Skip to content

Commit f2b6def

Browse files
de-nordicnordicjm
de-nordic
authored and
nordicjm
committed
zephyr: Enable building ed25519 PSA variant with Zephyr
Adds Kconfig option CONFIG_BOOT_ED25519_PSA that allows to switch ed25519 to PSA backend. Signed-off-by: Dominik Ermel <[email protected]>
1 parent 615a9df commit f2b6def

File tree

3 files changed

+110
-17
lines changed

3 files changed

+110
-17
lines changed

boot/bootutil/zephyr/CMakeLists.txt

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# Copyright (c) 2020 Nordic Semiconductor ASA
1+
# Copyright (c) 2020-2025 Nordic Semiconductor ASA
22
#
33
# SPDX-License-Identifier: Apache-2.0
44

@@ -29,12 +29,18 @@ zephyr_library_link_libraries(MCUBOOT_BOOTUTIL)
2929
target_link_libraries(MCUBOOT_BOOTUTIL INTERFACE zephyr_interface)
3030

3131
if(CONFIG_BOOT_USE_TINYCRYPT)
32-
target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
33-
../../../ext/tinycrypt/lib/include
34-
)
32+
target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
33+
../../../ext/tinycrypt/lib/include
34+
)
35+
endif()
36+
37+
if(CONFIG_BOOT_USE_PSA_CRYPTO)
38+
target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
39+
${ZEPHYR_MBEDTLS_MODULE_DIR}/include
40+
)
3541
endif()
3642

37-
if(CONFIG_BOOT_USE_MBEDTLS)
43+
if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO)
3844
zephyr_link_libraries(mbedTLS)
3945
endif()
4046
endif()

boot/zephyr/CMakeLists.txt

Lines changed: 30 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# CMakeLists.txt for building mcuboot as a Zephyr project
22
#
33
# Copyright (c) 2017 Open Source Foundries Limited
4-
# Copyright (c) 2023 Nordic Semiconductor ASA
4+
# Copyright (c) 2023-2025 Nordic Semiconductor ASA
55
#
66
# SPDX-License-Identifier: Apache-2.0
77

@@ -58,6 +58,12 @@ zephyr_library_include_directories(
5858
include
5959
)
6060

61+
if(DEFINED CONFIG_MBEDTLS)
62+
zephyr_library_include_directories(
63+
${ZEPHYR_MBEDTLS_MODULE_DIR}/include
64+
)
65+
endif()
66+
6167
# Zephyr port-specific sources.
6268
zephyr_library_sources(
6369
main.c
@@ -109,6 +115,10 @@ zephyr_library_sources(
109115
${BOOT_DIR}/bootutil/src/fault_injection_hardening.c
110116
)
111117

118+
if(DEFINED CONFIG_BOOT_ENCRYPT_X25519 AND DEFINED CONFIG_BOOT_ED25519_PSA)
119+
zephyr_library_sources(${BOOT_DIR}/bootutil/src/encrypted_psa.c)
120+
endif()
121+
112122
if(DEFINED CONFIG_MEASURED_BOOT OR DEFINED CONFIG_BOOT_SHARE_DATA)
113123
zephyr_library_sources(
114124
${BOOT_DIR}/bootutil/src/boot_record.c
@@ -267,19 +277,28 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
267277
${FIAT_DIR}/include/
268278
)
269279

270-
zephyr_library_sources(
271-
${FIAT_DIR}/src/curve25519.c
272-
)
280+
if(NOT CONFIG_BOOT_ED25519_PSA)
281+
zephyr_library_sources(
282+
${FIAT_DIR}/src/curve25519.c
283+
)
284+
else()
285+
zephyr_library_sources(
286+
${MBEDTLS_ASN1_DIR}/src/asn1parse.c
287+
${BOOT_DIR}/bootutil/src/ed25519_psa.c
288+
)
289+
endif()
273290
endif()
274291

275-
if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
276-
zephyr_library_sources(
277-
${TINYCRYPT_DIR}/source/aes_encrypt.c
278-
${TINYCRYPT_DIR}/source/aes_decrypt.c
279-
${TINYCRYPT_DIR}/source/ctr_mode.c
280-
${TINYCRYPT_DIR}/source/hmac.c
281-
${TINYCRYPT_DIR}/source/ecc_dh.c
292+
if(NOT CONFIG_BOOT_ED25519_PSA)
293+
if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
294+
zephyr_library_sources(
295+
${TINYCRYPT_DIR}/source/aes_encrypt.c
296+
${TINYCRYPT_DIR}/source/aes_decrypt.c
297+
${TINYCRYPT_DIR}/source/ctr_mode.c
298+
${TINYCRYPT_DIR}/source/hmac.c
299+
${TINYCRYPT_DIR}/source/ecc_dh.c
282300
)
301+
endif()
283302
endif()
284303

285304
if(CONFIG_BOOT_ENCRYPT_EC256)

boot/zephyr/Kconfig

Lines changed: 69 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,60 @@ config BOOT_AES_MBEDTLS_DEPENDENCIES
7272

7373
endif
7474

75+
if BOOT_USE_PSA_CRYPTO
76+
77+
config BOOT_PSA_IMG_HASH_ALG_SHA256_DEPENDENCIES
78+
bool
79+
default y if BOOT_IMG_HASH_ALG_SHA256
80+
select PSA_WANT_ALG_SHA_256
81+
help
82+
Dependencies for hashing with SHA256
83+
84+
config BOOT_ED25519_PSA_DEPENDENCIES
85+
bool
86+
select PSA_WANT_ALG_SHA_256
87+
select PSA_WANT_ALG_SHA_512
88+
select PSA_WANT_ALG_PURE_EDDSA
89+
# Seems that upstream mbedTLS does not have TE
90+
#select PSA_WANT_ECC_TWISTED_EDWARDS_255
91+
select PSA_WANT_ECC_MONTGOMERY_255
92+
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
93+
help
94+
Dependencies for ed25519 signature
95+
96+
if BOOT_ENCRYPT_IMAGE
97+
98+
config BOOT_X25519_PSA_DEPENDENCIES
99+
bool
100+
select PSA_WANT_ALG_ECDH
101+
select PSA_WANT_ALG_HMAC
102+
select PSA_WANT_ALG_HKDF
103+
select PSA_WANT_ALG_CTR
104+
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
105+
select PSA_WANT_KEY_TYPE_DERIVE
106+
select PSA_WANT_KEY_TYPE_AES
107+
select PSA_WANT_ECC_MONTGOMERY_255
108+
help
109+
Dependencies for x25519 shared-random key encryption and AES
110+
encryption. The PSA_WANT_ALG_CTR and PSA_WANT_KEY_TYPE_AES
111+
enable Counter based block cipher and AES key, and algorithm support,
112+
to use with it; the others are used for shared key decryption
113+
and derivation.
114+
115+
endif # BOOT_ENCRYPT_IMAGE
116+
117+
if MBEDTLS_ENABLE_HEAP
118+
119+
config MBEDTLS_HEAP_SIZE
120+
default 2048 if BOOT_USE_PSA_CRYPTO
121+
help
122+
The PSA internals need to be able to allocate memory for operation
123+
and it uses mbedTLS heap for that.
124+
125+
endif # MBEDTLS_ENABLE_HEAP
126+
127+
endif # BOOT_USE_PSA_CRYPTO
128+
75129
menu "MCUBoot settings"
76130

77131
config SINGLE_APPLICATION_SLOT
@@ -153,6 +207,7 @@ config BOOT_SIGNATURE_TYPE_PURE_ALLOW
153207

154208
choice BOOT_SIGNATURE_TYPE
155209
prompt "Signature type"
210+
default BOOT_SIGNATURE_TYPE_ED25519 if SOC_NRF54L15_CPUAPP
156211
default BOOT_SIGNATURE_TYPE_RSA
157212

158213
config BOOT_SIGNATURE_TYPE_NONE
@@ -228,17 +283,30 @@ config BOOT_SIGNATURE_TYPE_PURE
228283
choice BOOT_ED25519_IMPLEMENTATION
229284
prompt "Ecdsa implementation"
230285
default BOOT_ED25519_TINYCRYPT
286+
231287
config BOOT_ED25519_TINYCRYPT
232288
bool "Use tinycrypt"
233289
select BOOT_USE_TINYCRYPT
234290
select BOOT_IMG_HASH_ALG_SHA512_ALLOW
291+
235292
config BOOT_ED25519_MBEDTLS
236293
bool "Use mbedTLS"
237294
select BOOT_USE_MBEDTLS
238295
select MBEDTLS
239296
select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
240297
select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
241298

299+
config BOOT_ED25519_PSA
300+
bool "Use PSA crypto"
301+
select MBEDTLS
302+
select BOOT_USE_PSA_CRYPTO
303+
select MBEDTLS_PSA_CRYPTO_C
304+
select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
305+
select PSA_CRYPTO_CLIENT
306+
select PSA_CRYPTO_C
307+
select BOOT_ED25519_PSA_DEPENDENCIES
308+
select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE
309+
242310
endchoice
243311
endif
244312

@@ -286,7 +354,7 @@ config MCUBOOT_CLEANUP_RAM
286354
if MBEDTLS
287355

288356
config MBEDTLS_CFG_FILE
289-
default "config-tls-generic.h" if MBEDTLS_BUILTIN
357+
default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO
290358
default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS
291359

292360
endif

0 commit comments

Comments
 (0)