boot: SHA512 verification
adds TLV and Kconfig to decouple verification from
other options.

Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no>
michalek-no committed Jun 26, 2024
1 parent 018dc01 commit 9de733a
Showing 4 changed files with 19 additions and 11 deletions.
17 changes: 8 additions & 9 deletions boot/bootutil/include/bootutil/crypto/sha.h
@@ -34,13 +34,13 @@
#error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO"
#endif

#if defined(MCUBOOT_SIGN_EC384)
#define IMAGE_HASH_SIZE (48)
#define EXPECTED_HASH_TLV IMAGE_TLV_SHA384
#if defined(MCUBOOT_SHA512)
#define IMAGE_HASH_SIZE (64)
#define EXPECTED_HASH_TLV IMAGE_TLV_SHA512
#else
#define IMAGE_HASH_SIZE (32)
#define EXPECTED_HASH_TLV IMAGE_TLV_SHA256
#endif /* MCUBOOT_SIGN_EC384 */
#endif /* MCUBOOT_SIGN */

/* Universal defines for SHA-256 */
#define BOOTUTIL_CRYPTO_SHA256_BLOCK_SIZE (64)
@@ -82,8 +82,8 @@ typedef psa_hash_operation_t bootutil_sha_context;
static inline int bootutil_sha_init(bootutil_sha_context *ctx)
{
*ctx = psa_hash_operation_init();
#if defined(MCUBOOT_SIGN_EC384)
psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_384);
#if defined(MCUBOOT_SHA512)
psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_512);
#else
psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_256);
#endif
@@ -107,8 +107,8 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
{
size_t hash_length = 0;
/* Assumes the output buffer is at least the expected size of the hash */
#if defined(MCUBOOT_SIGN_EC384)
return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_384), &hash_length);
#if defined(MCUBOOT_SHA512)
return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_512), &hash_length);
#else
return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_256), &hash_length);
#endif
@@ -131,7 +131,6 @@ static inline int bootutil_sha_drop(bootutil_sha_context *ctx)
(void)ctx;
return 0;
}

static inline int bootutil_sha_update(bootutil_sha_context *ctx,
const void *data,
uint32_t data_len)
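Review bot: Replacing the `MCUBOOT_SIGN_EC384` branch with `MCUBOOT_SHA512` in the hash-size block, and again in the PSA `bootutil_sha_init()` and `bootutil_sha_finish()` hunks, leaves EC384 builds without a SHA-384 path. With `MCUBOOT_SIGN_EC384` defined and `MCUBOOT_SHA512` not, they now fall through to `IMAGE_HASH_SIZE (32)`, `IMAGE_TLV_SHA256` and `PSA_ALG_SHA_256`. Images produced for that configuration presumably still carry a SHA-384 TLV, so the bootloader would look for the wrong TLV or check the signature over a different digest than the signer used, unless EC384 is handled in a part of the header this page does not show. Keeping a three-way selection preserves the old behaviour and still lets SHA-512 be chosen independently; the closing comment should then name the macro actually tested rather than `MCUBOOT_SIGN`. Both function bodies start or end outside their hunks.

```c
#if defined(MCUBOOT_SHA512)
/* … unchanged: 64-byte size and IMAGE_TLV_SHA512 … */
#elif defined(MCUBOOT_SIGN_EC384)
#define IMAGE_HASH_SIZE (48)
#define EXPECTED_HASH_TLV IMAGE_TLV_SHA384
#else
/* … unchanged: SHA-256 defaults … */
#endif /* MCUBOOT_SHA512 */

/* … bootutil_sha_init(), PSA backend: after the SHA-512 setup line … */
#elif defined(MCUBOOT_SIGN_EC384)
    psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_384);

/* … bootutil_sha_finish(), PSA backend: after the SHA-512 finish line … */
#elif defined(MCUBOOT_SIGN_EC384)
    return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_384), &hash_length);
```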
1 change: 1 addition & 0 deletions boot/bootutil/include/bootutil/image.h
@@ -89,6 +89,7 @@ struct flash_area;
#define IMAGE_TLV_PUBKEY 0x02 /* public key */
#define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */
#define IMAGE_TLV_SHA384 0x11 /* SHA384 of image hdr and body */
#define IMAGE_TLV_SHA512 0x12 /* SHA512 of image hdr and body */
#define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */
#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output - Not supported anymore */
#define IMAGE_TLV_ECDSA_SIG 0x22 /* ECDSA of hash output */
6 changes: 4 additions & 2 deletions boot/zephyr/Kconfig
@@ -72,8 +72,10 @@ choice BOOT_SIGNATURE_TYPE
default BOOT_SIGNATURE_TYPE_RSA

config BOOT_SIGNATURE_TYPE_NONE
bool "No signature; use only hash check"
select BOOT_USE_TINYCRYPT
bool "No signature; use only sha256 check"

config BOOT_SIGNATURE_TYPE_NONE_SHA512
bool "No signature; use only sha512 check"

config BOOT_SIGNATURE_TYPE_RSA
bool "RSA signatures"
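Review bot: `BOOT_SIGNATURE_TYPE_NONE_SHA512` is added without any `depends on` or `select` for a crypto backend, and the `select BOOT_USE_TINYCRYPT` line appears to be dropped from `BOOT_SIGNATURE_TYPE_NONE`. In this commit only the PSA variants of `bootutil_sha_init()` and `bootutil_sha_finish()` in sha.h learn SHA-512, so choosing the new option with another backend would set `IMAGE_HASH_SIZE` to 64 while the hash code presumably still produces a SHA-256 digest, and a hash-only build with no backend selected would hit the `#error "One crypto backend must be defined…"` in sha.h. Consider tying the option to the PSA backend, for example `depends on MBEDTLS_PSA_CRYPTO_CLIENT` (the symbol mcuboot_config.h tests), keeping a default backend for the SHA-256 variant, and adding a matching `#error` next to the `MCUBOOT_SHA512` define in mcuboot_config.h. Both hash-only entries would also benefit from a `help` text stating that they detect corruption only and do not authenticate the image, because the hash TLV can be recomputed by whoever writes the slot.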
6 changes: 6 additions & 0 deletions boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -43,6 +43,12 @@
#ifdef CONFIG_BOOT_USE_NRF_CC310_BL
#define MCUBOOT_USE_NRF_CC310_BL
#endif
#elif defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT)
#define MCUBOOT_USE_PSA_CRYPTO
#endif

#ifdef CONFIG_BOOT_SIGNATURE_TYPE_NONE_SHA512
#define MCUBOOT_SHA512
#endif

/* Zephyr, regardless of C library used, provides snprintf */
