diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h b/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h index 6b5b31567..eedb81a44 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h +++ b/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h @@ -14,6 +14,7 @@ #if (defined(MCUBOOT_USE_TINYCRYPT) + \ defined(MCUBOOT_USE_CC310) + \ + defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \ defined(MCUBOOT_USE_MBED_TLS)) != 1 #error "One crypto backend must be defined: either CC310, TINYCRYPT, or MBED_TLS" #endif @@ -35,6 +36,11 @@ #define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8) #endif +#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + #include + #define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8) +#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ + #ifdef __cplusplus extern "C" { #endif @@ -158,6 +164,43 @@ static inline int bootutil_ecdsa_p256_verify(bootutil_ecdsa_p256_context *ctx, } #endif /* MCUBOOT_USE_MBED_TLS */ +#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) +typedef uintptr_t bootutil_ecdsa_p256_context; + +static inline void bootutil_ecdsa_p256_init(bootutil_ecdsa_p256_context *ctx) +{ + (void)ctx; +} + +static inline void bootutil_ecdsa_p256_drop(bootutil_ecdsa_p256_context *ctx) +{ + (void)ctx; +} + +static inline int bootutil_ecdsa_p256_verify(bootutil_ecdsa_p256_context *ctx, + uint8_t *pk, size_t pk_len, + uint8_t *hash, + uint8_t *sig, size_t sig_len) +{ + (void)ctx; + (void)pk_len; + (void)sig_len; + + /* As described on the compact representation in IETF protocols, + * the first byte of the key defines if the ECC points are + * compressed (0x2 or 0x3) or uncompressed (0x4). + * We only support uncompressed keys. + */ + if (pk[0] != 0x04) + return -1; + + pk++; + + return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, + pk, sig); +} +#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ + #ifdef __cplusplus } #endif diff --git a/boot/bootutil/include/bootutil/crypto/sha256.h b/boot/bootutil/include/bootutil/crypto/sha256.h index b45cd6316..c5534e61d 100644 --- a/boot/bootutil/include/bootutil/crypto/sha256.h +++ b/boot/bootutil/include/bootutil/crypto/sha256.h @@ -22,6 +22,7 @@ #if (defined(MCUBOOT_USE_MBED_TLS) + \ defined(MCUBOOT_USE_TINYCRYPT) + \ + defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \ defined(MCUBOOT_USE_CC310)) != 1 #error "One crypto backend must be defined: either CC310, MBED_TLS or TINYCRYPT" #endif @@ -139,6 +140,37 @@ static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, } #endif /* MCUBOOT_USE_CC310 */ +#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + +#include + +typedef bl_sha256_ctx_t bootutil_sha256_context; + +static inline void bootutil_sha256_init(bootutil_sha256_context *ctx) +{ + bl_sha256_init(ctx); +} + +static inline void bootutil_sha256_drop(bootutil_sha256_context *ctx) +{ + (void)ctx; +} + +static inline int bootutil_sha256_update(bootutil_sha256_context *ctx, + const void *data, + uint32_t data_len) +{ + return bl_sha256_update(ctx, data, data_len); +} + +static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, + uint8_t *output) +{ + bl_sha256_finalize(ctx, output); + return 0; +} +#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ + #ifdef __cplusplus } #endif diff --git a/boot/bootutil/src/image_ec256.c b/boot/bootutil/src/image_ec256.c index 196d59319..542159ef6 100644 --- a/boot/bootutil/src/image_ec256.c +++ b/boot/bootutil/src/image_ec256.c @@ -34,8 +34,11 @@ #if defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_MBED_TLS) #define NUM_ECC_BYTES (256 / 8) #endif +#ifdef MCUBOOT_USE_NRF_EXTERNAL_CRYPTO +#define NUM_ECC_BYTES (256 / 8) +#endif #if defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_CC310) || \ - defined(MCUBOOT_USE_MBED_TLS) + defined(MCUBOOT_USE_MBED_TLS) || defined (MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) #include "bootutil/sign_key.h" #include "mbedtls/oid.h" diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index aa97f42c8..1867b6533 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -155,6 +155,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_ zephyr_library_sources(${NRF_DIR}/cc310_glue.c) zephyr_library_include_directories(${NRF_DIR}) zephyr_link_libraries(nrfxlib_crypto) + elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) + zephyr_include_directories(${BL_CRYPTO_DIR}/../include) endif() # Since here we are not using Zephyr's mbedTLS but rather our own, we need diff --git a/boot/zephyr/external_crypto.conf b/boot/zephyr/external_crypto.conf new file mode 100644 index 000000000..8181ad51c --- /dev/null +++ b/boot/zephyr/external_crypto.conf @@ -0,0 +1,20 @@ +# +# Copyright (c) 2021 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +# These configurations should be used when using nrf/samples/bootloader +# as the immutable bootloader (B0), and MCUBoot as the second stage updateable +# bootloader. + +# Set ECDSA as signing mechanism +CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y + +# Use crypto backend from B0 +CONFIG_BOOT_NRF_EXTERNAL_CRYPTO=y +CONFIG_SECURE_BOOT_CRYPTO=y +CONFIG_SB_CRYPTO_CLIENT_ECDSA_SECP256R1=y +CONFIG_SB_CRYPTO_CLIENT_SHA256=y +CONFIG_BL_SHA256_EXT_API_REQUIRED=y +CONFIG_BL_SECP256R1_EXT_API_REQUIRED=y diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 10926876d..db259a4de 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -39,9 +39,8 @@ #define MCUBOOT_USE_TINYCRYPT #elif defined(CONFIG_BOOT_USE_CC310) #define MCUBOOT_USE_CC310 -#ifdef CONFIG_BOOT_USE_NRF_CC310_BL -#define MCUBOOT_USE_NRF_CC310_BL -#endif +#elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) +#define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO #endif /* Zephyr, regardless of C library used, provides snprintf */