zephyr: Support RSA, and ECDSA P-256 signing

Make it clear in the top-level Makefile how to configure mcuboot for
Zephyr for a particular signing algorithm.  Currently supported are
RSA signatures and ECDSA with the P-256 curve.  These configuration
lines select the code built into the bootloader, as well as which
public key gets included with the image.

This also adds a demo public key for the P-256 signatures.
diff --git a/Makefile b/Makefile
index 525e91e..529184a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,30 @@
-BOARD ?= qemu_x86
+# Makefile for building mcuboot as a Zephyr project.
+
+# These are the main configuration choices, mainly having to do with
+# what signature algorithm is desired.  Choose one of the blocks
+# below, and uncomment the settings after it.
+
+#####
+# RSA
+#####
 CONF_FILE = boot/zephyr/prj.conf
+CFLAGS += -DBOOTUTIL_SIGN_RSA
+
+#############
+# ECDSA P-256
+#############
+#CONF_FILE = boot/zephyr/prj-p256.conf
+#CFLAGS += -DBOOTUTIL_SIGN_EC256
+
+##############################
+# End of configuration blocks.
+##############################
+
+# The board should be set to one of the targets supported by
+# mcuboot/Zephyr.  These can be found in ``boot/zephyr/targets``
+BOARD ?= qemu_x86
+
+# The source to the Zephyr-specific code lives here.
 SOURCE_DIR = boot/zephyr
 
 # Needed for mbedtls config-boot.h file.
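Review bot: Nothing in the configuration blocks stops two algorithms being active at once, and the instruction "uncomment the settings after it" does not say to comment the RSA lines out first. Because `CFLAGS +=` accumulates, enabling the ECDSA block on top of the RSA one defines both `BOOTUTIL_SIGN_RSA` and `BOOTUTIL_SIGN_EC256` while `CONF_FILE` becomes prj-p256.conf. The `#if defined(BOOTUTIL_SIGN_RSA)` test in boot/zephyr/keys.c comes first, so the RSA key would then be embedded silently. I would add a comment such as `# Exactly one block may be active; comment out the RSA lines before enabling another.`, and back it in keys.c with `#if defined(BOOTUTIL_SIGN_RSA) && defined(BOOTUTIL_SIGN_EC256)` followed by `#error "Select exactly one signing algorithm."`.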
diff --git a/boot/bootutil/src/Makefile b/boot/bootutil/src/Makefile
index 820d7a6..2ee4452 100644
--- a/boot/bootutil/src/Makefile
+++ b/boot/bootutil/src/Makefile
@@ -1,5 +1,3 @@
 # Makefile for Zephyr build
 
-ccflags-y += -DBOOTUTIL_SIGN_RSA
-
-obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o
+obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o image_ec256.o
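Review bot: Both `image_rsa.o` and `image_ec256.o` are now built unconditionally, and the algorithm macro no longer comes from this file, but nothing here says what makes that safe. It presumably relies on each source file compiling to nothing unless its own `BOOTUTIL_SIGN_*` macro is defined, and on the top-level `CFLAGS` reaching this directory. Neither is visible in this diff, and with config-asn1.h `MBEDTLS_BIGNUM_C` is off, so an unguarded image_rsa.c would not build. A comment such as `# Both verifiers are listed; each file is empty unless its BOOTUTIL_SIGN_* macro is set in the top-level Makefile.` would record the assumption.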
diff --git a/boot/zephyr/include/config-asn1.h b/boot/zephyr/include/config-asn1.h
new file mode 100644
index 0000000..ba5b97c
--- /dev/null
+++ b/boot/zephyr/include/config-asn1.h
@@ -0,0 +1,47 @@
+/*
+ *  Configuration of mbedTLS containing only the ASN.1 parser.
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2016, Linaro Ltd
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Minimal configuration for using TLS in the bootloader
+ *
+ * - RSA or ECDSA signature verification
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+/* mbed TLS modules */
+#define MBEDTLS_ASN1_PARSE_C
+// #define MBEDTLS_ASN1_WRITE_C
+// #define MBEDTLS_BIGNUM_C
+// #define MBEDTLS_MD_C
+// #define MBEDTLS_OID_C
+#define MBEDTLS_SHA256_C
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */
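Review bot: The second header comment ("Minimal configuration for using TLS in the bootloader" / "RSA or ECDSA signature verification") does not describe this file. It enables only the platform and memory hooks, `MBEDTLS_ASN1_PARSE_C` and `MBEDTLS_SHA256_C`, so no mbed TLS signature code is built. I would reword it along the lines of `Minimal mbed TLS configuration for the ECDSA P-256 build: ASN.1 parsing and SHA-256 only`. It should also say where verification is done, which is presumably TinyCrypt, given `CONFIG_TINYCRYPT_ECC_DSA=y` in prj-p256.conf. The four `//`-commented defines should either be deleted or given a one-line reason for being kept, so a later reader does not re-enable them thinking they are required.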
diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c
index 051eb8a..9a06f3c 100644
--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -19,6 +19,7 @@
 
 #include <bootutil/sign_key.h>
 
+#if defined(BOOTUTIL_SIGN_RSA)
 const unsigned char root_pub_der[] = {
   0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0x06, 0x08,
   0x1a, 0x18, 0x44, 0x2c, 0x18, 0xe8, 0xfb, 0xfd, 0xf7, 0x0d, 0xa3, 0x4f,
@@ -45,6 +46,24 @@
   0xc9, 0x02, 0x03, 0x01, 0x00, 0x01
 };
 const unsigned int root_pub_der_len = 270;
+#elif defined(BOOTUTIL_SIGN_EC256)
+const unsigned char root_pub_der[] = {
+	0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+	0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
+	0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+	0x42, 0x00, 0x04, 0x2a, 0xcb, 0x40, 0x3c, 0xe8,
+	0xfe, 0xed, 0x5b, 0xa4, 0x49, 0x95, 0xa1, 0xa9,
+	0x1d, 0xae, 0xe8, 0xdb, 0xbe, 0x19, 0x37, 0xcd,
+	0x14, 0xfb, 0x2f, 0x24, 0x57, 0x37, 0xe5, 0x95,
+	0x39, 0x88, 0xd9, 0x94, 0xb9, 0xd6, 0x5a, 0xeb,
+	0xd7, 0xcd, 0xd5, 0x30, 0x8a, 0xd6, 0xfe, 0x48,
+	0xb2, 0x4a, 0x6a, 0x81, 0x0e, 0xe5, 0xf0, 0x7d,
+	0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53,
+	0x8e, 0xfa, 0xc1, };
+const unsigned int root_pub_der_len = 91;
+#else
+#error "No public key available for given signing algorithm."
+#endif
 
 const struct bootutil_key bootutil_keys[] = {
 	{
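Review bot: `root_pub_der_len = 91` is typed by hand next to the new array, so a later edit to the key bytes can leave the length stale and make the parser read short of or past the array. `const unsigned int root_pub_der_len = sizeof(root_pub_der);` keeps the two tied, and the RSA branch's `270` has the same shape. The EC point bytes in this array match the public part of root-ec-p256.pem, whose private key is added in this same commit, so a bootloader built with this default accepts images signed by anyone who has the repository. A comment above the array such as `/* Demo key: the private half is published in root-ec-p256.pem. Replace before deployment. */` would make that explicit. The hunk ends inside the `bootutil_keys` initializer, which continues outside it.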
diff --git a/boot/zephyr/prj-p256.conf b/boot/zephyr/prj-p256.conf
new file mode 100644
index 0000000..95b2b7e
--- /dev/null
+++ b/boot/zephyr/prj-p256.conf
@@ -0,0 +1,18 @@
+CONFIG_CONSOLE_HANDLER=y
+CONFIG_SYS_LOG=y
+CONFIG_DEBUG=y
+
+CONFIG_MAIN_STACK_SIZE=10240
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_CFG_FILE="config-asn1.h"
+CONFIG_TINYCRYPT=y
+CONFIG_TINYCRYPT_ECC_DSA=y
+
+### mbedTLS wants a heap
+CONFIG_HEAP_MEM_POOL_SIZE=16384
+
+CONFIG_FLASH=y
+
+### Disable Bluetooth by default
+# CONFIG_BLUETOOTH is not set
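Review bot: `CONFIG_DEBUG=y` and `CONFIG_CONSOLE_HANDLER=y` sit in this bootloader configuration with no remark that they are development settings. This file is what the top-level Makefile selects for the ECDSA build, so they become the default for anyone who follows it. An interactive console and debug build in the stage that enforces image signatures is extra surface that a production bootloader normally does not need. I would mark the first three lines with a comment such as `### Development aids; disable for production bootloaders`.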
diff --git a/root-ec-p256.pem b/root-ec-p256.pem
new file mode 100644
index 0000000..2f4accf
--- /dev/null
+++ b/root-ec-p256.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINeY1S+DASQ701QrflXtTHRhGQCw+VBagk/h6OwGO8/xoAoGCCqGSM49
+AwEHoUQDQgAEKstAPOj+7VukSZWhqR2u6Nu+GTfNFPsvJFc35ZU5iNmUudZa69fN
+1TCK1v5IskpqgQ7l8H2LaDTMOmr8U476wQ==
+-----END EC PRIVATE KEY-----
diff --git a/root.pem b/root-rsa-2048.pem
similarity index 100%
rename from root.pem
rename to root-rsa-2048.pem
diff --git a/sign.sh b/sign.sh
index 6fe08f5..5c9989e 100755
--- a/sign.sh
+++ b/sign.sh
@@ -1,22 +1,48 @@
 #! /bin/sh
 
+# This script can be used as an example of how to sign images.
+
 source $(dirname $0)/target.sh
 
-./scripts/zep2newt.py \
-    --bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
-    --key root.pem \
-    --sig RSA \
-    --out shell.signed.bin \
-    --vtoff 0x200 \
-    --word-size 8 \
-    --image-version 3 \
-    --bit --pad 0x20000
+# RSA signatures can be made with the signing script in the scripts
+# directory.
+if true; then
+	./scripts/zep2newt.py \
+	    --bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
+	    --key root.pem \
+	    --sig RSA \
+	    --out shell.signed.bin \
+	    --vtoff 0x200 \
+	    --word-size 8 \
+	    --image-version 3 \
+	    --bit --pad 0x20000
 
-./scripts/zep2newt.py \
-    --bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
-    --key root.pem \
-    --sig RSA \
-    --vtoff 0x200 \
-    --word-size 8 \
-    --image-version 2 \
-    --out hello.signed.bin
+	./scripts/zep2newt.py \
+	    --bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
+	    --key root.pem \
+	    --sig RSA \
+	    --vtoff 0x200 \
+	    --word-size 8 \
+	    --image-version 2 \
+	    --out hello.signed.bin
+fi
+
+# Currently, ECDSA signatures need to be made with the imgtool.  See
+# 'imgtool' for instructions on building the tool.
+if false; then
+	imgtool sign \
+		--key root_ec.pem \
+		--header-size 0x200 \
+		--version 3.0 \
+		--align 8 \
+		--pad 0x20000 \
+		../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
+		shell.signed.bin
+
+	imgtool sign \
+		--key root_ec.pem \
+		--header-size 0x200 \
+		--version 3.0 \
+		../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
+		hello.signed.bin
+fi
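Review bot: The key paths in this script no longer match the files in the tree. The RSA block still passes `--key root.pem` although this commit renames that file to root-rsa-2048.pem, and the ECDSA block passes `--key root_ec.pem` while the key added here is root-ec-p256.pem. They should read `--key root-rsa-2048.pem` and `--key root-ec-p256.pem` respectively. In the ECDSA block both images get `--version 3.0`, whereas the RSA block signs hello_world as version 2; if the two blocks are meant to be equivalent, the second should probably be `--version 2.0`. `source` under `#! /bin/sh` is a pre-existing bashism in the context lines, and `.` is the portable form.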