Build: move signature key len into signature type

The current approach in MCUBoot assumes the signature type and the
key length are separate values, but this only applies to RSA. For
other signature types (such as ECDSA) the key length is not applicable.
This change merges the key length into the signature type for RSA,
removing the need for extra conditions in the build
configuration when the signature is specified in a different way.

Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I5e2bba814695ec0d366b202b9c40fd7daa9484ac
diff --git a/bl2/CMakeLists.txt b/bl2/CMakeLists.txt
index 977d2d2..2322a3f 100644
--- a/bl2/CMakeLists.txt
+++ b/bl2/CMakeLists.txt
@@ -75,10 +75,15 @@
 
 add_library(bl2_mbedcrypto_config INTERFACE)
 
+if(NOT ${MCUBOOT_SIGNATURE_TYPE} STREQUAL "")
+    string(REGEX MATCH "[0-9]*$" SIG_LEN ${MCUBOOT_SIGNATURE_TYPE})
+    string(REGEX MATCH "^[A-Z]*" SIG_TYPE ${MCUBOOT_SIGNATURE_TYPE})
+endif()
+
 target_compile_definitions(bl2_mbedcrypto_config
     INTERFACE
-        $<$<STREQUAL:${MCUBOOT_SIGNATURE_TYPE},RSA>:MCUBOOT_SIGN_RSA>
-        $<$<STREQUAL:${MCUBOOT_SIGNATURE_TYPE},RSA>:MCUBOOT_SIGN_RSA_LEN=${MCUBOOT_SIGNATURE_KEY_LEN}>
+        $<$<STREQUAL:${SIG_TYPE},RSA>:MCUBOOT_SIGN_RSA>
+        $<$<STREQUAL:${SIG_TYPE},RSA>:MCUBOOT_SIGN_RSA_LEN=${SIG_LEN}>
         $<$<BOOL:${MCUBOOT_USE_PSA_CRYPTO}>:MCUBOOT_USE_PSA_CRYPTO>
         MBEDTLS_CONFIG_FILE="${MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH}"
         # Workaround for https://github.com/ARMmbed/mbedtls/issues/1077
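Review bot: The new guard `if(NOT ${MCUBOOT_SIGNATURE_TYPE} STREQUAL "")` expands the variable unquoted, so in the empty or unset case it is meant to handle, the condition collapses to `if(NOT STREQUAL "")` and CMake stops with a syntax error. The two `string(REGEX MATCH ...)` calls also accept any value: a legacy `RSA` left in a cache or platform config gives SIG_TYPE=RSA with an empty SIG_LEN, so `MCUBOOT_SIGN_RSA_LEN=` is emitted with no value for the bootloader's signature-verification configuration. Quoting the expansion and matching against the documented values fails closed at configure time instead; the same block is repeated in platform/CMakeLists.txt and applies there unchanged. SIG_TYPE and SIG_LEN are also unprefixed directory-scope names, so a prefix such as MCUBOOT_ would avoid collisions.

```cmake
if(NOT "${MCUBOOT_SIGNATURE_TYPE}" STREQUAL "")
    if(NOT "${MCUBOOT_SIGNATURE_TYPE}" MATCHES "^(RSA)-(2048|3072)$")
        message(FATAL_ERROR
            "Unsupported MCUBOOT_SIGNATURE_TYPE '${MCUBOOT_SIGNATURE_TYPE}', "
            "expected RSA-2048 or RSA-3072")
    endif()
    set(SIG_TYPE "${CMAKE_MATCH_1}")
    set(SIG_LEN  "${CMAKE_MATCH_2}")
endif()

# ... unchanged: target_compile_definitions(bl2_mbedcrypto_config ...) ...
```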
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index c35b566..ab6006d 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -1,5 +1,5 @@
 #------------------------------------------------------------------------------
-# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -86,6 +86,7 @@
 if (PLATFORM_DEFAULT_IMAGE_SIGNING)
     find_package(Python3)
     if(MCUBOOT_GENERATE_SIGNING_KEYPAIR)
+        string(REGEX MATCH "[0-9]*$" SIG_LEN ${MCUBOOT_SIGNATURE_TYPE})
         add_custom_target(generated_private_key
             SOURCES
                 generated_private_key_s.pem
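Review bot: The added `string(REGEX MATCH "[0-9]*$" SIG_LEN ${MCUBOOT_SIGNATURE_TYPE})` has no guard at all here, unlike the copies in bl2/CMakeLists.txt and platform/CMakeLists.txt, and its result feeds `-t rsa-${SIG_LEN}` in both keygen commands of the next hunk. A value without trailing digits leaves SIG_LEN empty, so the key type passed to imgtool becomes `rsa-` and the problem only surfaces when the signing key is generated at build time, while an empty value makes the `string()` call itself fail on argument count. Quote the expansion, require at least one digit, and check at configure time: `string(REGEX MATCH "[0-9]+$" SIG_LEN "${MCUBOOT_SIGNATURE_TYPE}")` followed by `if("${SIG_LEN}" STREQUAL "") message(FATAL_ERROR "MCUBOOT_SIGNATURE_TYPE must include a key length to generate a signing keypair") endif()`. The `rsa-` prefix also stays hard-coded, so keypair generation will need a second change once a non-RSA type is accepted. The `if(MCUBOOT_GENERATE_SIGNING_KEYPAIR)` block continues outside this hunk.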
@@ -96,14 +97,14 @@
             COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
                 keygen
                 -k generated_private_key_s.pem
-                -t rsa-${MCUBOOT_SIGNATURE_KEY_LEN}
+                -t rsa-${SIG_LEN}
             COMMAND ${CMAKE_COMMAND} -E copy generated_private_key_s.pem $<TARGET_FILE_DIR:bl2>
         )
         add_custom_command(OUTPUT generated_private_key_ns.pem
             COMMAND ${Python3_EXECUTABLE} ${MCUBOOT_PATH}/scripts/imgtool.py
                 keygen
                 -k generated_private_key_ns.pem
-                -t rsa-${MCUBOOT_SIGNATURE_KEY_LEN}
+                -t rsa-${SIG_LEN}
             COMMAND ${CMAKE_COMMAND} -E copy generated_private_key_ns.pem $<TARGET_FILE_DIR:bl2>
         )
         set(MCUBOOT_KEY_S $<TARGET_FILE_DIR:bl2>/generated_private_key_s.pem CACHE FILEPATH "" FORCE)
diff --git a/bl2/ext/mcuboot/Kconfig b/bl2/ext/mcuboot/Kconfig
index 67058e9..0a2ea96 100644
--- a/bl2/ext/mcuboot/Kconfig
+++ b/bl2/ext/mcuboot/Kconfig
@@ -167,29 +167,25 @@
     default "HIGH" if MCUBOOT_FIH_PROFILE_HIGH
 
 config MCUBOOT_SIGNATURE_TYPE
-    string "Algorithm to use for signature validation"
-    default "RSA"
+    string "Algorithm to use for signature validation [RSA-2048, RSA-3072]"
+    default "RSA-3072"
     help
       Note - If either SIGNATURE_TYPE or KEY_LEN are changed, the entries for KEY_S
       and KEY_NS will either have to be updated manually or removed from the cache.
       `cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS`. Once removed from the cache it
       will be set to default again.
 
-config MCUBOOT_SIGNATURE_KEY_LEN
-    int "Key length to use for signature validation"
-    default 3072
-
 config MCUBOOT_GENERATE_SIGNING_KEYPAIR
     bool "Generate new keypair or use MCUBOOT_KEY_S and MCUBOOT_KEY_NS for signing"
     default n
 
 config MCUBOOT_KEY_S
     string "Path to key with which to sign secure binary"
-    default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem"
+    default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}.pem"
 
 config MCUBOOT_KEY_NS
     string "Path to key with which to sign non-secure binary"
-    default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem"
+    default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}_1.pem"
 
 config MCUBOOT_IMAGE_VERSION_S
     string "Version number of S image"
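Review bot: The help text kept under MCUBOOT_SIGNATURE_TYPE still opens with "If either SIGNATURE_TYPE or KEY_LEN are changed", but this hunk removes MCUBOOT_SIGNATURE_KEY_LEN; it should read `Note - If SIGNATURE_TYPE is changed, the entries for KEY_S`, matching the comment updated in mcuboot_default_config.cmake. The option also remains a free-form `string` whose accepted values appear only in the prompt, so a typo such as `RSA3072` is not rejected by Kconfig itself. Since the value selects the key size used for image signature verification, a `choice` with one entry per supported value would make an unsupported setting impossible to select.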
diff --git a/bl2/ext/mcuboot/mcuboot_default_config.cmake b/bl2/ext/mcuboot/mcuboot_default_config.cmake
index bdbc6e5..b092159 100644
--- a/bl2/ext/mcuboot/mcuboot_default_config.cmake
+++ b/bl2/ext/mcuboot/mcuboot_default_config.cmake
@@ -42,15 +42,14 @@
 set(MCUBOOT_FIH_PROFILE                 OFF         CACHE STRING    "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
 set(MCUBOOT_USE_PSA_CRYPTO              OFF         CACHE BOOL      "Enable the cryptographic abstraction layer to use PSA Crypto")
 
-# Note - If either SIGNATURE_TYPE or KEY_LEN are changed, the entries for KEY_S
+# Note - If SIGNATURE_TYPE is changed, the entries for KEY_S
 # and KEY_NS will either have to be updated manually or removed from the cache.
 # `cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS`. Once removed from the cache it
 # will be set to default again.
-set(MCUBOOT_SIGNATURE_TYPE              "RSA"       CACHE STRING    "Algorithm to use for signature validation")
-set(MCUBOOT_SIGNATURE_KEY_LEN           3072        CACHE STRING    "Key length to use for signature validation")
-set(MCUBOOT_GENERATE_SIGNING_KEYPAIR    OFF         CACHE BOOL      "Generate new keypair for signing and use that instead of MCUBOOT_KEY_S and MCUBOOT_KEY_NS")
-set(MCUBOOT_KEY_S                       "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem" CACHE FILEPATH "Path to key with which to sign secure binary")
-set(MCUBOOT_KEY_NS                      "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem" CACHE FILEPATH "Path to key with which to sign non-secure binary")
+set(MCUBOOT_SIGNATURE_TYPE              "RSA-3072"       CACHE STRING    "Algorithm to use for signature validation [RSA-2048, RSA-3072]")
+set(MCUBOOT_GENERATE_SIGNING_KEYPAIR    OFF              CACHE BOOL      "Generate new keypair for signing and use that instead of MCUBOOT_KEY_S and MCUBOOT_KEY_NS")
+set(MCUBOOT_KEY_S                       "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}.pem" CACHE FILEPATH "Path to key with which to sign secure binary")
+set(MCUBOOT_KEY_NS                      "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}_1.pem" CACHE FILEPATH "Path to key with which to sign non-secure binary")
 
 set(MCUBOOT_IMAGE_VERSION_S             ${TFM_VERSION} CACHE STRING "Version number of S image")
 set(MCUBOOT_IMAGE_VERSION_NS            0.0.0       CACHE STRING    "Version number of NS image")
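Review bot: Nothing here catches a build that still sets the removed MCUBOOT_SIGNATURE_KEY_LEN or carries the old `RSA` value of MCUBOOT_SIGNATURE_TYPE. `set(... CACHE ...)` without FORCE leaves an existing cache entry alone, so a reused build directory keeps `RSA`. A platform config or command line that only passed `-DMCUBOOT_SIGNATURE_KEY_LEN=2048` is now silently ignored and the build falls back to the `RSA-3072` default, a different verification key size than the integrator asked for. Failing at configure time makes the migration explicit: `if(DEFINED MCUBOOT_SIGNATURE_KEY_LEN) message(FATAL_ERROR "MCUBOOT_SIGNATURE_KEY_LEN was removed; set MCUBOOT_SIGNATURE_TYPE to RSA-2048 or RSA-3072") endif()`. Adding `set_property(CACHE MCUBOOT_SIGNATURE_TYPE PROPERTY STRINGS RSA-2048 RSA-3072)` would also present the allowed values in ccmake and cmake-gui.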
diff --git a/docs/design_docs/booting/tfm_secure_boot.rst b/docs/design_docs/booting/tfm_secure_boot.rst
index c49cde1..2f92668 100644
--- a/docs/design_docs/booting/tfm_secure_boot.rst
+++ b/docs/design_docs/booting/tfm_secure_boot.rst
@@ -365,11 +365,9 @@
     - **"RAM_LOAD":** Activate RAM loading firmware upgrade operation, where
       the latest image is copied to RAM and runs from there instead of being
       executed in-place.
-- MCUBOOT_SIGNATURE_TYPE (default: RSA):
-    - **RSA:** Image is signed with RSA algorithm
-- MCUBOOT_SIGNATURE_KEY_LEN (default: 3072):
-    - **2048:** Image is signed with 2048 bit key.
-    - **3072:** Image is signed with 3072 bit key.
+- MCUBOOT_SIGNATURE_TYPE (default: RSA-3072):
+    - **RSA-2048:** Image is signed with RSA algorithm and signed with 2048 bit key.
+    - **RSA-3072:** Image is signed with RSA algorithm and signed with 3072 bit key.
 - MCUBOOT_IMAGE_NUMBER (default: 2):
     - **1:** Single image boot, secure and non-secure images are signed and
       updated together.
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index 6c5c7d1..71a62fe 100755
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -333,6 +333,11 @@
 
 #========================= Platform region defs ===============================#
 
+if(NOT ${MCUBOOT_SIGNATURE_TYPE} STREQUAL "")
+    string(REGEX MATCH "[0-9]*$" SIG_LEN ${MCUBOOT_SIGNATURE_TYPE})
+    string(REGEX MATCH "^[A-Z]*" SIG_TYPE ${MCUBOOT_SIGNATURE_TYPE})
+endif()
+
 #TODO maybe just link the other platforms to this
 target_compile_definitions(platform_region_defs
     INTERFACE
@@ -346,8 +351,8 @@
         $<$<BOOL:${SECURE_UART1}>:SECURE_UART1>
         DAUTH_${DEBUG_AUTHENTICATION}
         $<$<BOOL:${MCUBOOT_IMAGE_NUMBER}>:MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER}>
-        $<$<STREQUAL:${MCUBOOT_SIGNATURE_TYPE},RSA>:MCUBOOT_SIGN_RSA>
-        $<$<STREQUAL:${MCUBOOT_SIGNATURE_TYPE},RSA>:MCUBOOT_SIGN_RSA_LEN=${MCUBOOT_SIGNATURE_KEY_LEN}>
+        $<$<STREQUAL:${SIG_TYPE},RSA>:MCUBOOT_SIGN_RSA>
+        $<$<STREQUAL:${SIG_TYPE},RSA>:MCUBOOT_SIGN_RSA_LEN=${SIG_LEN}>
         $<$<STREQUAL:${MCUBOOT_EXECUTION_SLOT},2>:LINK_TO_SECONDARY_PARTITION>
         $<$<BOOL:${TEST_PSA_API}>:PSA_API_TEST_${TEST_PSA_API}>
         $<$<BOOL:${TFM_CODE_SHARING}>:CODE_SHARING>