zephyr: Support RSA, and ECDSA P-256 signing

Make it clear in the top-level Makefile how to configure mcuboot for
Zephyr for a particular signing algorithm.  Currently supported are
RSA signatures and ECDSA with the P-256 curve.  These configuration
lines will select the code built in the bootloader, as well as which
public key gets included with the image.

This also adds a demo public key for the P-256 signatures.
David Brown 2017-02-02 08:10:23 -07:00
parent baff96ff23
commit 3869e76090
8 changed files with 159 additions and 21 deletions


@ -1,5 +1,30 @@
BOARD ?= qemu_x86
# Makefile for building mcuboot as a Zephyr project.
# These are the main configuration choices, mainly having to do with
# what signature algorithm is desired. Choose one of the blocks
# below, and uncomment the settings after it.
#####
# RSA
#####
CONF_FILE = boot/zephyr/prj.conf
CFLAGS += -DBOOTUTIL_SIGN_RSA
#############
# ECDSA P-256
#############
#CONF_FILE = boot/zephyr/prj-p256.conf
#CFLAGS += -DBOOTUTIL_SIGN_EC256
##############################
# End of configuration blocks.
##############################
# The board should be set to one of the targets supported by
# mcuboot/Zephyr. These can be found in ``boot/zephyr/targets``
BOARD ?= qemu_x86
# The source to the Zephyr-specific code lives here.
SOURCE_DIR = boot/zephyr
# Needed for mbedtls config-boot.h file.
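Review bot: Nothing in the configuration blocks keeps `CONF_FILE` and `CFLAGS` in step, or stops both `-DBOOTUTIL_SIGN_*` lines from being active at once. The key selection later in this commit is `#if defined(BOOTUTIL_SIGN_RSA) ... #elif defined(BOOTUTIL_SIGN_EC256)`, so with both defined the RSA key is chosen without any diagnostic, and a P-256 define paired with `prj.conf` would presumably build against the wrong crypto configuration. I would state the rule in the header comment, `# Enable exactly one block; CONF_FILE and CFLAGS must be changed together.`, and back it with a compile-time check in the key file: `#if defined(BOOTUTIL_SIGN_RSA) && defined(BOOTUTIL_SIGN_EC256)` followed by `#error "Select exactly one signature algorithm."`.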


@ -1,5 +1,3 @@
# Makefile for Zephyr build
ccflags-y += -DBOOTUTIL_SIGN_RSA
obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o
obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o image_ec256.o
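Review bot: `image_rsa.o` and `image_ec256.o` are now both built whichever algorithm is selected, so the P-256 configuration only compiles if `image_rsa.c` reduces to nothing when `BOOTUTIL_SIGN_RSA` is undefined; that guard is not visible in this section. The P-256 mbedTLS configuration added in this commit leaves `MBEDTLS_BIGNUM_C` commented out, so an unguarded RSA verifier would presumably fail to build or link. A comment above the list would record the dependency: `# Both verifiers are always compiled; each file must be wrapped in its BOOTUTIL_SIGN_* guard.`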


@ -0,0 +1,47 @@
/*
* Configuration of mbedTLS containing only the ASN.1 parser.
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* Copyright (C) 2016, Linaro Ltd
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* Minimal configuration for using TLS in the bootloader
*
* - RSA or ECDSA signature verification
*/
#ifndef MBEDTLS_CONFIG_H
#define MBEDTLS_CONFIG_H
#define MBEDTLS_PLATFORM_C
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* mbed TLS modules */
#define MBEDTLS_ASN1_PARSE_C
// #define MBEDTLS_ASN1_WRITE_C
// #define MBEDTLS_BIGNUM_C
// #define MBEDTLS_MD_C
// #define MBEDTLS_OID_C
#define MBEDTLS_SHA256_C
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_CONFIG_H */
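Review bot: The two header comments disagree with what the file enables: the first says the configuration contains only the ASN.1 parser, the second calls it a minimal TLS configuration for RSA or ECDSA signature verification, while the defines turn on `MBEDTLS_ASN1_PARSE_C` and `MBEDTLS_SHA256_C` and leave bignum, MD and OID commented out. No signature verification can come from mbedTLS with this set, and the P-256 project configuration enables `CONFIG_TINYCRYPT_ECC_DSA`, so the verifier presumably lives in TinyCrypt. I would replace the second comment with `/* mbed TLS provides ASN.1 parsing and SHA-256 only; signature verification is done outside mbed TLS. */` and delete the commented-out defines rather than keep them as dead lines.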


@ -19,6 +19,7 @@
#include <bootutil/sign_key.h>
#if defined(BOOTUTIL_SIGN_RSA)
const unsigned char root_pub_der[] = {
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0x06, 0x08,
0x1a, 0x18, 0x44, 0x2c, 0x18, 0xe8, 0xfb, 0xfd, 0xf7, 0x0d, 0xa3, 0x4f,
@ -45,6 +46,24 @@ const unsigned char root_pub_der[] = {
0xc9, 0x02, 0x03, 0x01, 0x00, 0x01
};
const unsigned int root_pub_der_len = 270;
#elif defined(BOOTUTIL_SIGN_EC256)
const unsigned char root_pub_der[] = {
0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
0x42, 0x00, 0x04, 0x2a, 0xcb, 0x40, 0x3c, 0xe8,
0xfe, 0xed, 0x5b, 0xa4, 0x49, 0x95, 0xa1, 0xa9,
0x1d, 0xae, 0xe8, 0xdb, 0xbe, 0x19, 0x37, 0xcd,
0x14, 0xfb, 0x2f, 0x24, 0x57, 0x37, 0xe5, 0x95,
0x39, 0x88, 0xd9, 0x94, 0xb9, 0xd6, 0x5a, 0xeb,
0xd7, 0xcd, 0xd5, 0x30, 0x8a, 0xd6, 0xfe, 0x48,
0xb2, 0x4a, 0x6a, 0x81, 0x0e, 0xe5, 0xf0, 0x7d,
0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53,
0x8e, 0xfa, 0xc1, };
const unsigned int root_pub_der_len = 91;
#else
#error "No public key available for given signing algorithm."
#endif
const struct bootutil_key bootutil_keys[] = {
{
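Review bot: The P-256 public key added in the `BOOTUTIL_SIGN_EC256` branch is the public half of the `root-ec-p256.pem` private key committed in this same change (the point in the PEM starts with the same bytes, 0x2a 0xcb 0x40), so a bootloader built with it accepts images signed by anyone who has the repository. The commit message calls it a demo key, but nothing in the source says so. I would put a comment above the array: `/* DEMO KEY: the matching private key is public in root-ec-p256.pem. Replace before any production build. */`. Separately, `root_pub_der_len = 91` is correct for the bytes shown, but `sizeof(root_pub_der)` would keep the length from drifting when the key is replaced. The `bootutil_keys` initializer continues past the end of this hunk.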

18
boot/zephyr/prj-p256.conf Normal file

@ -0,0 +1,18 @@
CONFIG_CONSOLE_HANDLER=y
CONFIG_SYS_LOG=y
CONFIG_DEBUG=y
CONFIG_MAIN_STACK_SIZE=10240
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_CFG_FILE="config-asn1.h"
CONFIG_TINYCRYPT=y
CONFIG_TINYCRYPT_ECC_DSA=y
### mbedTLS wants a heap
CONFIG_HEAP_MEM_POOL_SIZE=16384
CONFIG_FLASH=y
### Disable Bluetooth by default
# CONFIG_BLUETOOTH is not set
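Review bot: `CONFIG_CONSOLE_HANDLER=y` and `CONFIG_DEBUG=y` are development settings, and this file is the configuration a user gets by following the P-256 instructions in the top-level Makefile. An interactive console and debug build in the component that enforces image signatures is probably not what a shipped bootloader should carry. I would mark them with a comment, `### Development settings; turn off for production bootloaders`, so they are not copied forward unnoticed.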

5
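--- a/root-ec-p256.pem
+++ b/root-ec-p256.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINeY1S+DASQ701QrflXtTHRhGQCw+VBagk/h6OwGO8/xoAoGCCqGSM49
+AwEHoUQDQgAEKstAPOj+7VukSZWhqR2u6Nu+GTfNFPsvJFc35ZU5iNmUudZa69fN
+1TCK1v5IskpqgQ7l8H2LaDTMOmr8U476wQ==
+-----END EC PRIVATE KEY-----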

60
sign.sh

@ -1,22 +1,48 @@
#! /bin/sh
# This script can be used as an example of how to sign images.
source $(dirname $0)/target.sh
./scripts/zep2newt.py \
--bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
--key root.pem \
--sig RSA \
--out shell.signed.bin \
--vtoff 0x200 \
--word-size 8 \
--image-version 3 \
--bit --pad 0x20000
# RSA signatures can be made with the signing script in the scripts
# directory.
if true; then
./scripts/zep2newt.py \
--bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
--key root.pem \
--sig RSA \
--out shell.signed.bin \
--vtoff 0x200 \
--word-size 8 \
--image-version 3 \
--bit --pad 0x20000
./scripts/zep2newt.py \
--bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
--key root.pem \
--sig RSA \
--vtoff 0x200 \
--word-size 8 \
--image-version 2 \
--out hello.signed.bin
./scripts/zep2newt.py \
--bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
--key root.pem \
--sig RSA \
--vtoff 0x200 \
--word-size 8 \
--image-version 2 \
--out hello.signed.bin
fi
# Currently, ECDSA signatures need to be made with the imgtool. See
# 'imgtool' for instructions on building the tool.
if false; then
imgtool sign \
--key root_ec.pem \
--header-size 0x200 \
--version 3.0 \
--align 8 \
--pad 0x20000 \
../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
shell.signed.bin
imgtool sign \
--key root_ec.pem \
--header-size 0x200 \
--version 3.0 \
../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
hello.signed.bin
fi
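Review bot: Both `imgtool sign` calls pass `--key root_ec.pem`, but the key file this commit adds is named `root-ec-p256.pem` and no `root_ec.pem` appears in the change, so the ECDSA branch would likely fail on a missing key as soon as `if false` is flipped. I would change the two lines to `--key root-ec-p256.pem \`. The second call also omits `--align 8` and stamps hello_world with `--version 3.0`, whereas the RSA branch gives it `--image-version 2`; if that difference is intended, a comment should say so.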