[nrf noup] boot: bootutil: Add shared crypto for ECDSA and SHA

* Add functions for ecdsa_verify_secp256r1 and sha256 to use the shared crypto API * Add Kconfig and CMake variables for selecting shared crypto when using ecdsa * Add custom section to project for placing the API section in the correct location in flash * Add kconfig fragment for using external crypto Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com> Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no> Signed-off-by: Emil Obalski <emil.obalski@nordicsemi.no> Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no> Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no> Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no> Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no> Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no> Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no> Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no> Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no> (cherry picked from commit 4340902)
de-nordic · Sep 6, 2022 · 2576bf3 · 2576bf3
1 parent ae87eb5
commit 2576bf3
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 4 deletions.
diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h b/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h
@@ -14,6 +14,7 @@
 
 #if (defined(MCUBOOT_USE_TINYCRYPT) + \
      defined(MCUBOOT_USE_CC310) + \
+     defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
      defined(MCUBOOT_USE_MBED_TLS)) != 1
     #error "One crypto backend must be defined: either CC310, TINYCRYPT, or MBED_TLS"
 #endif
@@ -35,6 +36,11 @@
     #define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8)
 #endif
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+    #include <bl_crypto.h>
+    #define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8)
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -158,6 +164,43 @@ static inline int bootutil_ecdsa_p256_verify(bootutil_ecdsa_p256_context *ctx,
 }
 #endif /* MCUBOOT_USE_MBED_TLS */
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+typedef uintptr_t bootutil_ecdsa_p256_context;
+
+static inline void bootutil_ecdsa_p256_init(bootutil_ecdsa_p256_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline void bootutil_ecdsa_p256_drop(bootutil_ecdsa_p256_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline int bootutil_ecdsa_p256_verify(bootutil_ecdsa_p256_context *ctx,
+                                             uint8_t *pk, size_t pk_len,
+                                             uint8_t *hash,
+                                             uint8_t *sig, size_t sig_len)
+{
+    (void)ctx;
+    (void)pk_len;
+    (void)sig_len;
+
+	/* As described on the compact representation in IETF protocols,
+	 * the first byte of the key defines if the ECC points are
+	 * compressed (0x2 or 0x3) or uncompressed (0x4).
+	 * We only support uncompressed keys.
+	 */
+	if (pk[0] != 0x04)
+		return -1;
+
+	pk++;
+
+    return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE,
+                                 pk, sig);
+}
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/boot/bootutil/include/bootutil/crypto/sha256.h b/boot/bootutil/include/bootutil/crypto/sha256.h
@@ -22,6 +22,7 @@
 
 #if (defined(MCUBOOT_USE_MBED_TLS) + \
      defined(MCUBOOT_USE_TINYCRYPT) + \
+     defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
      defined(MCUBOOT_USE_CC310)) != 1
     #error "One crypto backend must be defined: either CC310, MBED_TLS or TINYCRYPT"
 #endif
@@ -139,6 +140,37 @@ static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx,
 }
 #endif /* MCUBOOT_USE_CC310 */
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+
+#include <bl_crypto.h>
+
+typedef bl_sha256_ctx_t bootutil_sha256_context;
+
+static inline void bootutil_sha256_init(bootutil_sha256_context *ctx)
+{
+    bl_sha256_init(ctx);
+}
+
+static inline void bootutil_sha256_drop(bootutil_sha256_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline int bootutil_sha256_update(bootutil_sha256_context *ctx,
+                                          const void *data,
+                                          uint32_t data_len)
+{
+    return bl_sha256_update(ctx, data, data_len);
+}
+
+static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx,
+                                          uint8_t *output)
+{
+    bl_sha256_finalize(ctx, output);
+    return 0;
+}
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/boot/bootutil/src/image_ec256.c b/boot/bootutil/src/image_ec256.c
@@ -34,8 +34,11 @@
 #if defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_MBED_TLS)
 #define NUM_ECC_BYTES (256 / 8)
 #endif
+#ifdef MCUBOOT_USE_NRF_EXTERNAL_CRYPTO
+#define NUM_ECC_BYTES (256 / 8)
+#endif
 #if defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_CC310) || \
-    defined(MCUBOOT_USE_MBED_TLS)
+    defined(MCUBOOT_USE_MBED_TLS) || defined (MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
 #include "bootutil/sign_key.h"
 
 #include "mbedtls/oid.h"

diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
@@ -168,6 +168,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_
     zephyr_library_sources(${NRF_DIR}/cc310_glue.c)
     zephyr_library_include_directories(${NRF_DIR})
     zephyr_link_libraries(nrfxlib_crypto)
+  elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO)
+    zephyr_include_directories(${BL_CRYPTO_DIR}/../include)
   endif()
 
   # Since here we are not using Zephyr's mbedTLS but rather our own, we need

diff --git a/boot/zephyr/external_crypto.conf b/boot/zephyr/external_crypto.conf
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2021 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-BSD-5-Clause-Nordic
+#
+
+# These configurations should be used when using nrf/samples/bootloader
+# as the immutable bootloader (B0), and MCUBoot as the second stage updateable
+# bootloader.
+
+# Set ECDSA as signing mechanism
+CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
+
+# Use crypto backend from B0
+CONFIG_BOOT_NRF_EXTERNAL_CRYPTO=y
+CONFIG_SECURE_BOOT_CRYPTO=y
+CONFIG_SB_CRYPTO_CLIENT_ECDSA_SECP256R1=y
+CONFIG_SB_CRYPTO_CLIENT_SHA256=y
+CONFIG_BL_SHA256_EXT_API_REQUIRED=y
+CONFIG_BL_SECP256R1_EXT_API_REQUIRED=y
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -37,9 +37,8 @@
 #define MCUBOOT_USE_TINYCRYPT
 #elif defined(CONFIG_BOOT_USE_CC310)
 #define MCUBOOT_USE_CC310
-#ifdef CONFIG_BOOT_USE_NRF_CC310_BL
-#define MCUBOOT_USE_NRF_CC310_BL
-#endif
+#elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO)
+#define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO
 #endif
 
 /* Zephyr, regardless of C library used, provides snprintf */