Update sim to run ecdsa sig + kw enc
This adds the functionality to build/run testing on images that were
signed using ECDSA and encrypted with KW, using tinycrypt.
Also when it this mode, ecdsa+kw, adds the Mbed-TLS submodule to the
build because the simulator needs to use the Mbed-TLS keywrapping
infrastructure to generate the keys sent to the image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs
index 12377db..9e9ef36 100644
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@@ -54,7 +54,9 @@
conf.define("MCUBOOT_SIGN_EC256", None);
conf.define("MCUBOOT_USE_TINYCRYPT", None);
- conf.include("../../ext/mbedtls/include");
+ if !enc_kw {
+ conf.include("../../ext/mbedtls/include");
+ }
conf.include("../../ext/tinycrypt/lib/include");
conf.file("csupport/keys.c");
@@ -65,6 +67,7 @@
conf.file("../../ext/tinycrypt/lib/source/ecc_dsa.c");
conf.file("../../ext/tinycrypt/lib/source/ecc_platform_specific.c");
+ conf.file("../../ext/mbedtls/src/platform_util.c");
conf.file("../../ext/mbedtls/src/asn1parse.c");
} else {
// Neither signature type, only verify sha256. The default
@@ -104,27 +107,40 @@
if enc_kw {
conf.define("MCUBOOT_ENCRYPT_KW", None);
conf.define("MCUBOOT_ENC_IMAGES", None);
- conf.define("MCUBOOT_USE_MBED_TLS", None);
conf.file("../../boot/bootutil/src/encrypted.c");
conf.file("csupport/keys.c");
- conf.include("mbedtls/include");
- conf.file("mbedtls/library/sha256.c");
+ if sig_rsa {
+ conf.file("mbedtls/library/sha256.c");
+ }
+ /* Simulator uses Mbed-TLS to wrap keys */
+ conf.include("mbedtls/include");
conf.file("mbedtls/library/platform.c");
conf.file("mbedtls/library/platform_util.c");
conf.file("mbedtls/library/nist_kw.c");
conf.file("mbedtls/library/cipher.c");
conf.file("mbedtls/library/cipher_wrap.c");
conf.file("mbedtls/library/aes.c");
+
+ if sig_ecdsa {
+ conf.define("MCUBOOT_USE_TINYCRYPT", None);
+
+ conf.include("../../ext/tinycrypt/lib/include");
+
+ conf.file("../../ext/tinycrypt/lib/source/utils.c");
+ conf.file("../../ext/tinycrypt/lib/source/sha256.c");
+ conf.file("../../ext/tinycrypt/lib/source/aes_encrypt.c");
+ conf.file("../../ext/tinycrypt/lib/source/aes_decrypt.c");
+ }
}
if sig_rsa && enc_kw {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa-kw.h>"));
} else if sig_rsa || enc_rsa {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa.h>"));
- } else if sig_ecdsa {
+ } else if sig_ecdsa && !enc_kw {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
} else if enc_kw {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-kw.h>"));
diff --git a/sim/src/lib.rs b/sim/src/lib.rs
index 629b916..0fc9363 100644
--- a/sim/src/lib.rs
+++ b/sim/src/lib.rs
@@ -1196,6 +1196,13 @@
}
#[cfg(feature = "sig-ecdsa")]
+#[cfg(feature = "enc-kw")]
+fn make_tlv() -> TlvGen {
+ TlvGen::new_ecdsa_kw()
+}
+
+#[cfg(feature = "sig-ecdsa")]
+#[cfg(not(feature = "enc-kw"))]
fn make_tlv() -> TlvGen {
TlvGen::new_ecdsa()
}
@@ -1213,6 +1220,7 @@
}
#[cfg(not(feature = "sig-rsa"))]
+#[cfg(not(feature = "sig-ecdsa"))]
#[cfg(feature = "enc-kw")]
fn make_tlv() -> TlvGen {
TlvGen::new_enc_kw()
diff --git a/sim/src/tlv.rs b/sim/src/tlv.rs
index afc34aa..9aea50d 100644
--- a/sim/src/tlv.rs
+++ b/sim/src/tlv.rs
@@ -117,6 +117,16 @@
}
}
+ #[allow(dead_code)]
+ pub fn new_ecdsa_kw() -> TlvGen {
+ TlvGen {
+ flags: TlvFlags::ENCRYPTED as u32,
+ kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSA256, TlvKinds::ENCKW128],
+ size: 4 + 32 + 4 + 32 + 4 + 72 + 4 + 24,
+ payload: vec![],
+ }
+ }
+
/// Retrieve the header flags for this configuration. This can be called at any time.
pub fn get_flags(&self) -> u32 {
self.flags