@@ -137,6 +137,14 @@ config BOOT_IMG_HASH_ALG_SHA512
137137
138138endchoice # BOOT_IMG_HASH_ALG
139139
140+ config BOOT_SIGNATURE_TYPE_PURE_ALLOW
141+ bool
142+ help
143+ Hidden option set by configurations that allow Pure variant,
144+ for example ed25519. The pure variant means that image
145+ signature is calculated over entire image instead of hash
146+ of an image.
147+
140148choice BOOT_SIGNATURE_TYPE
141149 prompt "Signature type"
142150 default BOOT_SIGNATURE_TYPE_RSA
@@ -188,10 +196,28 @@ endif
188196
189197config BOOT_SIGNATURE_TYPE_ED25519
190198 bool "Edwards curve digital signatures using ed25519"
191- select BOOT_ENCRYPTION_SUPPORT
192- select BOOT_IMG_HASH_ALG_SHA256_ALLOW
199+ select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE
200+ select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE
201+ # The SHA is used only for key hashing, not for images.
202+ select BOOT_SIGNATURE_TYPE_PURE_ALLOW
203+ help
204+ This is ed25519 signature calculated over SHA512 of SHA256 of application
205+ image.
206+ To check signature over entire image directly, rather than hash,
207+ select BOOT_SIGNATURE_TYPE_PURE.
193208
194209if BOOT_SIGNATURE_TYPE_ED25519
210+
211+ config BOOT_SIGNATURE_TYPE_PURE
212+ bool "Use Pure signature of image"
213+ depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW
214+ help
215+ The Pure signature is calculated directly over image rather than
216+ hash of an image, as the BOOT_SIGNATURE_TYPE_ED25519 does by
217+ default.
218+ Image to be verified needs to be accessible through memory address
219+ space that cryptography functions can access via pointers.
220+
195221choice BOOT_ED25519_IMPLEMENTATION
196222 prompt "Ecdsa implementation"
197223 default BOOT_ED25519_TINYCRYPT
0 commit comments