Add rsa+kw testing support to simulator

Allows simulating images signed with RSA-2048 and encrypted with AES-128-KW. Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-12-18 17:20:19 -02:00 · 2018-12-18 17:20:19 -02:00 · 251ef1d98a
parent 338a19f70d
commit 251ef1d98a
4 changed files with 96 additions and 1 deletions
--- a/boot/zephyr/include/config-rsa-kw.h
+++ b/boot/zephyr/include/config-rsa-kw.h
@ -0,0 +1,75 @@
+/*
+ *  Minimal configuration for using TLS in the bootloader
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2016, Linaro Ltd
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Minimal configuration for using TLS in the bootloader
+ *
+ * - RSA signature verification + NIST Keywrapping support
+ */
+
+#ifndef MCUBOOT_MBEDTLS_CONFIG_RSA_KW
+#define MCUBOOT_MBEDTLS_CONFIG_RSA_KW
+
+#ifdef CONFIG_MCUBOOT_SERIAL
+/* Mcuboot uses mbedts-base64 for serial protocol encoding. */
+#define MBEDTLS_BASE64_C
+#endif
+
+/* System support */
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_EXIT_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+
+#if !defined(CONFIG_ARM)
+#define MBEDTLS_HAVE_ASM
+#endif
+
+#define MBEDTLS_RSA_C
+#define MBEDTLS_PKCS1_V21
+
+/* mbed TLS modules */
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_NIST_KW_C
+
+/* Save RAM by adjusting to our exact needs */
+#define MBEDTLS_ECP_MAX_BITS             2048
+#define MBEDTLS_MPI_MAX_SIZE              256
+
+#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
+
+/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
+#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+
+#include "mbedtls/check_config.h"
+
+#endif /* MCUBOOT_MBEDTLS_CONFIG_RSA_KW */
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@ -115,7 +115,9 @@ fn main() {
        conf.file("mbedtls/library/aes.c");
    }

-    if sig_rsa || enc_rsa {
+    if sig_rsa && enc_kw {
+        conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa-kw.h>"));
+    } else if sig_rsa || enc_rsa {
        conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa.h>"));
    } else if sig_ecdsa {
        conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
--- a/sim/src/lib.rs
+++ b/sim/src/lib.rs
@ -1182,8 +1182,15 @@ fn install_image(flashmap: &mut SimFlashMap, slots: &[SlotInfo], slot: usize, le
 }

 // The TLV in use depends on what kind of signature we are verifying.
+#[cfg(feature = "sig-rsa")]
+#[cfg(feature = "enc-kw")]
+fn make_tlv() -> TlvGen {
+    TlvGen::new_rsa_kw()
+}
+
 #[cfg(feature = "sig-rsa")]
 #[cfg(not(feature = "enc-rsa"))]
+#[cfg(not(feature = "enc-kw"))]
 fn make_tlv() -> TlvGen {
    TlvGen::new_rsa_pss()
 }
@ -1205,6 +1212,7 @@ fn make_tlv() -> TlvGen {
    TlvGen::new_sig_enc_rsa()
 }

+#[cfg(not(feature = "sig-rsa"))]
 #[cfg(feature = "enc-kw")]
 fn make_tlv() -> TlvGen {
    TlvGen::new_enc_kw()
--- a/sim/src/tlv.rs
+++ b/sim/src/tlv.rs
@ -107,6 +107,16 @@ impl TlvGen {
        }
    }

+    #[allow(dead_code)]
+    pub fn new_rsa_kw() -> TlvGen {
+        TlvGen {
+            flags: TlvFlags::ENCRYPTED as u32,
+            kinds: vec![TlvKinds::SHA256, TlvKinds::RSA2048, TlvKinds::ENCKW128],
+            size: 4 + 32 + 4 + 32 + 4 + 256 + 4 + 24,
+            payload: vec![],
+        }
+    }
+
    /// Retrieve the header flags for this configuration.  This can be called at any time.
    pub fn get_flags(&self) -> u32 {
        self.flags