commit 7801ed4dcba33a5412ed5c9bcbded0ee6d48dd52
author Tamas Ban <tamas.ban@arm.com> Mon May 20 13:21:53 2019 +0100
committer Tamas Ban <tamas.ban@arm.com> Fri May 24 12:26:02 2019 +0000
tree 5313b77e497f7193a2f4fa172a4d99de64aeb59b
parent 861835c0c534848bf6dcd81ef8042cfc1b0bffae

Build: Add RSA-3072 support

PSA TBSA-M recommends to use RSA signature for firmware
authentication with at least 3072 bits length key size.

Change-Id: I0689123d61b55167b3efab90fe520e94d9586055
Signed-off-by: Tamas Ban <tamas.ban@arm.com>

bl2/ext/mcuboot/CMakeLists.txt

diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 06e0d5b..19ddf3d 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -130,12 +130,19 @@
 
 #Set macro definitions for the project.
 target_compile_definitions(${PROJECT_NAME} PRIVATE
-							MCUBOOT_SIGN_RSA
 							MCUBOOT_VALIDATE_SLOT0
 							MCUBOOT_USE_FLASH_AREA_GET_SECTORS
 							MBEDTLS_CONFIG_FILE="config-boot.h"
 							MCUBOOT_TARGET_CONFIG="flash_layout.h")
 
+if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+	target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_SIGN_RSA MCUBOOT_SIGN_RSA_LEN=3072)
+elseif(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-2048")
+	target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_SIGN_RSA MCUBOOT_SIGN_RSA_LEN=2048)
+else()
+	message(FATAL_ERROR "${MCUBOOT_SIGNATURE_TYPE} is not supported as firmware signing algorithm")
+endif()
+
 if (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "OVERWRITE_ONLY")
 	target_compile_definitions(${PROJECT_NAME} PRIVATE MCUBOOT_OVERWRITE_ONLY)
 elseif (${MCUBOOT_UPGRADE_STRATEGY} STREQUAL "NO_SWAP")

bl2/ext/mcuboot/MCUBoot.cmake

diff --git a/bl2/ext/mcuboot/MCUBoot.cmake b/bl2/ext/mcuboot/MCUBoot.cmake
index 95f5ff0..7c2caba 100644
--- a/bl2/ext/mcuboot/MCUBoot.cmake
+++ b/bl2/ext/mcuboot/MCUBoot.cmake
@@ -47,6 +47,14 @@
 		message(FATAL_ERROR "ERROR: Incomplete Configuration: FLASH_LAYOUT is not defined.")
 	endif()
 
+	if (MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-3072")
+		set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-3072.pem")
+	elseif(MCUBOOT_SIGNATURE_TYPE STREQUAL "RSA-2048")
+		set(KEY_FILE "${MCUBOOT_DIR}/root-rsa-2048.pem")
+	else()
+		message(FATAL_ERROR "${MCUBOOT_SIGNATURE_TYPE} is not supported as firmware signing algorithm")
+	endif()
+
 	if (DEFINED SECURITY_COUNTER)
 		set (ADD_SECURITY_COUNTER "-s ${SECURITY_COUNTER}")
 	else()
@@ -66,7 +74,7 @@
 						COMMAND ${PYTHON_EXECUTABLE} ${MCUBOOT_DIR}/scripts/imgtool.py
 						ARGS sign
 							 --layout ${FLASH_LAYOUT}
-							 -k ${MCUBOOT_DIR}/root-rsa-2048.pem
+							 -k ${KEY_FILE}
 							 --align 1
 							 -v ${IMAGE_VERSION}
 							 ${ADD_SECURITY_COUNTER}