imgtool: Add backwards compatibility for ECDSA
Add backwards compatibility to imgtool to support
the old curve-specific TLVs. Currently only ECDSA256 needs this.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I275894ebc713ea8adcaab4198b036c41233b11e8
diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py
index 8da49b9..de8352a 100644
--- a/scripts/imgtool/image.py
+++ b/scripts/imgtool/image.py
@@ -484,10 +484,18 @@
else:
print(os.path.basename(__file__) + ": sign the digest")
sig = key.sign_digest(digest)
- tlv.add(key.sig_tlv(), sig)
+ # only ecdsa256 has legacy tlv type
+ if use_legacy_tlv and isinstance(key, ecdsa.ECDSA256P1):
+ tlv.add(key.legacy_sig_tlv(), sig)
+ else:
+ tlv.add(key.sig_tlv(), sig)
self.signature = sig
elif fixed_sig is not None and key is None:
- tlv.add(pub_key.sig_tlv(), fixed_sig['value'])
+ if use_legacy_tlv and isinstance(pub_key,
+ ecdsa.ECDSA256P1Public):
+ tlv.add(pub_key.legacy_sig_tlv(), fixed_sig['value'])
+ else:
+ tlv.add(pub_key.sig_tlv(), fixed_sig['value'])
self.signature = fixed_sig['value']
else:
raise click.UsageError("Can not sign using key and provide fixed-signature at the same time")
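Review bot: When `use_legacy_tlv` is set but the key is not an ECDSA P-256 key, both new `else:` arms silently fall back to `sig_tlv()`, so the image carries a different signature TLV than the operator asked for; presumably the mismatch only shows up later, when a bootloader expecting the legacy TLV refuses the image. I would fail early instead: when the flag is set and the `isinstance` test fails, `raise click.UsageError("--legacy-ecdsa-tlv is only supported with ECDSA P-256 keys")`, and state the same restriction in the `--legacy-ecdsa-tlv` help text in main.py. The same two-way choice is written out twice, once for `key` and once for `pub_key`; a small helper that takes the key object and the flag and returns the TLV type would keep the two signing paths from drifting apart. `use_legacy_tlv` is not defined in the visible lines, so it presumably comes from the signature of the enclosing function, which starts outside this hunk.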
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
index eba557f..b8b2e49 100755
--- a/scripts/imgtool/main.py
+++ b/scripts/imgtool/main.py
@@ -362,6 +362,8 @@
help='send to OUTFILE the payload or payload''s digest instead '
'of complied image. These data can be used for external image '
'signing')
+@click.option('--legacy-ecdsa-tlv', default=False, is_flag=True,
+ help='Use the old curve specific ECDSA TLV')
@click.command(help='''Create a signed or unsigned image\n
INFILE and OUTFILE are parsed as Intel HEX if the params have
.hex extension, otherwise binary format is used''')
@@ -370,7 +372,7 @@
endian, encrypt_keylen, encrypt, infile, outfile, dependencies,
load_addr, hex_addr, erased_val, save_enctlv, security_counter,
boot_record, custom_tlv, rom_fixed, max_align, clear, fix_sig,
- fix_sig_pubkey, sig_out, vector_to_sign):
+ fix_sig_pubkey, sig_out, vector_to_sign, legacy_ecdsa_tlv):
if confirm:
# Confirmed but non-padded images don't make much sense, because
@@ -437,7 +439,7 @@
img.create(key, public_key_format, enckey, dependencies, boot_record,
custom_tlvs, int(encrypt_keylen), clear, baked_signature,
- pub_key, vector_to_sign)
+ pub_key, vector_to_sign, legacy_ecdsa_tlv)
img.save(outfile, hex_addr)
if sig_out is not None: