Commit Graph

14 Commits

Author SHA1 Message Date
Fabio Utzig 6f4d8f8597 bootutil: allow RSA encryption keys without DP/DQ/QP
Allow runtime generation of CRT params when not available in the
embedded private key. Also remove parsing/calculation of CRT
parameters when CRT was disabled in the config (mbedTLS does not
use those in this case).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-17 16:26:53 -03:00
Fabio Utzig 105b59a9b9 Add Zephyr config for RSA-3072
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig 4541b53a3a Increase Zephyr mempool size for encrypted images
For Zephyr the default mbedTLS mempool size for RSA-2048 signing was not
enough to allow for the calculations done by RSA-2048-OAEP (encrypted
images), so when encrypted image support is enabled, increase it to a
value that is known to work.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-12-17 14:41:02 -02:00
Marti Bolivar a4818a5565 zephyr: migrate signature type to Kconfig
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.

This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.

Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)

We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.

To move to a single prj.conf:

- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
  the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
  depending on the case

This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.

Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-25 18:44:03 -03:00
Andrzej Puzdrowski 268cdd0e09 fix warnings while building along with serial recovery
Following warnings were fixed within this patch:

 'isspace' macro should take an int value

 function 'bs_reset' should return void

 redefinition of 'MBEDTLS_CONFIG_FILE' macro while
 it is already defined by the zephyr build system.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2018-04-10 08:16:35 -03:00
Fabio Utzig 84ed794d14 Fix configuration when RSA signature is used
This defines the correct "mbedtls" config files in both ECDSA256 and RSA
modes.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-02-16 16:31:38 -07:00
Ding Tao b664a082aa zephyr: mbedtls: Fix compile error no such file or directory
Upstream zephyr will automatically link mbedtls when CONFIG_MBEDTLS is
enabled.

If user chose to use ECDSA_P256 as signature type, will get a compile
error message in file ${ZEPHYR_BASE}/ext/lib/crypto/mbedtls/zephyr_init.c:
    fatal error: config-asn1.h: No such file or directory

Fix this by disable CONFIG_MBEDTLS  when ECDSA_P256 signature type is
selected.

Signed-off-by: Ding Tao <miyatsu@qq.com>
2018-02-14 13:55:23 -02:00
Fabio Utzig 28ee5b0ea9 Add Zephyr support for bundled mbed-tls ASN1 parser
When using EC256 for signing, Zephyr now uses the bundled tinycrypt
and mbed-tls ASN1 parser instead of relying on the one provided by
the OS.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
David Brown e9771ef62f Fix ECDSA Zephyr configuration of mbed TLS
The Zephyr configuration was enabling the memory buffer allocator (but
not using it) without defining enough other features to allow it to
compile (undefined reference to `exit()`).

Disable the memory buffer allocator when just using the ASN.1 library,
and conditionalize the heap itself to avoid using the RAM for that.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-14 19:12:53 -07:00
David Brown 0bae965fd8 Zephyr: Use mbed TLS allocator
Instead of the overly-simplistic allocator in Zephyr, use the still
simplistic allocator in mbed TLS.

On K64f, this saves 848 bytes of text, 44 bytes of data, and 208 bytes
of bss.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-10-30 22:33:08 -06:00
David Brown 74b3c58f53 zephyr: Add braces around single lines
The coding guidelines for mcuboot specify using braces around all
single-line constructs.  Add these to those lines missing this.
2017-04-11 17:59:05 -06:00
David Brown 0d0652a10f zephyr: use indentation consistent across mcuboot
The original Zephyr platform support files use tabs for indentation
(to match the Zephyr project).  Since this code is all together, and
will be used as the basis for other platforms, fix this indentation to
match that used by the rest of mynewt.

This change is clean with respect to "git show -b", and only changes
the indentation of the beginning of lines.
2017-04-11 17:59:04 -06:00
Ricardo Salveti 7cf3d9ec91 zephyr: use SYS_LOG instead of printk
Easier to manage and can be easily disabled via config.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:35 -02:00
David Brown 299245d7de zephyr: Move code under 'boot' directory
The Zephyr build systems makes some assumptions about the directory
layout, and encounters problems if the necessary path contains "../..".
To help this, place the zephyr directory next to the bootutil directory
so that the Makefile can just refer to "../bootutil".  This keeps all of
the build artifacts under the proper top-level directory.
2017-01-10 09:49:47 -07:00