[nrf fromtree] boot: SHA512 verification #336
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nordicjm
reviewed
Sep 26, 2024
Comment on lines
644
to
652
| /* As described on the compact representation in IETF protocols, | ||
| * the first byte of the key defines if the ECC points are | ||
| * compressed (0x2 or 0x3) or uncompressed (0x4). | ||
| * We only support uncompressed keys. | ||
| */ | ||
| if (pk[0] != 0x04) | ||
| return -1; | ||
|
|
||
| pk++; |
There was a problem hiding this comment.
wild indent, and use brackets for if
There was a problem hiding this comment.
That is in one of noups already. I can post separate fix for that.
adds TLV and Kconfig to decouple verification from other options. Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no> Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no> (cherry picked from commit 41df52e)
* Add functions for ecdsa_verify_secp256r1 and sha256 to use the shared crypto API * Add Kconfig and CMake variables for selecting shared crypto when using ecdsa * Add custom section to project for placing the API section in the correct location in flash * Add kconfig fragment for using external crypto Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com> Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no> Signed-off-by: Emil Obalski <emil.obalski@nordicsemi.no> Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no> Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no> Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no> Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no> Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no> Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no> Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no> Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no> Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no> (cherry picked from commit 55683e3) (cherry picked from commit 0faa8b2) (cherry picked from commit a42e9cc) (cherry picked from commit 895c76b) (cherry picked from commit ff53382) (cherry picked from commit cc42516)
Fixed hash algorithm defaults to SHA256 in case no key provided. Verification improved by adding check for key - tlv mismatch, VerifyResult.KEY_MISMATCH added to indicate this case. Multiple styling fixes and import optimisation, exception handling. Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com> Change-Id: I61a588de5b39678707c0179f4edaa411ceb67c8e (cherry picked from commit 36f8bf3) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Defaults to false. Signed-off-by: Mateusz Wielgos <mateusz.wielgos@emerson.com> (cherry picked from commit dc03055) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The adds support for hashing image with SHA512, to allow SHA512-ED25519-SHA512 signature. To support above --sha parameter has been added that can take value: auto, 256, 384, 512 to select sha, where auto brings the default behaviour, or current, behaviour. The sha provided here is tested against key so not all combinations are supported. Upstream PR: mcu-tools/mcuboot#2048 Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
nordicjm
approved these changes
Sep 26, 2024
nvlsianpu
approved these changes
Sep 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
adds TLV and Kconfig to decouple verification from
other options.
There are two important commits:
[nrf fromtree] boot: SHA512 verification
[nrf fromlist] imgtool: Add support for calculating SHA512
all the others commits are revert and bring back of noup commits that cause conflicts and required cherry-picks.