Skip to content

Add support for multiple same-type signatures with key ID parsing #2305

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add support for multiple same-type signatures with key ID parsing #2305

wants to merge 4 commits into from
+717 −408

Conversation

maulik-arm
Copy link

@maulik-arm maulik-arm commented May 14, 2025
edited
Loading

This PR adds support for signing and verifying images with multiple signatures of the same type (e.g., multiple EC256 signatures), enhancing flexibility in secure boot scenarios. It also introduces Key ID TLV parsing to enable the bootloader to select the correct key from a set of built-in keys.

Motivation

Previously, MCUboot only allowed a single signature per image per signature type. This limited use cases where multiple stakeholders need to sign the same image or when fallback keys are required.
This PR removes that limitation by allowing multiple signatures of the same type.

Use Cases

  • Multi-party signing: e.g., 2 (potentially independent) parties can sign the same image, enabling chain-of-trust across organizational boundaries.
  • Key rotation or backup: include signatures from both the current and next key, or a recovery key.

Changes Included

1. bootutil: Parse key ID TLV for built-in keys

  • Adds support for parsing Key ID TLVs in the image when MCUBOOT_BUILTIN_KEY is enabled.
  • This enables selection of the correct built-in key for verification.

2. imgtool: Add support for multiple signatures and key ID TLVs

  • Enables signing an image with multiple keys of the same type.
  • Adds CLI support for passing multiple --key arguments.
  • Allows optional specification of a key ID per signature, which gets encoded in the TLV.
  • Updates imgtool test suite to verify both multiple signatures and key ID inclusion.

3. bootutil: Add support for verifying multiple same-type signatures

  • Updates signature verification logic to loop through all same-type signature TLVs.
  • When MCUBOOT_BUILTIN_KEY or MCUBOOT_HW_KEY is enabled, the key ID is used to select the appropriate key for verification.

Notes

  • Backwards compatible: Images with a single signature continue to work as before.
  • Only takes effect when config 'MCUBOOT_IMAGE_MULTI_SIG_SUPPORT' is enabled.
  • Designed to work with existing MCUboot signature verification flow with minimal disruption.

davidvincze
davidvincze reviewed May 21, 2025
View reviewed changes
Copy link
Collaborator

@davidvincze davidvincze left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Please update signature the data member of Image class to signatures.

@nordicjm nordicjm mentioned this pull request May 22, 2025
Closed
@maulik-arm maulik-arm force-pushed the feat/multi-sig-same-type branch from 6ce6e96 to e0027a2 Compare May 23, 2025 11:53
RcColes
RcColes suggested changes Jun 3, 2025
View reviewed changes
@maulik-arm maulik-arm force-pushed the feat/multi-sig-same-type branch 2 times, most recently from 8301988 to 9322025 Compare June 9, 2025 12:21
Anton-TF
Anton-TF reviewed Jun 10, 2025
View reviewed changes
@maulik-arm maulik-arm force-pushed the feat/multi-sig-same-type branch from 9322025 to 291cf66 Compare June 10, 2025 10:56
RcColes
RcColes approved these changes Jun 17, 2025
View reviewed changes
Copy link
Contributor

@RcColes RcColes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

openci-bot pushed a commit to TrustedFirmware-M/trusted-firmware-m that referenced this pull request Jun 19, 2025
@maulik-arm @adeaarm
BL2: Add patches for mcuboot
7474c75 
Until the PR mcu-tools/mcuboot#2305 is merged,
apply the added patches to support multiple signatures in mcuboot.

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Id8e62b7f332611858508bd445fab99fd7c0259ab
openci-bot pushed a commit to TrustedFirmware-M/trusted-firmware-m that referenced this pull request Jun 19, 2025
@maulik-arm @adeaarm
RSE: BL2: Add multi sign support for MCUBOOT_HW_KEY
19a104c 
By default MCUBOOT_IMAGE_MULTI_SIG_SUPPORT is set to OFF, maintaining
the existing single-signature behavior.

When enabled, RSE secure image is also signed with additional
ROTPK key. And both the signaures are verified during boot.

This patch works with changes to mcuboot for multi-signature support
(PR: mcu-tools/mcuboot#2305)

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Ic72d1dcfa3f3ada6c4d275281122f6d919a2d8e1
davidvincze
davidvincze reviewed Jun 19, 2025
View reviewed changes
@maulik-arm
bootutil: Parse key id for built in keys
529698d 
When MCUBOOT_BUILTIN_KEY is enabled, the key id TLV entry is added
to the image. Parse this entry while validating the image to identify
the key used to sign the image.

This enables future support for scenarios such as multiple built-in keys
or multi-signature.

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Ibe26bc2b09e63350f4214719606a5aa4bc1be93c
@maulik-arm
imgtool: Add support for multiple signatures
35bdb7b 
This patch adds support for multiple signatures to single image.
This is useful for scenarios where multiple keys are used to sign
images, allowing for greater flexibility and security in the
image verification process.
The tool command line interface is extended to support multiple
signatures.

The imgtool test suite is updated to test the new functionality.

Change-Id: I285b426671f6ad76472f0a2f8fb3a330f8882c3d
Signed-off-by: Maulik Patel <maulik.patel@arm.com>
@maulik-arm maulik-arm force-pushed the feat/multi-sig-same-type branch from 291cf66 to 6b64341 Compare June 24, 2025 14:16
degjorva pushed a commit to degjorva/trusted-firmware-m that referenced this pull request Jun 25, 2025
@maulik-arm @degjorva
BL2: Add patches for mcuboot
d3a8741 
Until the PR mcu-tools/mcuboot#2305 is merged,
apply the added patches to support multiple signatures in mcuboot.

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Id8e62b7f332611858508bd445fab99fd7c0259ab
degjorva pushed a commit to degjorva/trusted-firmware-m that referenced this pull request Jun 25, 2025
@maulik-arm @degjorva
RSE: BL2: Add multi sign support for MCUBOOT_HW_KEY
5e7f943 
By default MCUBOOT_IMAGE_MULTI_SIG_SUPPORT is set to OFF, maintaining
the existing single-signature behavior.

When enabled, RSE secure image is also signed with additional
ROTPK key. And both the signaures are verified during boot.

This patch works with changes to mcuboot for multi-signature support
(PR: mcu-tools/mcuboot#2305)

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Ic72d1dcfa3f3ada6c4d275281122f6d919a2d8e1
davidvincze
davidvincze reviewed Jun 25, 2025
View reviewed changes
@maulik-arm
bootutil: Add support for multi-sign of same type
f0e36e3 
This commit adds functionality to the bootutil library to support
multiple sign verfication of same type when 'MCUBOOT_BUILTIN_KEY' or
'MCUBOOT_HW_KEY' is enabled.

The image_validate.c file is refactored such that:
* bootutil_find_key() find the key is moved to a new file
  bootutil_find_key.c.
* bootutil_image_hash() is moved to a new file bootutil_image_hash.c.
* bootutil_img_security_cnt() is moved to a new file
  bootutil_img_security_cnt.c.

This allows common validation code to be reused for multiple signatures.
All code specific to multi sign is under the option
'MCUBOOT_IMAGE_MULTI_SIG_SUPPORT'.

Furthermore, key id type is updated to uint32_t as per PSA crypto spec.

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: I05c97ac385c5816c812c51feb010028df8412fe5
@maulik-arm
imgtool: Rename key-ids to psa-key-ids
92e6949 
Since the key id concept in the PSA specific, rename the variables
accordingly.

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: I8a8a5ceba5554211f185cc4045a6081b6d407507
@maulik-arm maulik-arm force-pushed the feat/multi-sig-same-type branch from 6b64341 to 92e6949 Compare June 25, 2025 10:09
@davidvincze
Copy link
Collaborator

Thank you @maulik-arm for all the updates!

@davidvincze
Copy link
Collaborator

davidvincze commented Jun 25, 2025
edited
Loading

@maulik-arm I forgot to ask you to add a release note snippet for this major change.
Please see: release-notes.d/00readme.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Anton-TF Anton-TF Anton-TF left review comments

@RcColes RcColes RcColes approved these changes

@davidvincze davidvincze davidvincze approved these changes

@d3zd3z d3zd3z Awaiting requested review from d3zd3z d3zd3z is a code owner

Assignees
No one assigned
Labels
area: core Affects core functionality enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@maulik-arm @davidvincze @RcColes @Anton-TF