zephyr: add option to disable cryptographic check of the image

- Add Kconfig option `CONFIG_BOOT_SIGNATURE_TYPE_NONE`. When y,
  The bootloader will not verify the cryptographic signature of the image
  at boot or prior to upgrade. Image integrity check is retained.

  Images would still need to be processed using `imgtool` however no key
  should be provided to skip cryptographic signature generation.

Signed-off-by: Arvin Farahmand <arvinf@ip-logix.com>
This commit is contained in:
Arvin Farahmand 2020-05-05 11:44:12 -04:00 committed by David Brown
parent f824019956
commit fb5ec1877d
4 changed files with 15 additions and 2 deletions

View File

@ -141,6 +141,16 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256)
zephyr_library_compile_definitions(
MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h"
)
elseif(CONFIG_BOOT_SIGNATURE_TYPE_NONE)
zephyr_library_include_directories(
${BOOT_DIR}/zephyr/include
${TINYCRYPT_DIR}/include
)
zephyr_library_sources(
${TINYCRYPT_DIR}/source/sha256.c
${TINYCRYPT_DIR}/source/utils.c
)
elseif(CONFIG_BOOT_SIGNATURE_TYPE_RSA)
# Use mbedTLS provided by Zephyr for RSA signatures. (Its config file
# is set using Kconfig.)

View File

@ -62,6 +62,10 @@ choice
prompt "Signature type"
default BOOT_SIGNATURE_TYPE_RSA
config BOOT_SIGNATURE_TYPE_NONE
bool "No signature; use only hash check"
select BOOT_USE_TINYCRYPT
config BOOT_SIGNATURE_TYPE_RSA
bool "RSA signatures"
select BOOT_USE_MBEDTLS

View File

@ -41,8 +41,6 @@ extern unsigned int ecdsa_pub_key_len;
#define HAVE_KEYS
extern const unsigned char ed25519_pub_key[];
extern unsigned int ed25519_pub_key_len;
#else
#error "No public key available for given signing algorithm."
#endif
/*

View File

@ -15,6 +15,7 @@ CONFIG_BOOT_UPGRADE_ONLY=n
CONFIG_BOOT_BOOTSTRAP=n
### Default to RSA
CONFIG_BOOT_SIGNATURE_TYPE_NONE=n
CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
CONFIG_BOOT_SIGNATURE_TYPE_RSA_LEN=2048
CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n