Zephyr ECDSA P-256 support

Makefile

@@ -1,5 +1,35 @@
-BOARD ?= qemu_x86
+# Makefile for building mcuboot as a Zephyr project.
+
+# Configuration choices.
+
+#####################
+# Signature algorithm
+#####################
+# Choose one of RSA or ECDSA P-256 blocks, and uncomment the config
+# lines there, and comment out any other blocks.
+
+# RSA
 CONF_FILE = boot/zephyr/prj.conf
+CFLAGS += -DBOOTUTIL_SIGN_RSA
+
+# ECDSA P-256
+#CONF_FILE = boot/zephyr/prj-p256.conf
+#CFLAGS += -DBOOTUTIL_SIGN_EC256
+
+# Enable this option to have the bootloader verify the signature of
+# the primary image upon every boot.  Without it, signature
+# verification only happens on upgrade.
+CFLAGS += -DBOOTUTIL_VALIDATE_SLOT0
+
+##############################
+# End of configuration blocks.
+##############################
+
+# The board should be set to one of the targets supported by
+# mcuboot/Zephyr.  These can be found in ``boot/zephyr/targets``
+BOARD ?= qemu_x86
+
+# The source to the Zephyr-specific code lives here.
 SOURCE_DIR = boot/zephyr
 
 # Needed for mbedtls config-boot.h file.

boot/bootutil/src/Makefile

@@ -1,5 +1,3 @@
 # Makefile for Zephyr build
 
-ccflags-y += -DBOOTUTIL_SIGN_RSA
-
-obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o
+obj-y += loader.o bootutil_misc.o image_validate.o image_rsa.o image_ec256.o

boot/bootutil/src/image_ec256.c

@@ -122,7 +122,7 @@ tinycrypt_decode_sig(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
     if (rc) {
         return -1;
     }
-    if (cp + len != end) {
+    if (cp + len > end) {
         return -2;
     }
     rc = tinycrypt_read_bigint(r, &cp, end);

boot/zephyr/include/config-asn1.h

@@ -0,0 +1,47 @@
+/*
+ *  Configuration of mbedTLS containing only the ASN.1 parser.
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2016, Linaro Ltd
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Minimal configuration for using TLS in the bootloader
+ *
+ * - RSA or ECDSA signature verification
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+/* mbed TLS modules */
+#define MBEDTLS_ASN1_PARSE_C
+// #define MBEDTLS_ASN1_WRITE_C
+// #define MBEDTLS_BIGNUM_C
+// #define MBEDTLS_MD_C
+// #define MBEDTLS_OID_C
+#define MBEDTLS_SHA256_C
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */

boot/zephyr/keys.c

@@ -19,6 +19,7 @@
 
 #include <bootutil/sign_key.h>
 
+#if defined(BOOTUTIL_SIGN_RSA)
 const unsigned char root_pub_der[] = {
   0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0x06, 0x08,
   0x1a, 0x18, 0x44, 0x2c, 0x18, 0xe8, 0xfb, 0xfd, 0xf7, 0x0d, 0xa3, 0x4f,
@@ -45,6 +46,24 @@ const unsigned char root_pub_der[] = {
   0xc9, 0x02, 0x03, 0x01, 0x00, 0x01
 };
 const unsigned int root_pub_der_len = 270;
+#elif defined(BOOTUTIL_SIGN_EC256)
+const unsigned char root_pub_der[] = {
+	0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+	0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
+	0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+	0x42, 0x00, 0x04, 0x2a, 0xcb, 0x40, 0x3c, 0xe8,
+	0xfe, 0xed, 0x5b, 0xa4, 0x49, 0x95, 0xa1, 0xa9,
+	0x1d, 0xae, 0xe8, 0xdb, 0xbe, 0x19, 0x37, 0xcd,
+	0x14, 0xfb, 0x2f, 0x24, 0x57, 0x37, 0xe5, 0x95,
+	0x39, 0x88, 0xd9, 0x94, 0xb9, 0xd6, 0x5a, 0xeb,
+	0xd7, 0xcd, 0xd5, 0x30, 0x8a, 0xd6, 0xfe, 0x48,
+	0xb2, 0x4a, 0x6a, 0x81, 0x0e, 0xe5, 0xf0, 0x7d,
+	0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53,
+	0x8e, 0xfa, 0xc1, };
+const unsigned int root_pub_der_len = 91;
+#else
+#error "No public key available for given signing algorithm."
+#endif
 
 const struct bootutil_key bootutil_keys[] = {
 	{

boot/zephyr/prj-p256.conf

@@ -0,0 +1,18 @@
+CONFIG_CONSOLE_HANDLER=y
+CONFIG_SYS_LOG=y
+CONFIG_DEBUG=y
+
+CONFIG_MAIN_STACK_SIZE=10240
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_CFG_FILE="config-asn1.h"
+CONFIG_TINYCRYPT=y
+CONFIG_TINYCRYPT_ECC_DSA=y
+
+### mbedTLS wants a heap
+CONFIG_HEAP_MEM_POOL_SIZE=16384
+
+CONFIG_FLASH=y
+
+### Disable Bluetooth by default
+# CONFIG_BLUETOOTH is not set

root-ec-p256.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINeY1S+DASQ701QrflXtTHRhGQCw+VBagk/h6OwGO8/xoAoGCCqGSM49
+AwEHoUQDQgAEKstAPOj+7VukSZWhqR2u6Nu+GTfNFPsvJFc35ZU5iNmUudZa69fN
+1TCK1v5IskpqgQ7l8H2LaDTMOmr8U476wQ==
+-----END EC PRIVATE KEY-----

sign.sh

@@ -1,22 +1,48 @@
 #! /bin/sh
 
+# This script can be used as an example of how to sign images.
+
 source $(dirname $0)/target.sh
 
-./scripts/zep2newt.py \
-    --bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
-    --key root.pem \
-    --sig RSA \
-    --out shell.signed.bin \
-    --vtoff 0x200 \
-    --word-size 8 \
-    --image-version 3 \
-    --bit --pad 0x20000
+# RSA signatures can be made with the signing script in the scripts
+# directory.
+if true; then
+	./scripts/zep2newt.py \
+	    --bin ../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
+	    --key root.pem \
+	    --sig RSA \
+	    --out shell.signed.bin \
+	    --vtoff 0x200 \
+	    --word-size 8 \
+	    --image-version 3 \
+	    --bit --pad 0x20000
+
+	./scripts/zep2newt.py \
+	    --bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
+	    --key root.pem \
+	    --sig RSA \
+	    --vtoff 0x200 \
+	    --word-size 8 \
+	    --image-version 2 \
+	    --out hello.signed.bin
+fi
+
+# Currently, ECDSA signatures need to be made with the imgtool.  See
+# 'imgtool' for instructions on building the tool.
+if false; then
+	imgtool sign \
+		--key root_ec.pem \
+		--header-size 0x200 \
+		--version 3.0 \
+		--align 8 \
+		--pad 0x20000 \
+		../zephyr/samples/shell/outdir/$BOARD/zephyr.bin \
+		shell.signed.bin
 
-./scripts/zep2newt.py \
-    --bin ../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
-    --key root.pem \
-    --sig RSA \
-    --vtoff 0x200 \
-    --word-size 8 \
-    --image-version 2 \
-    --out hello.signed.bin
+	imgtool sign \
+		--key root_ec.pem \
+		--header-size 0x200 \
+		--version 3.0 \
+		../zephyr/samples/hello_world/outdir/$BOARD/zephyr.bin \
+		hello.signed.bin
+fi