Commit Graph

191 Commits

Author SHA1 Message Date
David Brown 47b77c521a imgtool: Fix signing payload type
The 'cryptography' library is pickier about the data it is asked to
sign.  Get the bytes value out of the bytearray for doing the actual
signature.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 5e7c6dd58a imgtool: Update RSA code
Replace RSA code with one using the python 'cryptography' library.  This
library is much more complete, and will make adding support for password
protected keys, and separate public keys easier.

There is, however, a significant change brought about by this change:
the private keys are stored in PKCS#8 format, instead of the raw format
that was used previously.  This is a more modern format that has a few
advantages, including: supporting stronger password protection, and
allowing the key type to be determined upon read.

This tool will still support reading the old style public keys, but
other tools that use these keys will need to be updated in order to work
with the new format.

This new code has some unit tests to go along with it for some basic
sanity testing of the code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown d4022576e4 imgtool: Remove PKCS1.5 support
Support for PKCS1.5 has been removed from the bootloader for a while
now, remove it as well from the tool.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 244547346e imgtool: Move keys to submodule
Move this code into a submodule to prepare to cleanup and enhance the
key management code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown b730e2431a assemble.py: Add explicit license declaration
Although this file is likely implicitly licensed under the Apache 2.0
license because of the LICENSE file for this project, make this explicit
in this file.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:25 -07:00
David Brown 1314bf3528 imgtool: Add explicit license declarations
Although these files are likely implicitly licensed under the Apache 2.0
license because of the LICENSE file for this project, make this explicit
in these files.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-12-21 13:31:03 -07:00
Fabio Utzig f0e5419535 Use travis env variable to control check-signed-off-by
Instead of trying to determine current branch using git, just rely
on travis to know if this is a PR and if it is not, don't do
signed-off-by checking.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-06 16:46:58 -07:00
Fabio Utzig efe67ae52d Disable script debugging
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-06 13:46:40 -02:00
Fabio Utzig 5f9fbcc9d0 Only check signed-off-by in PRs
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-06 13:46:40 -02:00
Fabio Utzig 6da40d077b Update to use parent commits
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-05 13:24:03 -02:00
Fabio Utzig 0b56138c8a Besides author also check committer
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-05 13:24:03 -02:00
Fabio Utzig 5101b0f812 Try using tail again
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-05 13:24:03 -02:00
Fabio Utzig 311801775e Fix review issues
- Use git options to remove last commit from list to verify.
- Check each line of a commit for a "Signed-off-by" line.
- Exit with error in the event of no commits in PR!

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-05 13:24:03 -02:00
Fabio Utzig 5b989104a5 Add travis' validation of "Signed-off-by:" line
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-05 13:24:03 -02:00
Fabio Utzig a8f06aaf4d Remove duplicated choices by using existing dict
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-10-17 20:25:42 -02:00
David Brown cb1bb48bb5 imgtool: Fix ECDSA signatures
Earlier refactoring created a call for get_public_bytes() that was added
to the RSA class, but missed on the ECDSA class.  Add this call so that
ECDSA signatures will work again.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown 72e7a5176f Change the image header magic
Since we've changed the meaning of several fields in the header, bump
the header to a new magic number.  The fields that are still present are
in the same place, but all of the signature and TLV information is moved
into the TLV itself, which is still immediately after the image.

As of this commit, this defines the new image header/TLV format used for
1.0.

Based on work by Marko Kiiskila <marko@runtime.io>

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown f5b33d8b9d Place TLV size into TLV itself
To allow the signatures to be replaced, move the size of the TLV into a
small "info" header at the start of the TLV.

Note that this causes image swapping to lose robustness.  This is fixed
by a later commit.

Based on work by Marko Kiiskila <marko@runtime.io>

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
JIRA: MCUB-65
2017-09-06 16:16:58 -06:00
David Brown 43cda33c5a Move key_id from header into TLV
Remove the key_id field from the image header.  There are two problems
with this field.  First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign.  Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.

Instead of the key-id, add a TLV KEYHASH entry.  This will hold the
SHA256 of the public key that the signature is against.  Each signature
placed in the TLV should be preceeded by this entry to indicate the
public key used.

The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked.  As long
as at least one signature is considered valid, the image will be
considered signed.  This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.

Based on work by Marko Kiiskila <marko@runtime.io>

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown 76528c4406 imgtool: Add rust language support to ECDSA
Generate rust code for ECDSA signatures, when requested (rather than
raising an exception)

Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown d36e91acc1 imgtool: Add rust pubkey generation
Add a `--rust` flag to the getpub subcommand to output the public key in
Rust format rather than C.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown 27648b8344 Renumber the TLV type values
In preparation for moving the signature related values out of the main
image header and into the TLV, renumber the existing TLV values to be
grouped together better.

The SHA256 is moved into the first group, at 0x10, and the signature
values themselves are moved to start with 0x20.

This change is the first in a series of changes toward the new v1.0
image format.  The intermediate results are all internally consistent
(meaning that the simulator, and the builtin imgtool.py will all work
together), but until all patches are applied, the image format is not
valid with any external tools.

Based on work by Marko Kiiskila <marko@runtime.io>.

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown 8ae61c05a5 imgtool.py: Fix some errors in ecdsa key generation
There are two easy to fix problems with the ecdsa key generation code.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-28 12:29:28 -06:00
David Brown 2cf522c3d8 scripts: assemble: Fix problem with missing output
Adding an os.unlink() call to remove the outfile results in an exception
being thrown if the file does not exist.  Fix this by trapping, and
checking for the specific error we get on a missing file.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-20 14:55:50 -06:00
David Brown dbc5727902 samples: Add a 'full.bin' target to Zephyr sample
This full.bin target demonstrates how to assemble all of the images into
a single file which can be flashed to the device.  As it is, it will
then boot into the first "primary" image.  The second image will be
present, but will not ever be run.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-20 14:55:50 -06:00
Fabio Utzig e08f087ee5 Update imgtool to write trailer in new format
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-07-06 10:03:55 -06:00
David Brown 3e27386a12 Remove old 'imgtool' and 'zep2newt.py'
Now that script/imgtool.py contains all of the functionality of these
tools, remove the old tools from the tree.  The zep2newt.py was only
able to perform a limited set of signatures.  The 'imgtool' requires a
'Go' toolchain, which has been a hinderance to many users.

Please see `doc/imgtool.md` for directions on how to use this new tool
for image signing.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-06-28 08:29:33 -06:00
David Brown 85d879f195 Merge pull request #60 from d3zd3z/pr/py-header
Make header padding optional
2017-06-13 15:59:27 -04:00
David Brown 2c21f7101b imgtool: Make "included header" optional
The imgtool.py program has been assuming that the input image for
signing has a zero padded place for the header at the beginning of the
image.  This is only true for some platforms.

Instead, make this included header space optional.  By default, prepend
the header to the image.  If `--included-header` is specified to the
sign command, consider the bytes at the beginning of the image to be
padded space for the header.  This option is required for Zephyr builds.
2017-06-13 15:54:45 -04:00
David Brown 0f0c6a808d imgtool: Allow --key to be optional when signing
If the --key is not specified, only the SHA256 hash is added to the TLV.
This is useful for testing configurations, where the crypto has not been
fully configured.  Note that this configuration is not secure, and this
only verifies that the image has not been corrupted.
2017-06-13 15:45:06 -04:00
David Brown efb871f4b2 imgtool: Better version parsing
When parsing versions for the --version argument, allow a field to be
zero.  Also, restrict the build to just an integer to match what we
allow (rather than allow alphabetic, and then failing to parse as an
integer).

In addition, add the missing import of argparse, so that when the
version is invalid, we get nice usage rather than an error about a
missing module.

Jira: MCUB-58
2017-06-08 09:43:55 -06:00
David Brown 4c036158d4 imgtool: Fix key argument
Changing the name of the command line argument changes the name of the
fields used to access it.  Change the keysigning code to reflect this,
avoiding a stack dump when trying to generate keys.
2017-06-07 09:19:21 -06:00
David Brown 07916c3155 imgtool.py: Support PKCS#1.5 v2.1 RSA-PSS
Add support for the RSA-PSS signature algorithm to imgtool.py.  This
algorithm has a strong security proof, and is recommended for all new
designs.  The new algorithm is enabled by default for RSA signatures to
match the default in the bootloader also being changed.
2017-06-07 09:19:21 -06:00
David Brown 23f91ad152 scripts: Initial version of Python imgtool
This is the start of a python implementation of imgtool.  This
implements all of the functionality that was missing in the zep2newt.py
tool, namely creation of keypairs, and converting the public version of
these keys into C code.
2017-06-07 09:19:21 -06:00
Andrew Boie e9470d893a zep2newt.py: recognize x86 padding
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-03-15 13:27:57 -07:00
Ricardo Salveti 1a2e4b825b zep2newt.py: use /usr/bin/env when searching for python2
Avoid hardcoding the python2 path by using env python2 instead.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-02-27 22:55:39 -03:00
Marti Bolivar 47c69d0eea scripts: zep2newt: remove unused argument
The --off argument is unused; delete it.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-10 16:44:41 -05:00
Marti Bolivar da223385c5 scripts: zep2newt: delete dead store
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-10 16:44:41 -05:00
David Brown 06446dda2c scripts: Allow image version number
Add an --image-version argument to zep2newt.py to allow the major
version number to be set.  This helps make testing easier by having
differing version numbers.
2017-01-23 16:01:01 -07:00
David Brown adec29ebe5 scripts: Remove .pyc file from repo
Add *.pyc to the .gitignore, and remove the file that got mistakenly
checked in.
2017-01-23 15:56:39 -07:00
David Brown 22a6fe32d3 Add some simple scripts for signing/flashing
These are some simple scripts for signing images (with an example with a
hardcoded path), a fixed root key that matches the one checked into the
code, and a few scripts to use the Segger debugger to flash the images.
2017-01-23 15:56:39 -07:00