Revert "[nrf noup] Added BOOT_SIGNATURE_USING_ITS for ecdsa configuration"

This reverts commit d69621e.

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

boot/bootutil/include/bootutil/crypto/ecdsa.h

@@ -473,7 +473,6 @@ static int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
 }
 #endif /* !MCUBOOT_BUILTIN_KEY */
 
-#if !defined(CONFIG_NRF_BOOT_SIGNATURE_USING_ITS)
 /* Verify the signature against the provided hash. The signature gets parsed from
  * the encoding first, then PSA Crypto has a dedicated API for ECDSA verification
  */
@@ -492,55 +491,6 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
     return (int) psa_verify_hash(ctx->key_id, PSA_ALG_ECDSA(ctx->required_algorithm),
                                  hash, hlen, reformatted_signature, 2*ctx->curve_byte_count);
 }
-#else /* !CONFIG_NRF_BOOT_SIGNATURE_USING_ITS */
-
-static const psa_key_id_t builtin_key_ids[] =  {
-    0x40022100,
-    0x40022101,
-    0x40022102,
-    0x40022103
-};
-
-#define BOOT_SIGNATURE_BUILTIN_KEY_SLOTS ARRAY_SIZE(builtin_key_ids)
-
-static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
-                                        uint8_t *pk, size_t pk_len,
-                                        uint8_t *hash, size_t hlen,
-                                        uint8_t *sig, size_t slen)
-{
-    (void)pk;
-    (void)pk_len;
-    (void)slen;
-    psa_status_t status = PSA_ERROR_BAD_STATE;
-
-    /* Initialize PSA Crypto */
-    status = psa_crypto_init();
-    if (status != PSA_SUCCESS) {
-        BOOT_LOG_ERR("PSA crypto init failed %d", status);
-        return 1;
-    }
-
-    uint8_t reformatted_signature[96] = {0}; /* Enough for P-384 signature sizes */
-    parse_signature_from_rfc5480_encoding(sig, ctx->curve_byte_count, reformatted_signature);
-
-    status = PSA_ERROR_BAD_STATE;
-
-    for (int i = 0; i < BOOT_SIGNATURE_BUILTIN_KEY_SLOTS; ++i) {
-        psa_key_id_t kid = builtin_key_ids[i];
-
-        status = psa_verify_hash(kid, PSA_ALG_ECDSA(ctx->required_algorithm),
-                                 hash, hlen, reformatted_signature, 2*ctx->curve_byte_count);
-        if (status == PSA_SUCCESS) {
-            break;
-        }
-        BOOT_LOG_ERR("ECDSA signature verification failed %d", status);
-    }
-
-    return status == PSA_SUCCESS ? 0 : 2;
-}
-
-#endif /* !CONFIG_NRF_BOOT_SIGNATURE_USING_ITS */
-
 #elif defined(MCUBOOT_USE_MBED_TLS)
 
 typedef mbedtls_ecdsa_context bootutil_ecdsa_context;

boot/bootutil/src/image_validate.c

@@ -514,8 +514,7 @@ bootutil_img_validate(struct boot_loader_state *state,
 #endif
                      )
 {
-#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) || defined(MCUBOOT_DECOMPRESS_IMAGES) \
-    || defined(MCUBOOT_BUILTIN_KEY)
+#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) || defined(MCUBOOT_DECOMPRESS_IMAGES)
     int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state));
 #endif
     uint32_t off;

boot/zephyr/Kconfig

@@ -422,14 +422,7 @@ config BOOT_KMU_KEYS_REVOCATION
 	help
 	  Enabling KMU key revocation backend.
 
-config NRF_BOOT_SIGNATURE_USING_ITS
-	bool "Use ITS stored keys for signature verification"
-	depends on NRF_SECURITY
-	help
-	  MCUboot will use keys provisioned to the internal trusted storage for signature
-	  verification instead of compiling in key data from a file.
-
-if !BOOT_SIGNATURE_USING_KMU && !NRF_BOOT_SIGNATURE_USING_ITS
+if !BOOT_SIGNATURE_USING_KMU
 
 config BOOT_SIGNATURE_KEY_FILE
 	string "PEM key file"

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -68,10 +68,6 @@
 #define MCUBOOT_HW_KEY
 #endif
 
-#ifdef CONFIG_NRF_BOOT_SIGNATURE_USING_ITS
-#define MCUBOOT_BUILTIN_KEY
-#endif
-
 #ifdef CONFIG_BOOT_VALIDATE_SLOT0
 #define MCUBOOT_VALIDATE_PRIMARY_SLOT
 #endif