file("${CMAKE_CURRENT_LIST_DIR}/include/mcuboot_config/mcuboot_config.h.in"
- "${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h"
- @ONLY)
+#FixMe: This becomes unnecessary and can be deleted once the sign_key.c file
+#in upstream MCUboot includes the mcuboot_config.h file and starts "reading"
+#the configuration macros from there.
+if (MCUBOOT_REPO STREQUAL "UPSTREAM" AND MCUBOOT_HW_KEY)
+ set(MCUBOOT_HW_KEY Off)
+ configure_file("${CMAKE_CURRENT_LIST_DIR}/include/mcuboot_config/mcuboot_config.h.in"
+ "${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h"
+ @ONLY)
+ set(MCUBOOT_HW_KEY On)
+else()
+ configure_file("${CMAKE_CURRENT_LIST_DIR}/include/mcuboot_config/mcuboot_config.h.in"
+ "${CMAKE_CURRENT_BINARY_DIR}/mcuboot_config/mcuboot_config.h"
+ @ONLY)
+endif()
target_compile_definitions(${PROJECT_NAME} PRIVATE MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
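Review bot: The two `configure_file()` calls in this hunk are byte-identical, and the first branch restores the option with a hard-coded `set(MCUBOOT_HW_KEY On)` rather than the value it had before. Both `set()` calls also create a normal variable that shadows the cache entry declared in MCUBootConfig.cmake for the rest of this directory scope. A single call is easier to keep in sync: save the value with `set(_hw_key_saved "${MCUBOOT_HW_KEY}")`, switch it off inside the `if`, call `configure_file()` once, then restore it with `set(MCUBOOT_HW_KEY "${_hw_key_saved}")`.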
diff --git a/bl2/ext/mcuboot/MCUBootConfig.cmake b/bl2/ext/mcuboot/MCUBootConfig.cmake
index d025ab4775..26c97d5cc6 100644
--- a/bl2/ext/mcuboot/MCUBootConfig.cmake
+++ b/bl2/ext/mcuboot/MCUBootConfig.cmake
@@ -37,15 +37,7 @@ if (BL2)
set(MCUBOOT_REPO "TF-M")
endif()
- if (MCUBOOT_REPO STREQUAL "TF-M")
- set(MCUBOOT_HW_KEY On CACHE BOOL "Configure to use HW key for image verification. Otherwise key is embedded in MCUBoot image.")
- else() #Using upstream MCUBoot
- if (MCUBOOT_HW_KEY)
- message(WARNING "Cannot use HW key for image verification when building against upstream MCUBoot."
- " Your choice was overriden (MCUBOOT_HW_KEY=Off).")
- endif()
- set(MCUBOOT_HW_KEY Off)
- endif()
+ set(MCUBOOT_HW_KEY On CACHE BOOL "Configure to use HW key for image verification. Otherwise key is embedded in MCUBoot image.")
set(MCUBOOT_LOG_LEVEL "LOG_LEVEL_INFO" CACHE STRING "Configure the level of logging in MCUBoot.")
set_property(CACHE MCUBOOT_LOG_LEVEL PROPERTY STRINGS "LOG_LEVEL_OFF;LOG_LEVEL_ERROR;LOG_LEVEL_WARNING;LOG_LEVEL_INFO;LOG_LEVEL_DEBUG")
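Review bot: With the override removed, an upstream build that does not pass `-DMCUBOOT_HW_KEY=...` now gets `On` from the cache default, where it previously always ended up with `Off`. That changes where the image-verification key comes from for existing configurations, with no message at configure time. A comment above the `set()` would make the new default visible, e.g. `# Default is On for both MCUBOOT_REPO values; pass -DMCUBOOT_HW_KEY=Off to embed the key in the MCUBoot image.`, and the same is worth a line in the build documentation. The enclosing `if (BL2)` block starts and ends outside this hunk.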
diff --git a/bl2/ext/mcuboot/keys.c b/bl2/ext/mcuboot/keys.c
index 480994c132..df2497fee8 100644
--- a/bl2/ext/mcuboot/keys.c
+++ b/bl2/ext/mcuboot/keys.c
@@ -24,8 +24,10 @@
* Modifications are Copyright (c) 2019-2020 Arm Limited.
*/
+#include <stddef.h>
#include <bootutil/sign_key.h>
#include "mcuboot_config/mcuboot_config.h"
+#include "platform/include/tfm_plat_crypto_keys.h"
#if !defined(MCUBOOT_HW_KEY)
#if defined(MCUBOOT_SIGN_RSA)
@@ -246,4 +248,13 @@ struct bootutil_key bootutil_keys[1] = {
},
};
const int bootutil_key_cnt = 1;
-#endif
+
+int boot_retrieve_public_key_hash(uint8_t image_index,
+ uint8_t *public_key_hash,
+ size_t *key_hash_size)
+{
+ return tfm_plat_get_rotpk_hash(image_index,
+ public_key_hash,
+ (uint32_t *)key_hash_size);
+}
+#endif /* !MCUBOOT_HW_KEY */
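Review bot: The `(uint32_t *)key_hash_size` cast hands `tfm_plat_get_rotpk_hash()` a pointer to a `size_t` object as if it were a `uint32_t`. That only works where the two types have the same size and representation; on a target with a wider `size_t` the callee would read and write only part of the length, and the cast hides the mismatch from the compiler either way. Because this length bounds the buffer that receives the key hash used for image authentication, a local `uint32_t` copied in and out is safer. This assumes the size is an in/out parameter, which the platform header (not shown) should confirm. The surrounding `#if` starts outside the hunk.

```c
int boot_retrieve_public_key_hash(uint8_t image_index,
                                  uint8_t *public_key_hash,
                                  size_t *key_hash_size)
{
    /* Pass a real uint32_t instead of reinterpreting the caller's size_t. */
    uint32_t hash_size = (uint32_t)*key_hash_size;
    int rc;

    rc = tfm_plat_get_rotpk_hash(image_index, public_key_hash, &hash_size);
    *key_hash_size = hash_size;

    return rc;
}
```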