TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / e369784ba4cd699a5b85e608a61c8aad06420eaf^! / . / docs
commite369784ba4cd699a5b85e608a61c8aad06420eaf[log] [tgz]
authorDavid Vincze <david.vincze@arm.com>Wed Apr 03 10:24:26 2024 +0200
committerDavid Brown <davidb@davidb.org>Wed Apr 10 12:05:08 2024 -0600
tree53d1b964ee3b6bb18ac69d7e375a2aa929ff1955
parent39757d6a426824bf0255b84d3eef8463cf2f4f0d [diff]
bootutil: Allow the usage of builtin keys in verification

Introduce a new MCUBOOT_BUILTIN_KEY option to enable the usage of
builtin keys for signature verification. This way the details of the key
handling mechanism are abstracted away from the boot code and this
responsibility is delegated to the given crypto library.
This is an alternative option to the existing MCUBOOT_HW_KEY feature,
however in this case we can entirely rely on key IDs and not only the
code, but also the image metadata does not contain any public key data.

Change-Id: Id01b67951310549b2734730c58bfa7210a2d5236
Signed-off-by: David Vincze <david.vincze@arm.com>

diff --git a/docs/design.md b/docs/design.md
index 27262bd..8539ae0 100755
--- a/docs/design.md
+++ b/docs/design.md

@@ -3,7 +3,7 @@
 
   - Copyright (c) 2017-2020 Linaro LTD
   - Copyright (c) 2017-2019 JUUL Labs
-  - Copyright (c) 2019-2023 Arm Limited
+  - Copyright (c) 2019-2024 Arm Limited
 
   - Original license:
 
@@ -1182,8 +1182,15 @@
 
 By default, the whole public key is embedded in the bootloader code and its
 hash is added to the image manifest as a KEYHASH TLV entry. As an alternative
-the bootloader can be made independent of the keys by setting the
-`MCUBOOT_HW_KEY` option. In this case the hash of the public key must be
+the bootloader can be made independent of the keys (avoiding the incorporation
+of the public key into the code) by using one of the following options:
+`MCUBOOT_HW_KEY` or `MCUBOOT_BUILTIN_KEY`.
+
+Using any of these options makes MCUboot independent from the public key(s).
+The key(s) can be provisioned any time and by different parties.
+
+Hardware KEYs support options details:
+- `MCUBOOT_HW_KEY`: In this case the hash of the public key must be
 provisioned to the target device and MCUboot must be able to retrieve the
 key-hash from there. For this reason the target must provide a definition
 for the `boot_retrieve_public_key_hash()` function which is declared in
@@ -1193,8 +1200,17 @@
 hash (KEYHASH TLV). During boot the public key is validated before using it for
 signature verification, MCUboot calculates the hash of the public key from the
 TLV area and compares it with the key-hash that was retrieved from the device.
-This way MCUboot is independent from the public key(s). The key(s) can be
-provisioned any time and by different parties.
+- `MCUBOOT_BUILTIN_KEY`: With this option the whole public key(s) used for
+signature verification must be provisioned to the target device and the used
+[cryptographic library](PORTING.md) must support the usage of builtin keys based
+on key IDs. In this case, neither the code nor the image metadata needs to
+contain any public key data. During image validation only a key ID is passed to
+the verifier function. The key handling is entirely the responsibility of the
+crypto library and the details of the key handling mechanism are abstracted away
+from the boot code.\
+***Note:*** *At the moment the usage of builtin keys is only available with the*
+*PSA Crypto API based crypto backend (`MCUBOOT_USE_PSA_CRYPTO`) for ECDSA*
+*signatures.*
 
 ## [Protected TLVs](#protected-tlvs)