zephyr: Support RSA, and ECDSA P-256 signing
Make it clear in the top-level Makefile how to configure mcuboot for Zephyr for a particular signing algorithm. Currently supported, are the RSA signatures, and ECDSA with the P-256 curve. These configuration lines will select the code built in the bootloader, as well as which public key gets included with the image. This also adds a demo public key for the P-256 signatures.
This commit is contained in:
parent
baff96ff23
commit
3869e76090
27
Makefile
27
Makefile
|
@ -1,5 +1,30 @@
|
|||
BOARD ?= qemu_x86
|
||||
# Makefile for building mcuboot as a Zephyr project.
|
||||
|
||||
# These are the main configuration choices, mainly having to do with
|
||||
# what signature algorithm is desired. Choose one of the blocks
|
||||
# below, and uncomment the settings after it.
|
||||
|
||||
#####
|
||||
# RSA
|
||||
#####
|
||||
CONF_FILE = boot/zephyr/prj.conf
|
||||
CFLAGS += -DBOOTUTIL_SIGN_RSA
|
||||
|
||||
#############
|
||||
# ECDSA P-256
|
||||
#############
|
||||
#CONF_FILE = boot/zephyr/prj-p256.conf
|
||||
#CFLAGS += -DBOOTUTIL_SIGN_EC256
|
||||
|
||||
##############################
|
||||
# End of configuration blocks.
|
||||
##############################
|
||||
|
||||
# The board should be set to one of the targets supported by
|
||||
# mcuboot/Zephyr. These can be found in ``boot/zephyr/targets``
|
||||
BOARD ?= qemu_x86
|
||||
|
||||
# The source to the Zephyr-specific code lives here.
|
||||
SOURCE_DIR = boot/zephyr
|
||||
|
||||
# Needed for mbedtls config-boot.h file.
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
# Makefile for Zephyr build
|
||||
|
||||
ccflags-y += -DBOOTUTIL_SIGN_RSA
|
||||
|
||||
obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o
|
||||
obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o image_ec256.o
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
/*
|
||||
* Configuration of mbedTLS containing only the ASN.1 parser.
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* Copyright (C) 2016, Linaro Ltd
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
/*
|
||||
* Minimal configuration for using TLS in the bootloader
|
||||
*
|
||||
* - RSA or ECDSA signature verification
|
||||
*/
|
||||
|
||||
#ifndef MBEDTLS_CONFIG_H
|
||||
#define MBEDTLS_CONFIG_H
|
||||
|
||||
#define MBEDTLS_PLATFORM_C
|
||||
#define MBEDTLS_PLATFORM_MEMORY
|
||||
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
||||
|
||||
/* mbed TLS modules */
|
||||
#define MBEDTLS_ASN1_PARSE_C
|
||||
// #define MBEDTLS_ASN1_WRITE_C
|
||||
// #define MBEDTLS_BIGNUM_C
|
||||
// #define MBEDTLS_MD_C
|
||||
// #define MBEDTLS_OID_C
|
||||
#define MBEDTLS_SHA256_C
|
||||
|
||||
#include "mbedtls/check_config.h"
|
||||
|
||||
#endif /* MBEDTLS_CONFIG_H */
|
|
@ -19,6 +19,7 @@
|
|||
|
||||
#include <bootutil/sign_key.h>
|
||||
|
||||
#if defined(BOOTUTIL_SIGN_RSA)
|
||||
const unsigned char root_pub_der[] = {
|
||||
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0x06, 0x08,
|
||||
0x1a, 0x18, 0x44, 0x2c, 0x18, 0xe8, 0xfb, 0xfd, 0xf7, 0x0d, 0xa3, 0x4f,
|
||||
|
@ -45,6 +46,24 @@ const unsigned char root_pub_der[] = {
|
|||
0xc9, 0x02, 0x03, 0x01, 0x00, 0x01
|
||||
};
|
||||
const unsigned int root_pub_der_len = 270;
|
||||
#elif defined(BOOTUTIL_SIGN_EC256)
|
||||
const unsigned char root_pub_der[] = {
|
||||
0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
|
||||
0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
|
||||
0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
|
||||
0x42, 0x00, 0x04, 0x2a, 0xcb, 0x40, 0x3c, 0xe8,
|
||||
0xfe, 0xed, 0x5b, 0xa4, 0x49, 0x95, 0xa1, 0xa9,
|
||||
0x1d, 0xae, 0xe8, 0xdb, 0xbe, 0x19, 0x37, 0xcd,
|
||||
0x14, 0xfb, 0x2f, 0x24, 0x57, 0x37, 0xe5, 0x95,
|
||||
0x39, 0x88, 0xd9, 0x94, 0xb9, 0xd6, 0x5a, 0xeb,
|
||||
0xd7, 0xcd, 0xd5, 0x30, 0x8a, 0xd6, 0xfe, 0x48,
|
||||
0xb2, 0x4a, 0x6a, 0x81, 0x0e, 0xe5, 0xf0, 0x7d,
|
||||
0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53,
|
||||
0x8e, 0xfa, 0xc1, };
|
||||
const unsigned int root_pub_der_len = 91;
|
||||
#else
|
||||
#error "No public key available for given signing algorithm."
|
||||
#endif
|
||||
|
||||
const struct bootutil_key bootutil_keys[] = {
|
||||
{
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
CONFIG_CONSOLE_HANDLER=y
|
||||
CONFIG_SYS_LOG=y
|
||||
CONFIG_DEBUG=y
|
||||
|
||||
CONFIG_MAIN_STACK_SIZE=10240
|
||||
CONFIG_MBEDTLS=y
|
||||
CONFIG_MBEDTLS_BUILTIN=y
|
||||
CONFIG_MBEDTLS_CFG_FILE="config-asn1.h"
|
||||
CONFIG_TINYCRYPT=y
|
||||
CONFIG_TINYCRYPT_ECC_DSA=y
|
||||
|
||||
### mbedTLS wants a heap
|
||||
CONFIG_HEAP_MEM_POOL_SIZE=16384
|
||||
|
||||
CONFIG_FLASH=y
|
||||
|
||||
### Disable Bluetooth by default
|
||||
# CONFIG_BLUETOOTH is not set
|
|
@ -0,0 +1,5 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEINeY1S+DASQ701QrflXtTHRhGQCw+VBagk/h6OwGO8/xoAoGCCqGSM49
|
||||
AwEHoUQDQgAEKstAPOj+7VukSZWhqR2u6Nu+GTfNFPsvJFc35ZU5iNmUudZa69fN
|
||||
1TCK1v5IskpqgQ7l8H2LaDTMOmr8U476wQ==
|
||||
-----END EC PRIVATE KEY-----
|
60
sign.sh
60
sign.sh
|
@ -1,22 +1,48 @@
|
|||
#! /bin/sh
|
||||
|
||||
# This script can be used as an example of how to sign images.
|
||||
|
||||
source $(dirname $0)/target.sh
|
||||
|
||||
./scripts/zep2newt.py \
|
||||
--bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
|
||||
--key root.pem \
|
||||
--sig RSA \
|
||||
--out shell.signed.bin \
|
||||
--vtoff 0x200 \
|
||||
--word-size 8 \
|
||||
--image-version 3 \
|
||||
--bit --pad 0x20000
|
||||
# RSA signatures can be made with the signing script in the scripts
|
||||
# directory.
|
||||
if true; then
|
||||
./scripts/zep2newt.py \
|
||||
--bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
|
||||
--key root.pem \
|
||||
--sig RSA \
|
||||
--out shell.signed.bin \
|
||||
--vtoff 0x200 \
|
||||
--word-size 8 \
|
||||
--image-version 3 \
|
||||
--bit --pad 0x20000
|
||||
|
||||
./scripts/zep2newt.py \
|
||||
--bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
|
||||
--key root.pem \
|
||||
--sig RSA \
|
||||
--vtoff 0x200 \
|
||||
--word-size 8 \
|
||||
--image-version 2 \
|
||||
--out hello.signed.bin
|
||||
./scripts/zep2newt.py \
|
||||
--bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
|
||||
--key root.pem \
|
||||
--sig RSA \
|
||||
--vtoff 0x200 \
|
||||
--word-size 8 \
|
||||
--image-version 2 \
|
||||
--out hello.signed.bin
|
||||
fi
|
||||
|
||||
# Currently, ECDSA signatures need to be made with the imgtool. See
|
||||
# 'imgtool' for instructions on building the tool.
|
||||
if false; then
|
||||
imgtool sign \
|
||||
--key root_ec.pem \
|
||||
--header-size 0x200 \
|
||||
--version 3.0 \
|
||||
--align 8 \
|
||||
--pad 0x20000 \
|
||||
../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
|
||||
shell.signed.bin
|
||||
|
||||
imgtool sign \
|
||||
--key root_ec.pem \
|
||||
--header-size 0x200 \
|
||||
--version 3.0 \
|
||||
../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
|
||||
hello.signed.bin
|
||||
fi
|
||||
|
|
Loading…
Reference in New Issue