
Commit 41df52e

michalek-nonvlsianpu
authored and committed
boot: SHA512 verification
adds TLV and Kconfig to decouple verification from other options. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]>
1 parent 7567200 commit 41df52e

5 files changed

+79
-4
lines changed


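--- a/boot/bootutil/include/bootutil/crypto/sha.h
+++ b/boot/bootutil/include/bootutil/crypto/sha.h
@@ -34,13 +34,16 @@
 #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO"
 #endif
 
-#if defined(MCUBOOT_SIGN_EC384)
+#if defined(MCUBOOT_SHA512)
+#define IMAGE_HASH_SIZE (64)
+#define EXPECTED_HASH_TLV IMAGE_TLV_SHA512
+#elif defined(MCUBOOT_SIGN_EC384)
 #define IMAGE_HASH_SIZE (48)
 #define EXPECTED_HASH_TLV IMAGE_TLV_SHA384
 #else
 #define IMAGE_HASH_SIZE (32)
 #define EXPECTED_HASH_TLV IMAGE_TLV_SHA256
-#endif /* MCUBOOT_SIGN_EC384 */
+#endif /* MCUBOOT_SIGN */
 
 /* Universal defines for SHA-256 */
 #define BOOTUTIL_CRYPTO_SHA256_BLOCK_SIZE (64)
@@ -82,7 +85,9 @@ typedef psa_hash_operation_t bootutil_sha_context;
 static inline int bootutil_sha_init(bootutil_sha_context *ctx)
 {
 *ctx = psa_hash_operation_init();
-#if defined(MCUBOOT_SIGN_EC384)
+#if defined(MCUBOOT_SHA512)
+psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_512);
+#elif defined(MCUBOOT_SIGN_EC384)
 psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_384);
 #else
 psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_256);
@@ -107,7 +112,9 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
 {
 size_t hash_length = 0;
 /* Assumes the output buffer is at least the expected size of the hash */
-#if defined(MCUBOOT_SIGN_EC384)
+#if defined(MCUBOOT_SHA512)
+return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_512), &hash_length);
+#elif defined(MCUBOOT_SIGN_EC384)
 return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_384), &hash_length);
 #else
 return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_256), &hash_length);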
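Review bot: In the first hunk MCUBOOT_SHA512 now takes precedence over MCUBOOT_SIGN_EC384 when choosing IMAGE_HASH_SIZE and EXPECTED_HASH_TLV, but nothing at the C level stops both from being defined at once: MCUBOOT_SIGN_EC384 comes from the signature type and MCUBOOT_SHA512 from the new hash choice, and the SHA-512 path is only added to the PSA backend's bootutil_sha_init/bootutil_sha_finish. With both defined the image would be hashed with SHA-512 while the P-384 signature path presumably still expects a SHA-384 digest, so the mismatch would surface only as a runtime verification failure; a guard such as `#if defined(MCUBOOT_SHA512) && defined(MCUBOOT_SIGN_EC384)` / `#error "MCUBOOT_SHA512 cannot be combined with MCUBOOT_SIGN_EC384"` / `#endif` turns that into a build error. The closing comment `#endif /* MCUBOOT_SIGN */` no longer names the macros it closes; `#endif /* MCUBOOT_SHA512 / MCUBOOT_SIGN_EC384 */` would. The bodies of bootutil_sha_init and bootutil_sha_finish continue past the second and third hunks.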

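--- a/boot/bootutil/include/bootutil/image.h
+++ b/boot/bootutil/include/bootutil/image.h
@@ -96,6 +96,7 @@ struct flash_area;
 #define IMAGE_TLV_PUBKEY 0x02 /* public key */
 #define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */
 #define IMAGE_TLV_SHA384 0x11 /* SHA384 of image hdr and body */
+#define IMAGE_TLV_SHA512 0x12 /* SHA512 of image hdr and body */
 #define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */
 #define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output - Not supported anymore */
 #define IMAGE_TLV_ECDSA_SIG 0x22 /* ECDSA of hash output */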

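--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -362,6 +362,7 @@ static const uint16_t allowed_unprot_tlvs[] = {
 IMAGE_TLV_PUBKEY,
 IMAGE_TLV_SHA256,
 IMAGE_TLV_SHA384,
+IMAGE_TLV_SHA512,
 IMAGE_TLV_RSA2048_PSS,
 IMAGE_TLV_ECDSA224,
 IMAGE_TLV_ECDSA_SIG,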

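--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -24,6 +24,12 @@ config BOOT_USE_MBEDTLS
 help
 Use mbedTLS for crypto primitives.
 
+config BOOT_USE_PSA_CRYPTO
+bool
+# Hidden option
+help
+Hidden option set if using PSA crypt for cryptography functionality
+
 config BOOT_USE_TINYCRYPT
 bool
 # Hidden option
@@ -67,19 +73,67 @@ config SINGLE_APPLICATION_SLOT
 uploading a new application overwrites the one that previously
 occupied the area.
 
+config BOOT_IMG_HASH_ALG_SHA256_ALLOW
+bool
+help
+Hidden option set by configurations that allow SHA256
+
+config BOOT_IMG_HASH_ALG_SHA384_ALLOW
+bool
+help
+Hidden option set by configurations that allow SHA384
+
+config BOOT_IMG_HASH_ALG_SHA512_ALLOW
+bool
+depends on BOOT_USE_PSA_CRYPTO
+help
+Hidden option set by configurations that allow SHA512
+
+choice BOOT_IMG_HASH_ALG
+prompt "Selected image hash algorithm"
+default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW
+default BOOT_IMG_HASH_ALG_SHA384 if BOOT_IMG_HASH_ALG_SHA384_ALLOW
+default BOOT_IMG_HASH_ALG_SHA512 if BOOT_IMG_HASH_ALG_SHA512_ALLOW
+help
+Hash algorithm used for image verification. Selection
+here may be limited by other configurations, like for
+example selected cryptographic signature.
+
+config BOOT_IMG_HASH_ALG_SHA256
+bool "SHA256"
+depends on BOOT_IMG_HASH_ALG_SHA256_ALLOW
+help
+SHA256 algorithm
+
+config BOOT_IMG_HASH_ALG_SHA384
+bool "SHA384"
+depends on BOOT_IMG_HASH_ALG_SHA384_ALLOW
+help
+SHA384 algorithm
+
+config BOOT_IMG_HASH_ALG_SHA512
+bool "SHA512"
+depends on BOOT_IMG_HASH_ALG_SHA512_ALLOW
+help
+SHA512 algorithm
+
+endchoice # BOOT_IMG_HASH_ALG
+
 choice BOOT_SIGNATURE_TYPE
 prompt "Signature type"
 default BOOT_SIGNATURE_TYPE_RSA
 
 config BOOT_SIGNATURE_TYPE_NONE
 bool "No signature; use only hash check"
 select BOOT_USE_TINYCRYPT
+select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 
 config BOOT_SIGNATURE_TYPE_RSA
 bool "RSA signatures"
 select BOOT_USE_MBEDTLS
 select MBEDTLS
 select BOOT_ENCRYPTION_SUPPORT
+select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 
 if BOOT_SIGNATURE_TYPE_RSA
 config BOOT_SIGNATURE_TYPE_RSA_LEN
@@ -91,6 +145,7 @@ endif
 config BOOT_SIGNATURE_TYPE_ECDSA_P256
 bool "Elliptic curve digital signatures with curve P-256"
 select BOOT_ENCRYPTION_SUPPORT
+select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 
 if BOOT_SIGNATURE_TYPE_ECDSA_P256
 choice BOOT_ECDSA_IMPLEMENTATION
@@ -114,6 +169,7 @@ endif
 config BOOT_SIGNATURE_TYPE_ED25519
 bool "Edwards curve digital signatures using ed25519"
 select BOOT_ENCRYPTION_SUPPORT
+select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 
 if BOOT_SIGNATURE_TYPE_ED25519
 choice BOOT_ED25519_IMPLEMENTATION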
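Review bot: BOOT_USE_PSA_CRYPTO is introduced in the first hunk as a hidden option that nothing in this commit selects, yet BOOT_IMG_HASH_ALG_SHA512_ALLOW depends on it, so the SHA512 choice cannot be enabled from this Kconfig alone; and the C-side MCUBOOT_USE_PSA_CRYPTO in mcuboot_config.h is derived from CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT rather than from this symbol, so the Kconfig gate and the actual backend selection can drift apart unless one ties them together (either a `select BOOT_USE_PSA_CRYPTO` where the PSA backend is chosen, or `depends on MBEDTLS_PSA_CRYPTO_CLIENT` on the _ALLOW symbol, whichever is intended). Only BOOT_IMG_HASH_ALG_SHA256_ALLOW is selected by the signature types visible here; if a P-384 signature type exists elsewhere in this file it is presumably meant to select BOOT_IMG_HASH_ALG_SHA384_ALLOW, which should be confirmed. The help text in the first hunk has a typo; suggest `Hidden option set if using PSA crypto for cryptography functionality`.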

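--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -43,6 +43,16 @@
 #ifdef CONFIG_BOOT_USE_NRF_CC310_BL
 #define MCUBOOT_USE_NRF_CC310_BL
 #endif
+#elif defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT)
+#define MCUBOOT_USE_PSA_CRYPTO
+#endif
+
+#ifdef CONFIG_BOOT_IMG_HASH_ALG_SHA512
+#define MCUBOOT_SHA512
+#endif
+
+#ifdef CONFIG_BOOT_IMG_HASH_ALG_SHA256
+#define MCUBOOT_SHA256
 #endif
 
 /* Zephyr, regardless of C library used, provides snprintf */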
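Review bot: MCUBOOT_SHA512 is defined here purely from CONFIG_BOOT_IMG_HASH_ALG_SHA512, while MCUBOOT_USE_PSA_CRYPTO is defined from CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT; the Kconfig dependency on BOOT_USE_PSA_CRYPTO does not reach this header, and the only SHA-512 hashing routine this commit adds lives in the PSA section of sha.h, so as far as the diff shows a build with MCUBOOT_SHA512 and another backend would get IMAGE_HASH_SIZE 64 with no matching hash implementation. A compile-time check after the new block, `#if defined(MCUBOOT_SHA512) && !defined(MCUBOOT_USE_PSA_CRYPTO)` / `#error "MCUBOOT_SHA512 requires the PSA crypto backend"` / `#endif`, fails the build rather than leaving the mismatch to be discovered as a verification failure on the device. MCUBOOT_SHA256 is defined but consumed by nothing in this commit, and sha.h selects SHA-256 via its #else branch, not via this macro; a short comment such as `/* Informational only: sha.h falls back to SHA-256 when no other hash is selected */` would keep a future reader from assuming it gates anything. The #if/#elif chain that the new #elif extends begins before line 43, outside this hunk.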
