Build: Add RSA-3072 support
PSA TBSA-M recommends to use RSA signature for firmware
authentication with at least 3072 bits length key size.
Change-Id: I0689123d61b55167b3efab90fe520e94d9586055
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/CommonConfig.cmake b/CommonConfig.cmake
index 318e7f0..c75cc79 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -226,6 +226,12 @@
if (BL2)
add_definitions(-DBL2)
+ if (NOT ${MCUBOOT_SIGNATURE_TYPE} STREQUAL "RSA-2048" AND NOT ${MCUBOOT_SIGNATURE_TYPE} STREQUAL "RSA-3072")
+ message(FATAL_ERROR "MCUBoot only supports RSA-2048 and RSA-3072 signature")
+ endif()
+ if (NOT DEFINED MCUBOOT_SIGNATURE_TYPE)
+ set(MCUBOOT_SIGNATURE_TYPE "RSA-2048")
+ endif()
if (NOT ${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "OVERWRITE_ONLY" AND
NOT ${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "SWAP" AND
NOT ${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "NO_SWAP" AND
@@ -286,3 +292,6 @@
##Set mbedTLS compiler flags for BL2 bootloader
set(MBEDTLS_C_FLAGS_BL2 "-D__ARM_FEATURE_CMSE=3 -D__thumb2__ ${COMMON_COMPILE_FLAGS_STR} -DMBEDTLS_CONFIG_FILE=\\\\\\\"config-boot.h\\\\\\\" -I${CMAKE_CURRENT_LIST_DIR}/bl2/ext/mcuboot/include")
+if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+ string(APPEND MBEDTLS_C_FLAGS_BL2 " -DMCUBOOT_SIGN_RSA_LEN=3072")
+endif()
\ No newline at end of file
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 06e0d5b..19ddf3d 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -130,12 +130,19 @@
#Set macro definitions for the project.
target_compile_definitions(${PROJECT_NAME} PRIVATE
- MCUBOOT_SIGN_RSA
MCUBOOT_VALIDATE_SLOT0
MCUBOOT_USE_FLASH_AREA_GET_SECTORS
MBEDTLS_CONFIG_FILE="config-boot.h"
MCUBOOT_TARGET_CONFIG="flash_layout.h")
+if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+ target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_SIGN_RSA MCUBOOT_SIGN_RSA_LEN=3072)
+elseif(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-2048")
+ target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_SIGN_RSA MCUBOOT_SIGN_RSA_LEN=2048)
+else()
+ message(FATAL_ERROR "${MCUBOOT_SIGNATURE_TYPE} is not supported as firmware signing algorithm")
+endif()
+
if (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "OVERWRITE_ONLY")
target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_OVERWRITE_ONLY)
elseif (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "NO_SWAP")
diff --git a/bl2/ext/mcuboot/MCUBoot.cmake b/bl2/ext/mcuboot/MCUBoot.cmake
index 95f5ff0..7c2caba 100644
--- a/bl2/ext/mcuboot/MCUBoot.cmake
+++ b/bl2/ext/mcuboot/MCUBoot.cmake
@@ -47,6 +47,14 @@
message(FATAL_ERROR "ERROR: Incomplete Configuration: FLASH_LAYOUT is not defined.")
endif()
+ if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+ set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-3072.pem")
+ elseif(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-2048")
+ set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-2048.pem")
+ else()
+ message(FATAL_ERROR "${MCUBOOT_SIGNATURE_TYPE} is not supported as firmware signing algorithm")
+ endif()
+
if (DEFINED SECURITY_COUNTER)
set (ADD_SECURITY_COUNTER "-s ${SECURITY_COUNTER}")
else()
@@ -66,7 +74,7 @@
COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/imgtool.py
ARGS sign
--layout ${FLASH_LAYOUT}
- -k ${MCUBOOT_DIR}/root-rsa-2048.pem
+ -k ${KEY_FILE}
--align 1
-v ${IMAGE_VERSION}
${ADD_SECURITY_COUNTER}
diff --git a/docs/user_guides/tfm_secure_boot.rst b/docs/user_guides/tfm_secure_boot.rst
index 9097538..066d916 100644
--- a/docs/user_guides/tfm_secure_boot.rst
+++ b/docs/user_guides/tfm_secure_boot.rst
@@ -20,14 +20,14 @@
Bootloader is started when CPU is released from reset. It runs in secure mode.
It authenticates the firmware image by hash (SHA-256) and digital signature
-(RSA-2048) validation. Public key, that the checks happens against, is built
+(RSA-3072) validation. Public key, that the checks happens against, is built
into the bootloader image. Metadata of the image is delivered together with the
image itself in a header and trailer section. In case of successful
authentication, bootloader passes execution to the secure image. Execution never
returns to bootloader until next reset.
A default RSA key pair is stored in the repository, public key is in ``keys.c``
-and private key is in ``root-rsa-2048.pem``.
+and private key is in ``root-rsa-3072.pem``.
.. Warning::
DO NOT use them in production code, they are exclusively for testing!
@@ -37,7 +37,7 @@
The bootloader handles the secure and non-secure images as a single blob which
is contiguous in the device memory. At compile time these images are
-concatenated and signed with RSA-2048 digital signature. Preparation of payload
+concatenated and signed with RSA-3072 digital signature. Preparation of payload
is done by Python scripts: ``bl2/ext/mcuboot/scripts/``. At the end of a
successful build signed TF-M payload can be found in:
``<build_dir>/install/outputs/fvp/tfm_sign.bin``
@@ -196,6 +196,15 @@
``MCUBOOT_UPGRADE_STRATEGY`` configuration variable in the top-level
configuration file, or include this macro definition in the command line
+********************
+Signature algorithms
+********************
+MbedTLS library is used to sign the images. The list of supported signing
+algorithms:
+ - RSA-2048
+ - RSA-3072 (default)
+Example keys stored in ``root-rsa-2048.pem`` and ``root-rsa-3072.pem``.
+
************************
Build time configuration
************************
@@ -219,6 +228,9 @@
- **"RAM_LOADING":** Activate RAM loading firmware upgrade operation, where
latest image is copied to RAM and runs from there instead of being
executed in-place.
+- MCUBOOT_SIGNATURE_TYPE (default: RSA-3072):
+ - **RSA-3072** Image is signed with RSA-3072 algorithm
+ - **RSA-2048** Image is signed with RSA-2048 algorithm
Image versioning
================