Update sim to run ecdsa sig + kw enc

This adds the functionality to build/run testing on images that were
signed using ECDSA and encrypted with KW, using tinycrypt.

Also when it this mode, ecdsa+kw, adds the Mbed-TLS submodule to the
build because the simulator needs to use the Mbed-TLS keywrapping
infrastructure to generate the keys sent to the image.

Signed-off-by: Fabio Utzig <utzig@apache.org>

sim/mcuboot-sys/build.rs

@@ -54,7 +54,9 @@ fn main() {
         conf.define("MCUBOOT_SIGN_EC256", None);
         conf.define("MCUBOOT_USE_TINYCRYPT", None);
 
-        conf.include("../../ext/mbedtls/include");
+        if !enc_kw {
+            conf.include("../../ext/mbedtls/include");
+        }
         conf.include("../../ext/tinycrypt/lib/include");
 
         conf.file("csupport/keys.c");
@@ -65,6 +67,7 @@ fn main() {
         conf.file("../../ext/tinycrypt/lib/source/ecc_dsa.c");
         conf.file("../../ext/tinycrypt/lib/source/ecc_platform_specific.c");
 
+        conf.file("../../ext/mbedtls/src/platform_util.c");
         conf.file("../../ext/mbedtls/src/asn1parse.c");
     } else {
         // Neither signature type, only verify sha256. The default
@@ -104,27 +107,40 @@ fn main() {
     if enc_kw {
         conf.define("MCUBOOT_ENCRYPT_KW", None);
         conf.define("MCUBOOT_ENC_IMAGES", None);
-        conf.define("MCUBOOT_USE_MBED_TLS", None);
 
         conf.file("../../boot/bootutil/src/encrypted.c");
         conf.file("csupport/keys.c");
 
-        conf.include("mbedtls/include");
-        conf.file("mbedtls/library/sha256.c");
+        if sig_rsa {
+            conf.file("mbedtls/library/sha256.c");
+        }
 
+        /* Simulator uses Mbed-TLS to wrap keys */
+        conf.include("mbedtls/include");
         conf.file("mbedtls/library/platform.c");
         conf.file("mbedtls/library/platform_util.c");
         conf.file("mbedtls/library/nist_kw.c");
         conf.file("mbedtls/library/cipher.c");
         conf.file("mbedtls/library/cipher_wrap.c");
         conf.file("mbedtls/library/aes.c");
+
+        if sig_ecdsa {
+            conf.define("MCUBOOT_USE_TINYCRYPT", None);
+
+            conf.include("../../ext/tinycrypt/lib/include");
+
+            conf.file("../../ext/tinycrypt/lib/source/utils.c");
+            conf.file("../../ext/tinycrypt/lib/source/sha256.c");
+            conf.file("../../ext/tinycrypt/lib/source/aes_encrypt.c");
+            conf.file("../../ext/tinycrypt/lib/source/aes_decrypt.c");
+        }
     }
 
     if sig_rsa && enc_kw {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa-kw.h>"));
     } else if sig_rsa || enc_rsa {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa.h>"));
-    } else if sig_ecdsa {
+    } else if sig_ecdsa && !enc_kw {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
     } else if enc_kw {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-kw.h>"));

sim/src/lib.rs

@@ -1196,6 +1196,13 @@ fn make_tlv() -> TlvGen {
 }
 
 #[cfg(feature = "sig-ecdsa")]
+#[cfg(feature = "enc-kw")]
+fn make_tlv() -> TlvGen {
+    TlvGen::new_ecdsa_kw()
+}
+
+#[cfg(feature = "sig-ecdsa")]
+#[cfg(not(feature = "enc-kw"))]
 fn make_tlv() -> TlvGen {
     TlvGen::new_ecdsa()
 }
@@ -1213,6 +1220,7 @@ fn make_tlv() -> TlvGen {
 }
 
 #[cfg(not(feature = "sig-rsa"))]
+#[cfg(not(feature = "sig-ecdsa"))]
 #[cfg(feature = "enc-kw")]
 fn make_tlv() -> TlvGen {
     TlvGen::new_enc_kw()

sim/src/tlv.rs

@@ -117,6 +117,16 @@ impl TlvGen {
         }
     }
 
+    #[allow(dead_code)]
+    pub fn new_ecdsa_kw() -> TlvGen {
+        TlvGen {
+            flags: TlvFlags::ENCRYPTED as u32,
+            kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSA256, TlvKinds::ENCKW128],
+            size: 4 + 32 + 4 + 32 + 4 + 72 + 4 + 24,
+            payload: vec![],
+        }
+    }
+
     /// Retrieve the header flags for this configuration.  This can be called at any time.
     pub fn get_flags(&self) -> u32 {
         self.flags