diff --git a/boot/bootutil/CMakeLists.txt b/boot/bootutil/CMakeLists.txt index b23131e9..534ca113 100644 --- a/boot/bootutil/CMakeLists.txt +++ b/boot/bootutil/CMakeLists.txt @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# Copyright (c) 2020, Arm Limited. All rights reserved. +# Copyright (c) 2020-2023, Arm Limited. All rights reserved. # # SPDX-License-Identifier: Apache-2.0 # @@ -23,7 +23,6 @@ target_sources(bootutil src/encrypted.c src/fault_injection_hardening.c src/fault_injection_hardening_delay_rng_mbedtls.c - src/image_ec.c src/image_ec256.c src/image_ed25519.c src/image_rsa.c diff --git a/boot/bootutil/include/bootutil/caps.h b/boot/bootutil/include/bootutil/caps.h index 4452897a..3c0ffb36 100644 --- a/boot/bootutil/include/bootutil/caps.h +++ b/boot/bootutil/include/bootutil/caps.h @@ -1,6 +1,6 @@ /* * Copyright (c) 2017 Linaro Limited - * Copyright (c) 2021 Arm Limited + * Copyright (c) 2021-2023 Arm Limited * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -34,23 +34,22 @@ extern "C" { uint32_t bootutil_get_caps(void); #define BOOTUTIL_CAP_RSA2048 (1<<0) -#define BOOTUTIL_CAP_ECDSA_P224 (1<<1) -#define BOOTUTIL_CAP_ECDSA_P256 (1<<2) -#define BOOTUTIL_CAP_SWAP_USING_SCRATCH (1<<3) -#define BOOTUTIL_CAP_OVERWRITE_UPGRADE (1<<4) -#define BOOTUTIL_CAP_ENC_RSA (1<<5) -#define BOOTUTIL_CAP_ENC_KW (1<<6) -#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT (1<<7) -#define BOOTUTIL_CAP_RSA3072 (1<<8) -#define BOOTUTIL_CAP_ED25519 (1<<9) -#define BOOTUTIL_CAP_ENC_EC256 (1<<10) -#define BOOTUTIL_CAP_SWAP_USING_MOVE (1<<11) -#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION (1<<12) -#define BOOTUTIL_CAP_ENC_X25519 (1<<13) -#define BOOTUTIL_CAP_BOOTSTRAP (1<<14) -#define BOOTUTIL_CAP_AES256 (1<<15) -#define BOOTUTIL_CAP_RAM_LOAD (1<<16) -#define BOOTUTIL_CAP_DIRECT_XIP (1<<17) +#define BOOTUTIL_CAP_ECDSA_P256 (1<<1) +#define BOOTUTIL_CAP_SWAP_USING_SCRATCH (1<<2) +#define BOOTUTIL_CAP_OVERWRITE_UPGRADE (1<<3) +#define BOOTUTIL_CAP_ENC_RSA (1<<4) +#define BOOTUTIL_CAP_ENC_KW (1<<5) +#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT (1<<6) +#define BOOTUTIL_CAP_RSA3072 (1<<7) +#define BOOTUTIL_CAP_ED25519 (1<<8) +#define BOOTUTIL_CAP_ENC_EC256 (1<<9) +#define BOOTUTIL_CAP_SWAP_USING_MOVE (1<<10) +#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION (1<<11) +#define BOOTUTIL_CAP_ENC_X25519 (1<<12) +#define BOOTUTIL_CAP_BOOTSTRAP (1<<13) +#define BOOTUTIL_CAP_AES256 (1<<14) +#define BOOTUTIL_CAP_RAM_LOAD (1<<15) +#define BOOTUTIL_CAP_DIRECT_XIP (1<<16) /* * Query the number of images this bootloader is configured for. This diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index fa33732d..95692fbc 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -3,7 +3,7 @@ * * Copyright (c) 2016-2019 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs - * Copyright (c) 2019-2021 Arm Limited + * Copyright (c) 2019-2023 Arm Limited * * Original license: * 
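Review bot: Renumbering every capability bit after `BOOTUTIL_CAP_RSA2048` changes the meaning of the mask returned by `bootutil_get_caps()`, so any consumer that mirrors the old bit positions (a test harness or host-side tool) will misread which signature, encryption and upgrade features this bootloader has. If such a mirror exists outside this diff, it has to change in the same commit. Otherwise it is safer to keep the positions stable and retire bit 1 with a comment such as `/* (1<<1) was BOOTUTIL_CAP_ECDSA_P224 - removed, do not reuse */`, leaving `BOOTUTIL_CAP_ECDSA_P256` at `(1<<2)`. A misread mask can cause signature-verification tests to be skipped or run against the wrong algorithm without any visible failure.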
@@ -85,7 +85,7 @@ struct flash_area; #define IMAGE_TLV_PUBKEY 0x02 /* public key */ #define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */ #define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */ -#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output */ +#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output - Not supported anymore */ #define IMAGE_TLV_ECDSA256 0x22 /* ECDSA of hash output */ #define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */ #define IMAGE_TLV_ED25519 0x24 /* ed25519 of hash output */ diff --git a/boot/bootutil/src/caps.c b/boot/bootutil/src/caps.c index f44ab023..63bcd645 100644 --- a/boot/bootutil/src/caps.c +++ b/boot/bootutil/src/caps.c @@ -2,7 +2,7 @@ * SPDX-License-Identifier: Apache-2.0 * * Copyright (c) 2017 Linaro Limited - * Copyright (c) 2021 Arm Limited + * Copyright (c) 2021-2023 Arm Limited * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,9 +32,6 @@ uint32_t bootutil_get_caps(void) res |= BOOTUTIL_CAP_RSA3072; #endif #endif -#if defined(MCUBOOT_SIGN_EC) - res |= BOOTUTIL_CAP_ECDSA_P224; -#endif #if defined(MCUBOOT_SIGN_EC256) res |= BOOTUTIL_CAP_ECDSA_P256; #endif diff --git a/boot/bootutil/src/image_ec.c b/boot/bootutil/src/image_ec.c deleted file mode 100644 index 2d92afb0..00000000 --- a/boot/bootutil/src/image_ec.c +++ /dev/null 
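Review bot: The new comment on `IMAGE_TLV_ECDSA224` says the type is no longer supported but not why the define is kept. State that 0x21 stays reserved so the value is never reassigned to a different TLV, for example `/* ECDSA P-224 of hash output - removed, value reserved */`. The same define is repeated in docs/design.md and should carry identical wording.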
@@ -1,130 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * Copyright (c) 2016-2018 JUUL Labs - * Copyright (C) 2021 Arm Limited - * - * Original license: - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -#include - -#include "mcuboot_config/mcuboot_config.h" - -#ifdef MCUBOOT_SIGN_EC -#include "bootutil/sign_key.h" - -#include "mbedtls/ecdsa.h" -#include "mbedtls/oid.h" -#include "mbedtls/asn1.h" - -#include "bootutil/crypto/common.h" -#include "bootutil_priv.h" - -/* - * Declaring these like this adds NULL termination. - */ -static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED; -static const uint8_t ec_secp224r1_oid[] = MBEDTLS_OID_EC_GRP_SECP224R1; - -/* - * Parse the public key used for signing. 
- */ -static int -bootutil_parse_eckey(mbedtls_ecdsa_context *ctx, uint8_t **p, uint8_t *end) -{ - size_t len; - mbedtls_asn1_buf alg; - mbedtls_asn1_buf param; - - if (mbedtls_asn1_get_tag(p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) { - return -1; - } - end = *p + len; - - if (mbedtls_asn1_get_alg(p, end, &alg, ¶m)) { - return -2; - } - if (alg.len != sizeof(ec_pubkey_oid) - 1 || - memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { - return -3; - } - if (param.len != sizeof(ec_secp224r1_oid) - 1|| - memcmp(param.p, ec_secp224r1_oid, sizeof(ec_secp224r1_oid) - 1)) { - return -4; - } - - if (mbedtls_ecp_group_load(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), MBEDTLS_ECP_DP_SECP224R1)) { - return -5; - } - - if (mbedtls_asn1_get_bitstring_null(p, end, &len)) { - return -6; - } - if (*p + len != end) { - return -7; - } - - if (mbedtls_ecp_point_read_binary(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q), *p, end - *p)) { - return -8; - } - - if (mbedtls_ecp_check_pubkey(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q))) { - return -9; - } - return 0; -} - -static int -bootutil_cmp_sig(mbedtls_ecdsa_context *ctx, uint8_t *hash, uint32_t hlen, - uint8_t *sig, size_t slen) -{ - return mbedtls_ecdsa_read_signature(ctx, hash, hlen, sig, slen); -} - -int -bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, - uint8_t key_id) -{ - int rc; - uint8_t *cp; - uint8_t *end; - mbedtls_ecdsa_context ctx; - - mbedtls_ecdsa_init(&ctx); - - cp = (uint8_t *)bootutil_keys[key_id].key; - end = cp + *bootutil_keys[key_id].len; - - rc = bootutil_parse_eckey(&ctx, &cp, end); - if (rc) { - return -1; - } - - while (sig[slen - 1] == '\0') { - slen--; - } - rc = bootutil_cmp_sig(&ctx, hash, hlen, sig, slen); - mbedtls_ecdsa_free(&ctx); - - return rc; -} -#endif /* MCUBOOT_SIGN_EC */ diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index a866281f..07e0e858 100644 
--- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -3,7 +3,7 @@ * * Copyright (c) 2017-2019 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs - * Copyright (c) 2019-2020 Arm Limited + * Copyright (c) 2019-2023 Arm Limited * * Original license: * @@ -46,11 +46,11 @@ #if defined(MCUBOOT_SIGN_RSA) #include "mbedtls/rsa.h" #endif -#if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256) +#if defined(MCUBOOT_SIGN_EC256) #include "mbedtls/ecdsa.h" #endif #if defined(MCUBOOT_ENC_IMAGES) || defined(MCUBOOT_SIGN_RSA) || \ - defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256) + defined(MCUBOOT_SIGN_EC256) #include "mbedtls/asn1.h" #endif @@ -169,7 +169,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, * configured for any signature, don't define this macro. */ #if (defined(MCUBOOT_SIGN_RSA) + \ - defined(MCUBOOT_SIGN_EC) + \ defined(MCUBOOT_SIGN_EC256) + \ defined(MCUBOOT_SIGN_ED25519)) > 1 #error "Only a single signature type is supported!" @@ -185,10 +184,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, # endif # define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8) # define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE) /* 2048 bits */ -#elif defined(MCUBOOT_SIGN_EC) -# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224 -# define SIG_BUF_SIZE 128 -# define EXPECTED_SIG_LEN(x) (1) /* always true, ASN.1 will validate */ #elif defined(MCUBOOT_SIGN_EC256) # define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256 # define SIG_BUF_SIZE 128 diff --git a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h index e925717b..7f8472b3 100644 --- a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h +++ b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h @@ -37,8 +37,6 @@ /* Uncomment for ECDSA signatures using curve P-256. */ #define MCUBOOT_SIGN_EC256 -// #define MCUBOOT_SIGN_EC - /* * Upgrade mode * 
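Review bot: A configuration that still defines `MCUBOOT_SIGN_EC` now passes both the "single signature type" count (hunk at -169) and the `EXPECTED_SIG_TLV` chain (hunk at -185) with no diagnostic. Per the context comment, a build with no signature type leaves that macro undefined, which presumably compiles signature checking out. An out-of-tree port that has not migrated could therefore build a bootloader that no longer verifies image signatures. Add an explicit guard next to the existing `#error`: `#if defined(MCUBOOT_SIGN_EC)` / `#error "MCUBOOT_SIGN_EC (ECDSA P-224) has been removed; use MCUBOOT_SIGN_EC256"` / `#endif`. The surrounding preprocessor block starts and ends outside both hunks, so the exact placement should be checked against the full file.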
diff --git a/boot/cypress/MCUBootApp/keys.c b/boot/cypress/MCUBootApp/keys.c index 4dbd5afe..20c0332f 100644 --- a/boot/cypress/MCUBootApp/keys.c +++ b/boot/cypress/MCUBootApp/keys.c @@ -85,31 +85,6 @@ const unsigned char rsa_pub_key[] = { 0xc9, 0x02, 0x03, 0x01, 0x00, 0x01 }; const unsigned int rsa_pub_key_len = 270; -#elif defined(MCUBOOT_SIGN_EC) -/* Format of PEM : - * -----BEGIN PUBLIC KEY----- - * base64encode(DER) - * -----END PUBLIC KEY----- */ -#if defined(ECC224_KEY_FILE) -#include ECC224_KEY_FILE -#else -#warning "Used default ECC224 ecdsa_pub_key" -/* It is OEM_PUB_KEY at this moment for debug purposes */ -/* Autogenerated by imgtool.py, do not edit. */ -const unsigned char ecdsa_pub_key[] = { - 0x30, 0x4e, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, - 0x81, 0x04, 0x00, 0x21, 0x03, 0x3a, 0x00, 0x04, - 0xa5, 0x8b, 0x18, 0xa4, 0x60, 0x37, 0xf7, 0x0d, - 0x2b, 0x06, 0xba, 0x4b, 0x4c, 0xd7, 0x8d, 0xec, - 0x2a, 0x32, 0x5a, 0x0e, 0x52, 0xf4, 0x1b, 0x7c, - 0x99, 0xec, 0x68, 0x5d, 0x05, 0xc3, 0x6b, 0x7b, - 0x40, 0x9c, 0xaa, 0xac, 0x90, 0xf4, 0xfc, 0xbe, - 0x98, 0xe5, 0x3e, 0x86, 0x3d, 0x37, 0xbf, 0x45, - 0x78, 0x92, 0x27, 0xca, 0x69, 0xe6, 0xf2, 0xc5, -}; -const unsigned int ecdsa_pub_key_len = 80; -#endif #elif defined(MCUBOOT_SIGN_EC256) /* Format of PEM : * -----BEGIN PUBLIC KEY----- @@ -141,7 +116,6 @@ const unsigned int ecdsa_pub_key_len = 91; #endif #if defined(MCUBOOT_SIGN_RSA) || \ - defined(MCUBOOT_SIGN_EC) || \ defined(MCUBOOT_SIGN_EC256) const struct bootutil_key bootutil_keys[] = { #if defined(MCUBOOT_SIGN_RSA) @@ -149,8 +123,7 @@ const struct bootutil_key bootutil_keys[] = { .key = rsa_pub_key, .len = &rsa_pub_key_len, }, -#elif defined(MCUBOOT_SIGN_EC) || \ - defined(MCUBOOT_SIGN_EC256) +#elif defined(MCUBOOT_SIGN_EC256) { .key = ecdsa_pub_key, .len = &ecdsa_pub_key_len, diff --git a/boot/espressif/CMakeLists.txt b/boot/espressif/CMakeLists.txt index 5f79d324..a235e004 100644 
--- a/boot/espressif/CMakeLists.txt +++ b/boot/espressif/CMakeLists.txt @@ -134,7 +134,6 @@ set(bootutil_srcs ${BOOTUTIL_DIR}/src/encrypted.c ${BOOTUTIL_DIR}/src/fault_injection_hardening.c ${BOOTUTIL_DIR}/src/fault_injection_hardening_delay_rng_mbedtls.c - ${BOOTUTIL_DIR}/src/image_ec.c ${BOOTUTIL_DIR}/src/image_ec256.c ${BOOTUTIL_DIR}/src/image_ed25519.c ${BOOTUTIL_DIR}/src/image_rsa.c diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h index f02e40d5..7bf42ca5 100644 --- a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h +++ b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h @@ -48,9 +48,6 @@ #if MYNEWT_VAL(BOOTUTIL_SIGN_ED25519) #define MCUBOOT_SIGN_ED25519 1 #endif -#if MYNEWT_VAL(BOOTUTIL_SIGN_EC) -#define MCUBOOT_SIGN_EC 1 -#endif #if MYNEWT_VAL(BOOTUTIL_ENCRYPT_RSA) #define MCUBOOT_ENCRYPT_RSA 1 #endif diff --git a/boot/mynewt/mcuboot_config/syscfg.yml b/boot/mynewt/mcuboot_config/syscfg.yml index b2e58689..a6c9714a 100644 --- a/boot/mynewt/mcuboot_config/syscfg.yml +++ b/boot/mynewt/mcuboot_config/syscfg.yml @@ -31,9 +31,6 @@ syscfg.defs: BOOTUTIL_SIGN_RSA_LEN: description: 'Key size for RSA keys (2048 or 3072).' value: 2048 - BOOTUTIL_SIGN_EC: - description: 'Images are signed using ECDSA NIST P-224.' - value: 0 BOOTUTIL_SIGN_EC256: description: 'Images are signed using ECDSA NIST P-256.' value: 0 diff --git a/docs/design.md b/docs/design.md index d1b70382..7a192cd1 100755 --- a/docs/design.md +++ b/docs/design.md @@ -3,7 +3,7 @@ - Copyright (c) 2017-2020 Linaro LTD - Copyright (c) 2017-2019 JUUL Labs - - Copyright (c) 2019-2021 Arm Limited + - Copyright (c) 2019-2023 Arm Limited - Original license: 
@@ -107,7 +107,7 @@ struct image_tlv { #define IMAGE_TLV_KEYHASH 0x01 /* hash of the public key */ #define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */ #define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */ -#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output */ +#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output - Not supported anymore */ #define IMAGE_TLV_ECDSA256 0x22 /* ECDSA of hash output */ #define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */ #define IMAGE_TLV_ED25519 0x24 /* ED25519 of hash output */ diff --git a/docs/ecdsa.md b/docs/ecdsa.md index 50ca9616..d3a5a258 100644 --- a/docs/ecdsa.md +++ b/docs/ecdsa.md @@ -5,10 +5,6 @@ shortcut was taken, and these signatures were padded to make them always a fixed length. Unfortunately, this padding was done in a way that is not easily reversible. Some crypto libraries (specifically, Mbed TLS) are fairly strict about the formatting of the ECDSA signature. -This currently means that the ECDSA SECP224R1 (EC) signature -checking code will fail to boot about 1 out of every 256 images, -because the signature itself will end in a 0x00 byte, and the code -will remove too much data, invalidating the signature. There are two ways to fix this: diff --git a/docs/signed_images.md b/docs/signed_images.md index c1edcfb5..bcc201b8 100644 --- a/docs/signed_images.md +++ b/docs/signed_images.md @@ -53,12 +53,7 @@ openssl rsa -in image_sign.pem -pubout -out image_sign_pub.der -outform DER -RSA Now the public key is in file called image_sign_pub.der. -For ECDSA224 these commands are similar. - -openssl ecparam -name secp224r1 -genkey -noout -out image_sign.pem -openssl ec -in image_sign.pem -pubout -outform DER -out image_sign_pub.der - -And then the ECDSA256. +For ECDSA256 these commands are similar. openssl ecparam -name prime256v1 -genkey -noout -out image_sign.pem openssl ec -in image_sign.pem -pubout -outform DER -out image_sign_pub.der 
@@ -102,5 +97,4 @@ file After you've created the key package, you must include it in the build for bootloader. So modify the pkg.yml for apps/boot to include it. -The syscfg variable to enable ECDSA224 is BOOTUTIL_SIGN_EC, and -BOOTUTIL_SIGN_EC256 for ECDS256. +The syscfg variable to enable ECDSA256 is BOOTUTIL_SIGN_EC256. diff --git a/testplan/mynewt/keys/ec/pkg.yml b/testplan/mynewt/keys/ec/pkg.yml deleted file mode 100644 index 2b3256b4..00000000 --- a/testplan/mynewt/keys/ec/pkg.yml +++ /dev/null @@ -1,3 +0,0 @@ -pkg.name: keys/ec -pkg.author: "Apache Mynewt " -pkg.homepage: "http://mynewt.apache.org/" diff --git a/testplan/mynewt/keys/ec/src/keys.c b/testplan/mynewt/keys/ec/src/keys.c deleted file mode 100644 index 81505eb4..00000000 --- a/testplan/mynewt/keys/ec/src/keys.c +++ /dev/null @@ -1,18 +0,0 @@ -#include -static unsigned char key[] = { - 0x30, 0x4e, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, - 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x21, 0x03, 0x3a, 0x00, 0x04, - 0xa0, 0x8c, 0x5a, 0xd6, 0x98, 0x20, 0x1a, 0xd5, 0xb9, 0xc4, 0xfd, 0x7f, - 0xa5, 0xd3, 0x08, 0xca, 0x00, 0x91, 0x5e, 0xc6, 0x92, 0x49, 0xce, 0x18, - 0xc5, 0x64, 0x17, 0xed, 0xbf, 0x63, 0xd0, 0xcd, 0xb8, 0xf7, 0xff, 0x29, - 0x25, 0x35, 0x5a, 0x7a, 0x20, 0x30, 0xc9, 0x26, 0x95, 0xb2, 0x57, 0xd1, - 0x46, 0x0d, 0x69, 0x18, 0x13, 0xc9, 0x7d, 0xb3 -}; -static unsigned int key_len = 80; -const struct bootutil_key bootutil_keys[] = { - [0] = { - .key = key, - .len = &key_len, - }, -}; -const int bootutil_key_cnt = 1; diff --git a/testplan/mynewt/keys/pkg.yml b/testplan/mynewt/keys/pkg.yml index e7e73e34..82d0e84b 100644 --- a/testplan/mynewt/keys/pkg.yml +++ b/testplan/mynewt/keys/pkg.yml @@ -5,8 +5,5 @@ pkg.homepage: "http://mynewt.apache.org/" pkg.deps.BOOTUTIL_SIGN_RSA: - keys/rsa -pkg.deps.BOOTUTIL_SIGN_EC: - - keys/ec - pkg.deps.BOOTUTIL_SIGN_EC256: - keys/ec256