From 3869e760901a27adff47ccaea803a42f1b0169c0 Mon Sep 17 00:00:00 2001
From: David Brown
Date: Thu, 2 Feb 2017 08:10:23 -0700
Subject: [PATCH] zephyr: Support RSA, and ECDSA P-256 signing

Make it clear in the top-level Makefile how to configure mcuboot for Zephyr for a particular signing algorithm. Currently supported, are the RSA signatures, and ECDSA with the P-256 curve. These configuration lines will select the code built in the bootloader, as well as which public key gets included with the image.

This also adds a demo public key for the P-256 signatures.
---
 Makefile | 27 +++++++++++++-
 boot/bootutil/src/Makefile | 4 +-
 boot/zephyr/include/config-asn1.h | 47 ++++++++++++++++++++++++
 boot/zephyr/keys.c | 19 ++++++++++
 boot/zephyr/prj-p256.conf | 18 ++++++++++
 root-ec-p256.pem | 5 +++
 root.pem => root-rsa-2048.pem | 0
 sign.sh | 60 ++++++++++++++++++++++---------
 8 files changed, 159 insertions(+), 21 deletions(-)
 create mode 100644 boot/zephyr/include/config-asn1.h
 create mode 100644 boot/zephyr/prj-p256.conf
 create mode 100644 root-ec-p256.pem
 rename root.pem => root-rsa-2048.pem (100%)

diff --git a/Makefile b/Makefile
index 525e91ed..529184ac 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,30 @@
-BOARD ?= qemu_x86
+# Makefile for building mcuboot as a Zephyr project.
+
+# These are the main configuration choices, mainly having to do with
+# what signature algorithm is desired. Choose one of the blocks
+# below, and uncomment the settings after it.
+
+#####
+# RSA
+#####
 CONF_FILE = boot/zephyr/prj.conf
+CFLAGS += -DBOOTUTIL_SIGN_RSA
+
+#############
+# ECDSA P-256
+#############
+#CONF_FILE = boot/zephyr/prj-p256.conf
+#CFLAGS += -DBOOTUTIL_SIGN_EC256
+
+##############################
+# End of configuration blocks.
+##############################
+
+# The board should be set to one of the targets supported by
+# mcuboot/Zephyr. These can be found in ``boot/zephyr/targets``
+BOARD ?= qemu_x86
+
+# The source to the Zephyr-specific code lives here.
 SOURCE_DIR = boot/zephyr
 # Needed for mbedtls config-boot.h file.
diff --git a/boot/bootutil/src/Makefile b/boot/bootutil/src/Makefile
index 820d7a6f..2ee44527 100644
--- a/boot/bootutil/src/Makefile
+++ b/boot/bootutil/src/Makefile
@@ -1,5 +1,3 @@
 # Makefile for Zephyr build
-ccflags-y += -DBOOTUTIL_SIGN_RSA
-
-obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o
+obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o image_ec256.o
diff --git a/boot/zephyr/include/config-asn1.h b/boot/zephyr/include/config-asn1.h
new file mode 100644
index 00000000..ba5b97c2
--- /dev/null
+++ b/boot/zephyr/include/config-asn1.h
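Review bot: In the boot/bootutil/src/Makefile hunk, `obj-y` now lists image_rsa.o and image_ec256.o unconditionally while the algorithm is selected only by a `-DBOOTUTIL_SIGN_*` define in the top-level Makefile, so this builds cleanly only if each of those sources guards its whole body on its own macro, which this patch does not show. In the P-256 configuration, prj-p256.conf points mbedTLS at config-asn1.h, where MBEDTLS_BIGNUM_C is left commented out, so an unguarded image_rsa.c would presumably fail to compile there. A comment stating the expectation, e.g. `# Both image_rsa.o and image_ec256.o are always built; each source compiles to nothing unless its BOOTUTIL_SIGN_* macro is defined.`, would make the dependency explicit, or the objects could be selected per algorithm instead.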
@@ -0,0 +1,47 @@
+/*
+ * Configuration of mbedTLS containing only the ASN.1 parser.
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2016, Linaro Ltd
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Minimal configuration for using TLS in the bootloader
+ *
+ * - RSA or ECDSA signature verification
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+/* mbed TLS modules */
+#define MBEDTLS_ASN1_PARSE_C
+// #define MBEDTLS_ASN1_WRITE_C
+// #define MBEDTLS_BIGNUM_C
+// #define MBEDTLS_MD_C
+// #define MBEDTLS_OID_C
+#define MBEDTLS_SHA256_C
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */
diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c
index 051eb8a0..9a06f3c0 100644
--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -19,6 +19,7 @@
 #include
+#if defined(BOOTUTIL_SIGN_RSA)
 const unsigned char root_pub_der[] = {
 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0x06, 0x08, 0x1a, 0x18, 0x44, 0x2c, 0x18, 0xe8, 0xfb, 0xfd, 0xf7, 0x0d, 0xa3, 0x4f,
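Review bot: The second header comment in config-asn1.h, `Minimal configuration for using TLS in the bootloader` / `- RSA or ECDSA signature verification`, does not match what the file enables: only MBEDTLS_ASN1_PARSE_C and MBEDTLS_SHA256_C are defined, and MBEDTLS_BIGNUM_C, MBEDTLS_MD_C and MBEDTLS_OID_C are commented out, so mbed TLS built from it can verify neither RSA nor ECDSA. The file is selected by prj-p256.conf, which also sets CONFIG_TINYCRYPT_ECC_DSA=y, so the ECDSA verification presumably comes from TinyCrypt and mbed TLS only supplies the DER parser and SHA-256. Suggest replacing those two comment lines with `Minimal configuration for the ECDSA P-256 build: mbed TLS provides only the ASN.1 parser and SHA-256; the signature itself is verified by TinyCrypt (see boot/zephyr/prj-p256.conf).` The four commented-out `// #define` lines would be better dropped, or given a one-line note on why they are kept, so nobody reads them as switches meant to be toggled.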
@@ -45,6 +46,24 @@ const unsigned char root_pub_der[] = {
 0xc9, 0x02, 0x03, 0x01, 0x00, 0x01 };
 const unsigned int root_pub_der_len = 270;
+#elif defined(BOOTUTIL_SIGN_EC256)
+const unsigned char root_pub_der[] = {
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+ 0x42, 0x00, 0x04, 0x2a, 0xcb, 0x40, 0x3c, 0xe8,
+ 0xfe, 0xed, 0x5b, 0xa4, 0x49, 0x95, 0xa1, 0xa9,
+ 0x1d, 0xae, 0xe8, 0xdb, 0xbe, 0x19, 0x37, 0xcd,
+ 0x14, 0xfb, 0x2f, 0x24, 0x57, 0x37, 0xe5, 0x95,
+ 0x39, 0x88, 0xd9, 0x94, 0xb9, 0xd6, 0x5a, 0xeb,
+ 0xd7, 0xcd, 0xd5, 0x30, 0x8a, 0xd6, 0xfe, 0x48,
+ 0xb2, 0x4a, 0x6a, 0x81, 0x0e, 0xe5, 0xf0, 0x7d,
+ 0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53,
+ 0x8e, 0xfa, 0xc1, };
+const unsigned int root_pub_der_len = 91;
+#else
+#error "No public key available for given signing algorithm."
+#endif
 const struct bootutil_key bootutil_keys[] = {
 {
diff --git a/boot/zephyr/prj-p256.conf b/boot/zephyr/prj-p256.conf
new file mode 100644
index 00000000..95b2b7ef
--- /dev/null
+++ b/boot/zephyr/prj-p256.conf
@@ -0,0 +1,18 @@
+CONFIG_CONSOLE_HANDLER=y
+CONFIG_SYS_LOG=y
+CONFIG_DEBUG=y
+
+CONFIG_MAIN_STACK_SIZE=10240
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_CFG_FILE="config-asn1.h"
+CONFIG_TINYCRYPT=y
+CONFIG_TINYCRYPT_ECC_DSA=y
+
+### mbedTLS wants a heap
+CONFIG_HEAP_MEM_POOL_SIZE=16384
+
+CONFIG_FLASH=y
+
+### Disable Bluetooth by default
+# CONFIG_BLUETOOTH is not set
diff --git a/root-ec-p256.pem b/root-ec-p256.pem
new file mode 100644
index 00000000..2f4accfb
--- /dev/null
+++ b/root-ec-p256.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINeY1S+DASQ701QrflXtTHRhGQCw+VBagk/h6OwGO8/xoAoGCCqGSM49
+AwEHoUQDQgAEKstAPOj+7VukSZWhqR2u6Nu+GTfNFPsvJFc35ZU5iNmUudZa69fN
+1TCK1v5IskpqgQ7l8H2LaDTMOmr8U476wQ==
+-----END EC PRIVATE KEY-----
diff --git a/root.pem b/root-rsa-2048.pem
similarity index 100%
rename from root.pem
rename to root-rsa-2048.pem
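Review bot: The `#if defined(BOOTUTIL_SIGN_RSA)` / `#elif defined(BOOTUTIL_SIGN_EC256)` chain in keys.c (opened in the previous hunk) silently embeds the RSA key when both macros are defined, which the comment-toggled `CFLAGS +=` lines in the top-level Makefile make easy to do, and the resulting image would then pair the RSA key with whatever signature code that build selected. Placing `#if defined(BOOTUTIL_SIGN_RSA) && defined(BOOTUTIL_SIGN_EC256)` / `#error "Select exactly one signing algorithm."` / `#endif` ahead of the chain turns that into a build failure instead. Separately, the P-256 public key embedded here is the public half of root-ec-p256.pem added in this same commit (the point bytes `2a cb 40 3c e8 fe ...` are the same as in the PEM's public-key field), so its private key is in the repository; a comment above the array such as `/* Demo key only; the matching private key is root-ec-p256.pem in this tree. Builds intended for deployment must embed their own key. */` would make that clear to whoever copies this configuration.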
diff --git a/sign.sh b/sign.sh
index 6fe08f51..5c9989e2 100755
--- a/sign.sh
+++ b/sign.sh
@@ -1,22 +1,48 @@
 #! /bin/sh
+# This script can be used as an example of how to sign images.
+
 source $(dirname $0)/target.sh
-./scripts/zep2newt.py \
- --bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
- --key root.pem \
- --sig RSA \
- --out shell.signed.bin \
- --vtoff 0x200 \
- --word-size 8 \
- --image-version 3 \
- --bit --pad 0x20000
+# RSA signatures can be made with the signing script in the scripts
+# directory.
+if true; then
+ ./scripts/zep2newt.py \
+ --bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
+ --key root.pem \
+ --sig RSA \
+ --out shell.signed.bin \
+ --vtoff 0x200 \
+ --word-size 8 \
+ --image-version 3 \
+ --bit --pad 0x20000
-./scripts/zep2newt.py \
- --bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
- --key root.pem \
- --sig RSA \
- --vtoff 0x200 \
- --word-size 8 \
- --image-version 2 \
- --out hello.signed.bin
+ ./scripts/zep2newt.py \
+ --bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
+ --key root.pem \
+ --sig RSA \
+ --vtoff 0x200 \
+ --word-size 8 \
+ --image-version 2 \
+ --out hello.signed.bin
+fi
+
+# Currently, ECDSA signatures need to be made with the imgtool. See
+# 'imgtool' for instructions on building the tool.
+if false; then
+ imgtool sign \
+ --key root_ec.pem \
+ --header-size 0x200 \
+ --version 3.0 \
+ --align 8 \
+ --pad 0x20000 \
+ ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
+ shell.signed.bin
+
+ imgtool sign \
+ --key root_ec.pem \
+ --header-size 0x200 \
+ --version 3.0 \
+ ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
+ hello.signed.bin
+fi
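Review bot: After this commit neither key path used in sign.sh exists: the two RSA invocations still pass `--key root.pem`, but root.pem is renamed to root-rsa-2048.pem in the same patch, and both imgtool invocations pass `--key root_ec.pem`, while the file added is root-ec-p256.pem, so whichever branch is enabled fails on the key file. Change the three lines to `--key root-rsa-2048.pem \` (in both RSA calls) and `--key root-ec-p256.pem \`. The second imgtool call also omits the `--align 8` that the first passes, whereas the two RSA calls both use `--word-size 8`; that looks unintentional and is worth confirming against imgtool's defaults. Selecting the algorithm via `if true; then` / `if false; then` means the script must be edited to switch; a variable such as `SIG=${SIG:-RSA}` tested by the two branches would keep the example runnable as-is for either key.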