Build: Add RSA-3072 support

PSA TBSA-M recommends to use RSA signature for firmware
authentication with at least 3072 bits length key size.

Change-Id: I0689123d61b55167b3efab90fe520e94d9586055
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 318e7f0..c75cc79 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -226,6 +226,12 @@
 
 if (BL2)
 	add_definitions(-DBL2)
+	if (NOT ${MCUBOOT_SIGNATURE_TYPE} STREQUAL "RSA-2048" AND NOT ${MCUBOOT_SIGNATURE_TYPE} STREQUAL "RSA-3072")
+		message(FATAL_ERROR "MCUBoot only supports RSA-2048 and RSA-3072 signature")
+	endif()
+	if (NOT DEFINED MCUBOOT_SIGNATURE_TYPE)
+		set(MCUBOOT_SIGNATURE_TYPE "RSA-2048")
+	endif()
 	if (NOT ${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "OVERWRITE_ONLY" AND
 		NOT ${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "SWAP" AND
 		NOT ${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "NO_SWAP" AND
@@ -286,3 +292,6 @@
 
 ##Set mbedTLS compiler flags for BL2 bootloader
 set(MBEDTLS_C_FLAGS_BL2 "-D__ARM_FEATURE_CMSE=3 -D__thumb2__ ${COMMON_COMPILE_FLAGS_STR} -DMBEDTLS_CONFIG_FILE=\\\\\\\"config-boot.h\\\\\\\" -I${CMAKE_CURRENT_LIST_DIR}/bl2/ext/mcuboot/include")
+if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+	string(APPEND MBEDTLS_C_FLAGS_BL2 " -DMCUBOOT_SIGN_RSA_LEN=3072")
+endif()
\ No newline at end of file
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 06e0d5b..19ddf3d 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -130,12 +130,19 @@
 
 #Set macro definitions for the project.
 target_compile_definitions(${PROJECT_NAME} PRIVATE
-							MCUBOOT_SIGN_RSA
 							MCUBOOT_VALIDATE_SLOT0
 							MCUBOOT_USE_FLASH_AREA_GET_SECTORS
 							MBEDTLS_CONFIG_FILE="config-boot.h"
 							MCUBOOT_TARGET_CONFIG="flash_layout.h")
 
+if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+	target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_SIGN_RSA MCUBOOT_SIGN_RSA_LEN=3072)
+elseif(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-2048")
+	target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_SIGN_RSA MCUBOOT_SIGN_RSA_LEN=2048)
+else()
+	message(FATAL_ERROR "${MCUBOOT_SIGNATURE_TYPE} is not supported as firmware signing algorithm")
+endif()
+
 if (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "OVERWRITE_ONLY")
 	target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_OVERWRITE_ONLY)
 elseif (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "NO_SWAP")
diff --git a/bl2/ext/mcuboot/MCUBoot.cmake b/bl2/ext/mcuboot/MCUBoot.cmake
index 95f5ff0..7c2caba 100644
--- a/bl2/ext/mcuboot/MCUBoot.cmake
+++ b/bl2/ext/mcuboot/MCUBoot.cmake
@@ -47,6 +47,14 @@
 		message(FATAL_ERROR "ERROR: Incomplete Configuration: FLASH_LAYOUT is not defined.")
 	endif()
 
+	if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+		set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-3072.pem")
+	elseif(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-2048")
+		set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-2048.pem")
+	else()
+		message(FATAL_ERROR "${MCUBOOT_SIGNATURE_TYPE} is not supported as firmware signing algorithm")
+	endif()
+
 	if (DEFINED SECURITY_COUNTER)
 		set (ADD_SECURITY_COUNTER "-s ${SECURITY_COUNTER}")
 	else()
@@ -66,7 +74,7 @@
 						COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/imgtool.py
 						ARGS sign
 							 --layout ${FLASH_LAYOUT}
-							 -k ${MCUBOOT_DIR}/root-rsa-2048.pem
+							 -k ${KEY_FILE}
 							 --align 1
 							 -v ${IMAGE_VERSION}
 							 ${ADD_SECURITY_COUNTER}
diff --git a/docs/user_guides/tfm_secure_boot.rst b/docs/user_guides/tfm_secure_boot.rst
index 9097538..066d916 100644
--- a/docs/user_guides/tfm_secure_boot.rst
+++ b/docs/user_guides/tfm_secure_boot.rst
@@ -20,14 +20,14 @@
 
 Bootloader is started when CPU is released from reset. It runs in secure mode.
 It authenticates the firmware image by hash (SHA-256) and digital signature
-(RSA-2048) validation. Public key, that the checks happens against, is built
+(RSA-3072) validation. Public key, that the checks happens against, is built
 into the bootloader image. Metadata of the image is delivered together with the
 image itself in a header and trailer section. In case of successful
 authentication, bootloader passes execution to the secure image. Execution never
 returns to bootloader until next reset.
 
 A default RSA key pair is stored in the repository, public key is in ``keys.c``
-and private key is in ``root-rsa-2048.pem``.
+and private key is in ``root-rsa-3072.pem``.
 
 .. Warning::
     DO NOT use them in production code, they are exclusively for testing!
@@ -37,7 +37,7 @@
 
 The bootloader handles the secure and non-secure images as a single blob which
 is contiguous in the device memory. At compile time these images are
-concatenated and signed with RSA-2048 digital signature. Preparation of payload
+concatenated and signed with RSA-3072 digital signature. Preparation of payload
 is done by Python scripts: ``bl2/ext/mcuboot/scripts/``. At the end of a
 successful build signed TF-M payload can be found in:
 ``<build_dir>/install/outputs/fvp/tfm_sign.bin``
@@ -196,6 +196,15 @@
     ``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the top-level
     configuration file, or include this macro definition in the command line
 
+********************
+Signature algorithms
+********************
+MbedTLS library is used to sign the images. The list of supported signing
+algorithms:
+    - RSA-2048
+    - RSA-3072 (default)
+Example keys stored in ``root-rsa-2048.pem`` and ``root-rsa-3072.pem``.
+
 ************************
 Build time configuration
 ************************
@@ -219,6 +228,9 @@
     - **"RAM_LOADING":** Activate RAM loading firmware upgrade operation, where
       latest image is copied to RAM and runs from there instead of being
       executed in-place.
+- MCUBOOT_SIGNATURE_TYPE (default: RSA-3072):
+    - **RSA-3072** Image is signed with RSA-3072 algorithm
+    - **RSA-2048** Image is signed with RSA-2048 algorithm
 
 Image versioning
 ================