bootutil/crypto: Builtin ECDSA key support for PSA Crypto backend

Enable the usage of builtin keys in the ECDSA verification module with
the PSA Crypto API based cryptographic backend.
This way, parsing and importing the verification keys can also be avoided.

Change-Id: I6ada1ef8ed04a3f12c228ef399e3a7b8ebc7fb5e
Signed-off-by: David Vincze <david.vincze@arm.com>
David Vincze 2024-04-03 12:38:34 +02:00 committed by David Brown
parent e369784ba4
commit f06bc71180
2 changed files with 48 additions and 3 deletions


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
* *
* Copyright (c) 2023 Arm Limited * Copyright (c) 2023-2024 Arm Limited
*/ */
/* /*
@ -386,9 +386,26 @@ static const uint8_t Secp384r1[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22};
static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx) static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
{ {
#if !defined(MCUBOOT_BUILTIN_KEY)
ctx->key_id = PSA_KEY_ID_NULL; ctx->key_id = PSA_KEY_ID_NULL;
ctx->curve_byte_count = 0; ctx->curve_byte_count = 0;
ctx->required_algorithm = 0; ctx->required_algorithm = 0;
#else /* !MCUBOOT_BUILTIN_KEY */
/* The incoming key ID is equal to the image index. The key ID value must be
* shifted (by one in this case) because zero is reserved (PSA_KEY_ID_NULL)
* and considered invalid.
*/
ctx->key_id++; /* Make sure it is not equal to 0. */
#if defined(MCUBOOT_SIGN_EC256)
ctx->curve_byte_count = 32;
ctx->required_algorithm = PSA_ALG_SHA_256;
#endif /* MCUBOOT_SIGN_EC256 */
#if defined(MCUBOOT_SIGN_EC384)
ctx->curve_byte_count = 48;
ctx->required_algorithm = PSA_ALG_SHA_384;
#endif /* MCUBOOT_SIGN_EC384 */
#endif /* !MCUBOOT_BUILTIN_KEY */
} }
static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx) static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
@ -398,6 +415,7 @@ static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
} }
} }
#if !defined(MCUBOOT_BUILTIN_KEY)
/* /*
* Parse a ECDSA public key with format specified in RFC5280 et al. * Parse a ECDSA public key with format specified in RFC5280 et al.
* *
@ -442,6 +460,7 @@ static int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
return (int)psa_import_key(&key_attributes, *cp, key_size, &ctx->key_id); return (int)psa_import_key(&key_attributes, *cp, key_size, &ctx->key_id);
} }
#endif /* !MCUBOOT_BUILTIN_KEY */
/* Verify the signature against the provided hash. The signature gets parsed from /* Verify the signature against the provided hash. The signature gets parsed from
* the encoding first, then PSA Crypto has a dedicated API for ECDSA verification * the encoding first, then PSA Crypto has a dedicated API for ECDSA verification
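Review bot: In the MCUBOOT_BUILTIN_KEY branch of bootutil_ecdsa_init, `ctx->key_id++` reads a field the caller must have filled in before calling an init function, which inverts the usual init contract and is easy to get wrong; the function should say so, e.g. `/* Builtin keys: the caller stores the image key index in ctx->key_id before init; it is mapped to PSA key id (index + 1), which the platform must have provisioned. */`. The `#if defined(MCUBOOT_SIGN_EC256)` and `#if defined(MCUBOOT_SIGN_EC384)` blocks are independent, so a build with both defined silently ends up with the 384-bit settings; making the second one `#elif`, or adding `#if defined(MCUBOOT_SIGN_EC256) && defined(MCUBOOT_SIGN_EC384)` / `#error "builtin key mode supports a single curve"` / `#endif`, turns that into a build error. Note also that in builtin mode curve_byte_count and required_algorithm are fixed at compile time instead of being derived from the parsed key, so the PSA verify call is the only check that the provisioned key actually matches the configured curve; bootutil_ecdsa_verify itself is outside this diff.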


@ -3,7 +3,7 @@
* *
* Copyright (c) 2016-2019 JUUL Labs * Copyright (c) 2016-2019 JUUL Labs
* Copyright (c) 2017 Linaro LTD * Copyright (c) 2017 Linaro LTD
* Copyright (C) 2021-2023 Arm Limited * Copyright (C) 2021-2024 Arm Limited
* *
* Original license: * Original license:
* *
@ -35,6 +35,7 @@
#include "bootutil/fault_injection_hardening.h" #include "bootutil/fault_injection_hardening.h"
#include "bootutil/crypto/ecdsa.h" #include "bootutil/crypto/ecdsa.h"
#if !defined(MCUBOOT_BUILTIN_KEY)
fih_ret fih_ret
bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
uint8_t key_id) uint8_t key_id)
@ -65,5 +66,30 @@ out:
FIH_RET(fih_rc); FIH_RET(fih_rc);
} }
#else /* !MCUBOOT_BUILTIN_KEY */
fih_ret
bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
uint8_t key_id)
{
int rc;
bootutil_ecdsa_context ctx;
FIH_DECLARE(fih_rc, FIH_FAILURE);
/* Use builtin key for image verification, no key parsing is required. */
ctx.key_id = key_id;
bootutil_ecdsa_init(&ctx);
/* The public key pointer and key size can be omitted. */
rc = bootutil_ecdsa_verify(&ctx, NULL, 0, hash, hlen, sig, slen);
fih_rc = fih_ret_encode_zero_equality(rc);
if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
FIH_SET(fih_rc, FIH_FAILURE);
}
bootutil_ecdsa_drop(&ctx);
FIH_RET(fih_rc);
}
#endif /* MCUBOOT_BUILTIN_KEY */
#endif /* MCUBOOT_SIGN_EC256 || MCUBOOT_SIGN_EC384 */ #endif /* MCUBOOT_SIGN_EC256 || MCUBOOT_SIGN_EC384 */
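Review bot: The builtin-key bootutil_verify_sig ends with `bootutil_ecdsa_drop(&ctx)` on a key id that names a platform-provisioned key rather than one imported by this code; if bootutil_ecdsa_drop still destroys ctx->key_id through the PSA API (its body is in the header and not in this diff), this path would attempt to destroy the builtin key on every verification, so either the call should be skipped here or drop itself guarded under MCUBOOT_BUILTIN_KEY. The closing `#endif /* MCUBOOT_BUILTIN_KEY */` ends the `#if !defined(MCUBOOT_BUILTIN_KEY)` / `#else` chain, while the header spells the same construct `#endif /* !MCUBOOT_BUILTIN_KEY */`; one spelling should be used in both files. Since the only visible difference from the non-builtin function appears to be the omitted key lookup and parse (the earlier function body is not in this hunk), wrapping just those lines in `#if !defined(MCUBOOT_BUILTIN_KEY)` would avoid maintaining two copies of the FIH handling.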