commit 557451d28d907ee65238c671e810db41e835add2
author Antonio de Angelis <Antonio.deAngelis@arm.com> Tue Nov 22 15:30:09 2022 +0000
committer Dávid Vincze <david.vincze@arm.com> Wed Apr 26 13:57:53 2023 +0200
tree 92be9e3f3507fb7cb329317b3ca2fc3d6288f158
parent c725cee102c3a1e591e1266957112e06e7da386a

bootutil/crypto: Add a generic signature validation module for ECDSA

Add a dedicated signature validation module for generic ECDSA signatures,
and a corresponding cryptographic abstraction backend based on PSA Crypto
APIs. This signature verification backend is enabled by defining the
option MCUBOOT_SIGN_ECDSA

Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I47da70629da0a5681ec7c4dcceed875a997b071b

boot/bootutil/src/image_ecdsa.c

diff --git a/boot/bootutil/src/image_ecdsa.c b/boot/bootutil/src/image_ecdsa.c
new file mode 100644
index 0000000..53e5db1
--- /dev/null
+++ b/boot/bootutil/src/image_ecdsa.c
@@ -0,0 +1,64 @@
+/*

+ * SPDX-License-Identifier: Apache-2.0

+ *

+ * Copyright (c) 2023 Arm Limited

+ */

+

+#include <string.h>

+

+#include "mcuboot_config/mcuboot_config.h"

+

+#ifdef MCUBOOT_SIGN_ECDSA

+#include "bootutil_priv.h"

+#include "bootutil/sign_key.h"

+#include "bootutil/fault_injection_hardening.h"

+

+#include "bootutil/crypto/ecdsa.h"

+

+static fih_ret

+bootutil_cmp_ecdsa_sig(bootutil_ecdsa_context *ctx, uint8_t *hash, uint32_t hlen,

+  uint8_t *sig, size_t slen)

+{

+    int rc = -1;

+    FIH_DECLARE(fih_rc, FIH_FAILURE);

+

+    /* PSA Crypto APIs allow the verification in a single call */

+    rc = bootutil_ecdsa_verify(ctx, hash, hlen, sig, slen);

+

+    fih_rc = fih_ret_encode_zero_equality(rc);

+    if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {

+        FIH_SET(fih_rc, FIH_FAILURE);

+    }

+

+    FIH_RET(fih_rc);

+}

+

+fih_ret

+bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,

+  uint8_t key_id)

+{

+    int rc = -1;

+    FIH_DECLARE(fih_rc, FIH_FAILURE);

+    uint8_t *cp;

+    uint8_t *end;

+    bootutil_ecdsa_context ctx;

+

+    bootutil_ecdsa_init(&ctx);

+

+    cp = (uint8_t *)bootutil_keys[key_id].key;

+    end = cp + *bootutil_keys[key_id].len;

+

+    /* The key used for signature verification is a public ECDSA key */

+    rc = bootutil_ecdsa_parse_public_key(&ctx, &cp, end);

+    if (rc) {

+        goto out;

+    }

+

+    FIH_CALL(bootutil_cmp_ecdsa_sig, fih_rc, &ctx, hash, hlen, sig, slen);

+

+out:

+    bootutil_ecdsa_drop(&ctx);

+

+    FIH_RET(fih_rc);

+}

+#endif /* MCUBOOT_SIGN_ECDSA */