
Commit c0a81fd

nordicjmeivindj-nordic
authored andcommitted
sysbuild: Add support for MCUboot hashing algorithm
Allows selecting which hashing algorithm is used, and propagates this information to images. Uses SHA512 by default with ed25519.

Signed-off-by: Jamie McCrae <[email protected]>
1 parent 6e11201 commit c0a81fd


4 files changed

+56
-0
lines changed


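--- a/cmake/image_signing_softdevice.cmake
+++ b/cmake/image_signing_softdevice.cmake
@@ -52,6 +52,13 @@ function(softdevice_tasks output_hex output_bin)
 # set(imgtool_args --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})
 # endif()
 
+# Set proper hash calculation algorithm for signing
+if(CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+set(imgtool_args --pure ${imgtool_args})
+elseif(CONFIG_BOOT_IMG_HASH_ALG_SHA512)
+set(imgtool_args --sha 512 ${imgtool_args})
+endif()
+
 if(NOT "${keyfile}" STREQUAL "")
 set(imgtool_args -k "${keyfile}" ${imgtool_args})
 endif()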
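Review bot: The new branch in `softdevice_tasks` tests `CONFIG_BOOT_SIGNATURE_TYPE_PURE` and `CONFIG_BOOT_IMG_HASH_ALG_SHA512`, which this same commit sets only on the `mcuboot` image, while the default and firmware-loader images receive `CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE` and `CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512`. If this script is evaluated in the Kconfig scope of the image being signed rather than MCUboot's (not visible from the hunk), neither condition would ever be true, imgtool would run without `--pure` or `--sha 512`, and the image would carry a hash or signature format MCUboot was not configured to verify. Either test the symbols propagated to that image, e.g. `if(CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)` / `elseif(CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512)`, or add a comment naming the image whose Kconfig is read here. The function body starts and ends outside the hunk.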

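--- a/cmake/sysbuild/image_signing_installer.cmake
+++ b/cmake/sysbuild/image_signing_installer.cmake
@@ -68,6 +68,13 @@ function(bm_install_tasks output_hex output_bin)
 # set(imgtool_args --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})
 # endif()
 
+# Set proper hash calculation algorithm for signing
+if(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
+set(imgtool_args --pure ${imgtool_args})
+elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA512)
+set(imgtool_args --sha 512 ${imgtool_args})
+endif()
+
 if(NOT "${keyfile}" STREQUAL "")
 set(imgtool_args -k "${keyfile}" ${imgtool_args})
 endif()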
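Review bot: The SHA256 choice has no branch here: when neither `SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE` nor `SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA512` is set, `imgtool_args` is left untouched and the hash used for signing is whatever imgtool selects on its own. That is presumably SHA-256 for the key types in use, but the dependency is silent, whereas the verifier side is pinned explicitly in `sysbuild/CMakeLists.txt`. I would at least record it above the `if`: `# SHA256 needs no flag: imgtool's default is relied on for that case`; the same comment applies to the matching block in `cmake/image_signing_softdevice.cmake`. `bm_install_tasks` continues outside the hunk.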

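--- a/sysbuild/CMakeLists.txt
+++ b/sysbuild/CMakeLists.txt
@@ -26,6 +26,30 @@ function(bm_install_setup)
 # Enable LTO on MCUboot image
 add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/lto.conf)
 
+# Set up hash algorithm for MCUboot and images
+if(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA256)
+set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA512)
+set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
+set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+endif()
+
 if(SB_CONFIG_SOC_SERIES_NRF54LX)
 if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_NONE)
 set_config_bool(mcuboot CONFIG_NRF_SECURITY y)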
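Review bot: The three branches repeat the same six `set_config_bool` calls with only the `y`/`n` values changed, so the MCUboot setting and the two image settings can drift apart in a later edit; a mismatch there means images are signed in a format the bootloader does not verify. Deriving the two values once and applying them in a loop keeps bootloader and images in lock-step, and the `foreach` also skips `${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME}` when it expands to nothing, which the committed calls do not guard against (whether it can be empty here is not visible from the hunk). Note that the version below writes `n` for both symbols even when none of the three choice symbols is set, where the committed code writes nothing. `bm_install_setup` starts and ends outside the hunk.

```cmake
# Set up hash algorithm for MCUboot and images
set(hash_pure n)
set(hash_sha512 n)
if(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA512)
  set(hash_sha512 y)
elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
  set(hash_pure y)
endif()

# Bootloader and every image it verifies must agree on the scheme
set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE ${hash_pure})
set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 ${hash_sha512})
foreach(image ${DEFAULT_IMAGE} ${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME})
  set_config_bool(${image} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE ${hash_pure})
  set_config_bool(${image} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 ${hash_sha512})
endforeach()

# … unchanged: SB_CONFIG_SOC_SERIES_NRF54LX handling …
```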

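--- a/sysbuild/Kconfig.bm
+++ b/sysbuild/Kconfig.bm
@@ -67,6 +67,24 @@ config BM_BOOTLOADER_MCUBOOT_FIRMWARE_LOADER_ENTRANCE_BOOT_MODE
 
 endmenu
 
+choice BM_BOOTLOADER_MCUBOOT_IMG_HASH_ALG
+prompt "Hashing algorithm"
+default BM_BOOT_IMG_HASH_ALG_SHA512 if BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 && SOC_SERIES_NRF54LX
+default BM_BOOT_IMG_HASH_ALG_SHA256
+
+config BM_BOOT_IMG_HASH_ALG_SHA256
+bool "SHA256"
+
+config BM_BOOT_IMG_HASH_ALG_SHA512
+bool "SHA512"
+depends on SOC_SERIES_NRF54LX
+
+config BM_BOOT_IMG_HASH_ALG_PURE
+bool "Pure (hash of data directly without hash)"
+depends on BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 && SOC_SERIES_NRF54LX
+
+endchoice
+
 endmenu
 
 endif # BM_BOOTLOADER_MCUBOOT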
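Review bot: The prompt `"Pure (hash of data directly without hash)"` contradicts itself, and neither the choice nor any of its three options carries `help`, so a user picking the image-integrity scheme in menuconfig gets no description of what is being selected. In pure mode it is the signature that is computed over the image data directly, so I would word it `bool "Pure (signature over image data directly, no intermediate hash)"`. A short `help` on the choice should state that the selection is applied to MCUboot, the default image and the firmware loader image, and that SHA512 and pure are offered only on `SOC_SERIES_NRF54LX` (pure additionally only with ED25519), as the `depends on` lines say.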
