provisioning: Add ECDSA provisioning capability

Provides the changeability of the signing method at
`application/<app>/CmakeLists.txt`, under `AWS_OTA_SIGNATURE_TYPE`.
Provides support for EC_P256, EC_P384, RSA_2048 and RSA_3072.

Separates the signing algorithm/keys used for TF-M and the NS side.

Signed-off-by: Gergely Korcsák <[email protected]>

Author: gergelykarm

.gitlab-ci.yml

@@ -76,6 +76,7 @@ workflow:
           build/${APP}_merged.elf \
           build/${APP}-update_signed.bin \
           build/update-signature.txt \
+          build/CMakeCache.txt \
           applications/${APP_UNDERSCORED}/configs/aws_configs
       fi
 
@@ -252,6 +253,7 @@ test-blinky-output:
         tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz
       fi
     - export APP_UNDERSCORED=$(echo ${APP} | tr '-' '_')
+    - export SIGNING_ALGO=$(cat build/CMakeCache.txt | grep AWS_OTA_SIGNATURE_TYPE | sed s/.*=// | sed s/-.*//)
     - |
       if [[ $AUDIO == "VSI" ]]; then
         pytest -s tools/tests/test_applications.py \
@@ -261,6 +263,7 @@ test-blinky-output:
         --credentials-path "applications/${APP_UNDERSCORED}/configs/aws_configs" \
         --merged-elf-name "${APP}_merged.elf" \
         --signed-update-bin-name "${APP}-update_signed.bin" \
+        --signing-algo ${SIGNING_ALGO} \
         --timeout-seconds 2700 \
         --pass-output-file "applications/${APP_UNDERSCORED}/tests/${TARGET}_pass_output.log" \
         --fail-output-file "applications/${APP_UNDERSCORED}/tests/fail_output.log" \
@@ -273,6 +276,7 @@ test-blinky-output:
         --credentials-path "applications/${APP_UNDERSCORED}/configs/aws_configs" \
         --merged-elf-name "${APP}_merged.elf" \
         --signed-update-bin-name "${APP}-update_signed.bin" \
+        --signing-algo ${SIGNING_ALGO} \
         --timeout-seconds 1800 \
         --pass-output-file "applications/${APP_UNDERSCORED}/tests/${TARGET}_pass_output.log" \
         --fail-output-file "applications/${APP_UNDERSCORED}/tests/fail_output.log"
@@ -283,6 +287,7 @@ test-blinky-output:
         --credentials-path "applications/${APP_UNDERSCORED}/configs/aws_configs" \
         --merged-elf-name "${APP}_merged.elf" \
         --signed-update-bin-name "${APP}-update_signed.bin" \
+        --signing-algo ${SIGNING_ALGO} \
         --timeout-seconds 2700 \
         --pass-output-file "applications/${APP_UNDERSCORED}/tests/${TARGET}_pass_output.log" \
         --fail-output-file "applications/${APP_UNDERSCORED}/tests/fail_output.log"

applications/freertos_iot_libraries_tests/CMakeLists.txt

@@ -4,6 +4,8 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
+set(AWS_OTA_SIGNATURE_TYPE  "RSA-3072" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]")
+
 # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h
 # struct version
 # {
@@ -51,6 +53,7 @@ list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/bsp/cm
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/aws_iot/cmake)
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake)
 include(SetLinkerOptions)
+include(AWSIoTHelpers)
 include(GenerateAWSUpdateDigestAndSignature)
 include(MergeTfmImages)
 include(SignTfmImage)

applications/freertos_iot_libraries_tests/main.c

@@ -173,7 +173,7 @@ int main( void )
 
         LogInfo( ( "Device key provisioning succeeded \n" ) );
 
-        psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+        psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, AWS_OTA_SIGNATURE_KEY_LEN );
 
         if( uxStatus != PSA_SUCCESS )
         {

applications/helpers/provisioning/CMakeLists.txt

@@ -23,8 +23,6 @@ else()
         fri-bsp
     )
 
-    ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
-
     if(FREERTOS_LIBRARIES_INTEGRATION_TESTS EQUAL 1)
         set(
             CODE_SIGNING_PUBLIC_KEY_PEM_PATH
@@ -33,13 +31,14 @@ else()
     else()
         set(
             CODE_SIGNING_PUBLIC_KEY_PEM_PATH
-            ${BINARY_DIR}/api_ns/image_signing/keys/image_ns_signing_public_key.pem
+            ${AWS_OTA_SIGNATURE_PUBLIC_KEY_PATH}
         )
     endif()
 
     add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/aws_clientcredential_keys.h
         DEPENDS ${AWS_CLIENT_PRIVATE_KEY_PEM_PATH}
         DEPENDS ${AWS_CLIENT_CERTIFICATE_PEM_PATH}
+        DEPENDS aws_ota_signing_keys
         COMMAND
             ${Python3_EXECUTABLE} ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/scripts/generate_credentials_header.py
                 ${CMAKE_CURRENT_BINARY_DIR}
@@ -89,4 +88,13 @@ else()
         freertos_kernel
         mbedtls
     )
+
+    target_compile_definitions(provisioning-lib
+        PUBLIC
+            $<$<STREQUAL:${AWS_OTA_SIG_TYPE},RSA>:AWS_OTA_SIGN_RSA>
+            $<$<STREQUAL:${AWS_OTA_SIG_TYPE},EC>:AWS_OTA_SIGN_ECDSA>
+            $<$<STREQUAL:${AWS_OTA_SIG_TYPE},EC>:AWS_OTA_ECDSA_HEADER_SIZE=26>
+
+            AWS_OTA_SIGNATURE_KEY_LEN=${AWS_OTA_SIG_LEN}
+    )
 endif() # BUILD_TESTING AND NOT CMAKE_CROSS_COMPILING

applications/helpers/provisioning/dev_mode_key_provisioning.c

@@ -1382,10 +1382,17 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
     size_t xPubKeyDerLength = DER_FORMAT_BUFFER_LENGTH;
     size_t xPubKeyPemLength = strlen( ( const char * ) pxProvisioningParamsBundle->codeSigningPublicKey );
     int result = 0;
+    psa_status_t status = PSA_SUCCESS;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    mbedtls_pk_context xMbedPkContext = { 0 };
 
-    mbedtls_pk_init( &xMbedPkContext );
+    #ifdef AWS_OTA_SIGN_RSA
+    mbedtls_pk_context xMbedPkContext = { 0 };
+    #elif AWS_OTA_SIGN_ECDSA
+        uint8_t * pucPubKeyDerFormatBufferEcdsaAligned = pucPubKeyDerFormatBuffer + AWS_OTA_ECDSA_HEADER_SIZE;
+        size_t xPubKeyDerLengthEcdsaAligned;
+    #else /* ifdef AWS_OTA_SIGN_RSA */
+    #error "Unknown crypto algorithm, supportted algorithms are EC and RSA!"
+    #endif
 
     result = convert_pem_to_der( ( const unsigned char * ) pxProvisioningParamsBundle->codeSigningPublicKey,
                                  xPubKeyPemLength,
@@ -1394,59 +1401,73 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
 
     if( result != 0 )
     {
-        goto exit;
+        return result;
     }
 
-    /*
-     * From mbedtls 3.6.0 release note:
-     *
-     * Default behavior changes
-     * psa_import_key() now only accepts RSA keys in the PSA standard formats.
-     * The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
-     * PEM) accepted by the pkparse module has been removed. Applications that
-     * need these formats can call mbedtls_pk_parse_{public,}key() followed by
-     * mbedtls_pk_import_into_psa().
-     */
-
-    result = mbedtls_pk_parse_public_key( &xMbedPkContext,
-                                          ( const unsigned char * ) pucPubKeyDerFormatBuffer,
-                                          xPubKeyDerLength );
-
-    if( result != 0 )
-    {
-        goto exit;
-    }
-
-    result = mbedtls_pk_get_psa_attributes( &xMbedPkContext,
-                                            PSA_KEY_USAGE_VERIFY_HASH,
-                                            &attributes );
-
-    if( result != 0 )
-    {
-        goto exit;
-    }
-
-    #ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
-        psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE );
-    #endif
+    #ifdef AWS_OTA_SIGN_RSA
+        mbedtls_pk_init( &xMbedPkContext );
+
+        /*
+         * From mbedtls 3.6.0 release note:
+         *
+         * Default behavior changes
+         * psa_import_key() now only accepts RSA keys in the PSA standard formats.
+         * The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
+         * PEM) accepted by the pkparse module has been removed. Applications that
+         * need these formats can call mbedtls_pk_parse_{public,}key() followed by
+         * mbedtls_pk_import_into_psa().
+         */
+        result = mbedtls_pk_parse_public_key( &xMbedPkContext,
+                                              ( const unsigned char * ) pucPubKeyDerFormatBuffer,
+                                              xPubKeyDerLength );
+
+        if( result != 0 )
+        {
+            mbedtls_pk_free( &xMbedPkContext );
+            return result;
+        }
 
-    psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) );
-    psa_set_key_bits( &attributes, keyBits );
+        result = mbedtls_pk_get_psa_attributes( &xMbedPkContext,
+                                                PSA_KEY_USAGE_VERIFY_HASH,
+                                                &attributes );
 
-    result = mbedtls_pk_import_into_psa( &xMbedPkContext,
-                                         &attributes,
-                                         pxKeyHandle );
+        if( result != 0 )
+        {
+            mbedtls_pk_free( &xMbedPkContext );
+            return result;
+        }
 
-    if( result != 0 )
-    {
+        #ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+            psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE );
+        #endif
+
+        psa_set_key_bits( &attributes, keyBits );
+        psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) );
+        status = mbedtls_pk_import_into_psa( &xMbedPkContext,
+                                             &attributes,
+                                             pxKeyHandle );
+    #elif AWS_OTA_SIGN_ECDSA
+        xPubKeyDerLengthEcdsaAligned = xPubKeyDerLength - AWS_OTA_ECDSA_HEADER_SIZE;
+        #ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+            psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE );
+        #endif
+        psa_set_key_bits( &attributes, keyBits );
+        psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
+        psa_set_key_algorithm( &attributes, PSA_ALG_ECDSA( PSA_ALG_SHA_256 ) );
+        psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( PSA_ECC_FAMILY_SECP_R1 ) );
+        status = psa_import_key( &attributes, ( const uint8_t * ) pucPubKeyDerFormatBufferEcdsaAligned,
+                                 xPubKeyDerLengthEcdsaAligned, pxKeyHandle );
+    #endif /* ifdef AWS_OTA_SIGN_RSA */
+
+    if( status != PSA_SUCCESS )
+    {
+        #ifdef AWS_OTA_SIGN_RSA
+            mbedtls_pk_free( &xMbedPkContext );
+        #endif
         *pxKeyHandle = NULL;
-        goto exit;
     }
 
-exit:
-    mbedtls_pk_free( &xMbedPkContext );
-
-    return result;
+    return status;
 }
 
 UBaseType_t uxIsDeviceProvisioned( void )

applications/keyword_detection/CMakeLists.txt

@@ -4,11 +4,10 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
-set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS | SOFTWARE)")
-
-set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)")
-
-set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/keyword_detection" CACHE STRING "Path to the application folder")
+set(ML_INFERENCE_ENGINE     "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS | SOFTWARE)")
+set(AUDIO_SOURCE            "ROM"   CACHE STRING "Source of audio data (ROM | VSI)")
+set(APPLICATION_PATH        "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/keyword_detection" CACHE STRING "Path to the application folder")
+set(AWS_OTA_SIGNATURE_TYPE  "RSA-3072" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]")
 
 # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h
 # struct version
@@ -68,6 +67,7 @@ list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/compon
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake)
 include(SetupMlEmbeddedEvaluationKitLibraries)
 include(ConvertAudioSourceToCode)
+include(AWSIoTHelpers)
 include(GenerateAWSUpdateDigestAndSignature)
 include(MergeTfmImages)
 include(SignTfmImage)

applications/keyword_detection/main.c

@@ -196,7 +196,7 @@ int main( void )
 
         LogInfo( ( "Device key provisioning succeeded \n" ) );
 
-        psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+        psa_status_t uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, AWS_OTA_SIGNATURE_KEY_LEN );
 
         if( uxStatus != PSA_SUCCESS )
         {

applications/object_detection/CMakeLists.txt

@@ -4,11 +4,10 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
-set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS)")
-
-set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)")
-
-set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/object_detection" CACHE STRING "Path to the application folder")
+set(ML_INFERENCE_ENGINE     "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS)")
+set(AUDIO_SOURCE            "ROM"   CACHE STRING "Source of audio data (ROM | VSI)")
+set(APPLICATION_PATH        "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/object_detection" CACHE STRING "Path to the application folder")
+set(AWS_OTA_SIGNATURE_TYPE  "RSA-3072" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]")
 
 # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h
 # struct version
@@ -67,6 +66,7 @@ list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/compon
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/ai/ml_embedded_evaluation_kit/integration/cmake)
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake)
 include(SetupMlEmbeddedEvaluationKitLibraries)
+include(AWSIoTHelpers)
 include(GenerateAWSUpdateDigestAndSignature)
 include(MergeTfmImages)
 include(SignTfmImage)

applications/object_detection/main.c

@@ -184,7 +184,7 @@ int main( void )
 
         LogInfo( ( "Device key provisioning succeeded \n" ) );
 
-        uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, 3072 );
+        uxStatus = xOtaProvisionCodeSigningKey( &xOTACodeVerifyKeyHandle, AWS_OTA_SIGNATURE_KEY_LEN );
 
         if( uxStatus != PSA_SUCCESS )
         {

applications/speech_recognition/CMakeLists.txt

@@ -4,11 +4,10 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
-set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS)")
-
-set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)")
-
-set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/speech_recognition" CACHE STRING "Path to the application folder")
+set(ML_INFERENCE_ENGINE     "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS)")
+set(AUDIO_SOURCE            "ROM"   CACHE STRING "Source of audio data (ROM | VSI)")
+set(APPLICATION_PATH        "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/speech_recognition" CACHE STRING "Path to the application folder")
+set(AWS_OTA_SIGNATURE_TYPE  "RSA-3072" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]")
 
 # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h
 # struct version
@@ -68,6 +67,7 @@ list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/compon
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake)
 include(SetupMlEmbeddedEvaluationKitLibraries)
 include(ConvertAudioSourceToCode)
+include(AWSIoTHelpers)
 include(GenerateAWSUpdateDigestAndSignature)
 include(MergeTfmImages)
 include(SignTfmImage)