Skip to content

Commit 2ff8e8e

Browse files
de-nordicnvlsianpu
de-nordic
authored and
nvlsianpu
committed
[nrf fromtree] zephyr: Enable building ed25519 PSA variant with Zephyr
Adds Kconfig option CONFIG_BOOT_ED25519_PSA that allows to switch ed25519 to PSA backend. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit f2b6def)
1 parent 6938931 commit 2ff8e8e

File tree

3 files changed

+110
-17
lines changed

3 files changed

+110
-17
lines changed

boot/bootutil/zephyr/CMakeLists.txt

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# Copyright (c) 2020 Nordic Semiconductor ASA
1+
# Copyright (c) 2020-2025 Nordic Semiconductor ASA
22
#
33
# SPDX-License-Identifier: Apache-2.0
44

@@ -29,12 +29,18 @@ zephyr_library_link_libraries(MCUBOOT_BOOTUTIL)
2929
target_link_libraries(MCUBOOT_BOOTUTIL INTERFACE zephyr_interface)
3030

3131
if(CONFIG_BOOT_USE_TINYCRYPT)
32-
target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
33-
../../../ext/tinycrypt/lib/include
34-
)
32+
target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
33+
../../../ext/tinycrypt/lib/include
34+
)
35+
endif()
36+
37+
if(CONFIG_BOOT_USE_PSA_CRYPTO)
38+
target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
39+
${ZEPHYR_MBEDTLS_MODULE_DIR}/include
40+
)
3541
endif()
3642

37-
if(CONFIG_BOOT_USE_MBEDTLS)
43+
if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO)
3844
zephyr_link_libraries(mbedTLS)
3945
endif()
4046
endif()

boot/zephyr/CMakeLists.txt

Lines changed: 30 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# CMakeLists.txt for building mcuboot as a Zephyr project
22
#
33
# Copyright (c) 2017 Open Source Foundries Limited
4-
# Copyright (c) 2023 Nordic Semiconductor ASA
4+
# Copyright (c) 2023-2025 Nordic Semiconductor ASA
55
#
66
# SPDX-License-Identifier: Apache-2.0
77

@@ -50,6 +50,12 @@ zephyr_library_include_directories(
5050
include
5151
)
5252

53+
if(DEFINED CONFIG_MBEDTLS)
54+
zephyr_library_include_directories(
55+
${ZEPHYR_MBEDTLS_MODULE_DIR}/include
56+
)
57+
endif()
58+
5359
# Zephyr port-specific sources.
5460
zephyr_library_sources(
5561
main.c
@@ -101,6 +107,10 @@ zephyr_library_sources(
101107
${BOOT_DIR}/bootutil/src/fault_injection_hardening.c
102108
)
103109

110+
if(DEFINED CONFIG_BOOT_ENCRYPT_X25519 AND DEFINED CONFIG_BOOT_ED25519_PSA)
111+
zephyr_library_sources(${BOOT_DIR}/bootutil/src/encrypted_psa.c)
112+
endif()
113+
104114
if(DEFINED CONFIG_MEASURED_BOOT OR DEFINED CONFIG_BOOT_SHARE_DATA)
105115
zephyr_library_sources(
106116
${BOOT_DIR}/bootutil/src/boot_record.c
@@ -249,19 +259,28 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
249259
${FIAT_DIR}/include/
250260
)
251261

252-
zephyr_library_sources(
253-
${FIAT_DIR}/src/curve25519.c
254-
)
262+
if(NOT CONFIG_BOOT_ED25519_PSA)
263+
zephyr_library_sources(
264+
${FIAT_DIR}/src/curve25519.c
265+
)
266+
else()
267+
zephyr_library_sources(
268+
${MBEDTLS_ASN1_DIR}/src/asn1parse.c
269+
${BOOT_DIR}/bootutil/src/ed25519_psa.c
270+
)
271+
endif()
255272
endif()
256273

257-
if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
258-
zephyr_library_sources(
259-
${TINYCRYPT_DIR}/source/aes_encrypt.c
260-
${TINYCRYPT_DIR}/source/aes_decrypt.c
261-
${TINYCRYPT_DIR}/source/ctr_mode.c
262-
${TINYCRYPT_DIR}/source/hmac.c
263-
${TINYCRYPT_DIR}/source/ecc_dh.c
274+
if(NOT CONFIG_BOOT_ED25519_PSA)
275+
if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
276+
zephyr_library_sources(
277+
${TINYCRYPT_DIR}/source/aes_encrypt.c
278+
${TINYCRYPT_DIR}/source/aes_decrypt.c
279+
${TINYCRYPT_DIR}/source/ctr_mode.c
280+
${TINYCRYPT_DIR}/source/hmac.c
281+
${TINYCRYPT_DIR}/source/ecc_dh.c
264282
)
283+
endif()
265284
endif()
266285

267286
if(CONFIG_BOOT_ENCRYPT_EC256)

boot/zephyr/Kconfig

Lines changed: 69 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -75,6 +75,60 @@ config BOOT_AES_MBEDTLS_DEPENDENCIES
7575

7676
endif
7777

78+
if BOOT_USE_PSA_CRYPTO
79+
80+
config BOOT_PSA_IMG_HASH_ALG_SHA256_DEPENDENCIES
81+
bool
82+
default y if BOOT_IMG_HASH_ALG_SHA256
83+
select PSA_WANT_ALG_SHA_256
84+
help
85+
Dependencies for hashing with SHA256
86+
87+
config BOOT_ED25519_PSA_DEPENDENCIES
88+
bool
89+
select PSA_WANT_ALG_SHA_256
90+
select PSA_WANT_ALG_SHA_512
91+
select PSA_WANT_ALG_PURE_EDDSA
92+
# Seems that upstream mbedTLS does not have TE
93+
#select PSA_WANT_ECC_TWISTED_EDWARDS_255
94+
select PSA_WANT_ECC_MONTGOMERY_255
95+
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
96+
help
97+
Dependencies for ed25519 signature
98+
99+
if BOOT_ENCRYPT_IMAGE
100+
101+
config BOOT_X25519_PSA_DEPENDENCIES
102+
bool
103+
select PSA_WANT_ALG_ECDH
104+
select PSA_WANT_ALG_HMAC
105+
select PSA_WANT_ALG_HKDF
106+
select PSA_WANT_ALG_CTR
107+
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
108+
select PSA_WANT_KEY_TYPE_DERIVE
109+
select PSA_WANT_KEY_TYPE_AES
110+
select PSA_WANT_ECC_MONTGOMERY_255
111+
help
112+
Dependencies for x25519 shared-random key encryption and AES
113+
encryption. The PSA_WANT_ALG_CTR and PSA_WANT_KEY_TYPE_AES
114+
enable Counter based block cipher and AES key, and algorithm support,
115+
to use with it; the others are used for shared key decryption
116+
and derivation.
117+
118+
endif # BOOT_ENCRYPT_IMAGE
119+
120+
if MBEDTLS_ENABLE_HEAP
121+
122+
config MBEDTLS_HEAP_SIZE
123+
default 2048 if BOOT_USE_PSA_CRYPTO
124+
help
125+
The PSA internals need to be able to allocate memory for operation
126+
and it uses mbedTLS heap for that.
127+
128+
endif # MBEDTLS_ENABLE_HEAP
129+
130+
endif # BOOT_USE_PSA_CRYPTO
131+
78132
menu "MCUBoot settings"
79133

80134
config SINGLE_APPLICATION_SLOT
@@ -156,6 +210,7 @@ config BOOT_SIGNATURE_TYPE_PURE_ALLOW
156210

157211
choice BOOT_SIGNATURE_TYPE
158212
prompt "Signature type"
213+
default BOOT_SIGNATURE_TYPE_ED25519 if SOC_NRF54L15_CPUAPP
159214
default BOOT_SIGNATURE_TYPE_RSA
160215

161216
config BOOT_SIGNATURE_TYPE_NONE
@@ -231,17 +286,30 @@ config BOOT_SIGNATURE_TYPE_PURE
231286
choice BOOT_ED25519_IMPLEMENTATION
232287
prompt "Ecdsa implementation"
233288
default BOOT_ED25519_TINYCRYPT
289+
234290
config BOOT_ED25519_TINYCRYPT
235291
bool "Use tinycrypt"
236292
select BOOT_USE_TINYCRYPT
237293
select BOOT_IMG_HASH_ALG_SHA512_ALLOW
294+
238295
config BOOT_ED25519_MBEDTLS
239296
bool "Use mbedTLS"
240297
select BOOT_USE_MBEDTLS
241298
select MBEDTLS
242299
select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
243300
select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
244301

302+
config BOOT_ED25519_PSA
303+
bool "Use PSA crypto"
304+
select MBEDTLS
305+
select BOOT_USE_PSA_CRYPTO
306+
select MBEDTLS_PSA_CRYPTO_C
307+
select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
308+
select PSA_CRYPTO_CLIENT
309+
select PSA_CRYPTO_C
310+
select BOOT_ED25519_PSA_DEPENDENCIES
311+
select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE
312+
245313
endchoice
246314
endif
247315

@@ -289,7 +357,7 @@ config MCUBOOT_CLEANUP_RAM
289357
if MBEDTLS
290358

291359
config MBEDTLS_CFG_FILE
292-
default "config-tls-generic.h" if MBEDTLS_BUILTIN
360+
default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO
293361
default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS
294362

295363
endif

0 commit comments

Comments
 (0)