sysbuild/mcuboot: ed25519 pure signature integration

Added integration of signing image with the pure signature:
- New SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE switch for enabling pure
signature.
- enforced sha512 for ed25519 on nRF54l target
- requests pure signature from imgtool.py

Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit cfded62)

Author: nvlsianpu

cmake/sysbuild/image_signing.cmake

@@ -57,7 +57,9 @@ function(zephyr_mcuboot_tasks)
   # back on mcuboot/scripts/imgtool.py. We exclude the system imgtool when
   # compressed image support is enabled due to needing a version of imgtool
   # that has features not in the most recent public release.
-  if(IMGTOOL AND NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED)
+  if(IMGTOOL AND
+     (NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED AND
+      NOT (CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)))
     set(imgtool_path "${IMGTOOL}")
   elseif(DEFINED ZEPHYR_MCUBOOT_MODULE_DIR)
     set(IMGTOOL_PY "${ZEPHYR_MCUBOOT_MODULE_DIR}/scripts/imgtool.py")
@@ -120,6 +122,14 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_hex_extra)
   endif()
 
+  if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
+    if(NOT CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+      set(imgtool_extra --sha 512 ${imgtool_extra})
+    else()
+      set(imgtool_extra --pure ${imgtool_extra})
+    endif()
+  endif()
+
   if(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
     set(imgtool_extra --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE} ${imgtool_extra})
   endif()

subsys/bootloader/Kconfig

@@ -243,4 +243,14 @@ config MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED
 	help
 	  This is a Kconfig which is informative only, the value should not be changed.
 
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519
+	bool "Use ED25519 signature"
+	help
+	  This is a Kconfig which is informative only, the value should not be changed.
+
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
+	bool "Signature is verified over an image rather than sha of an image"
+	help
+	  This is a Kconfig which is informative only, the value should not be changed.
+
 endmenu

sysbuild/CMakeLists.txt

@@ -229,12 +229,22 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
     # The NRF54LX goes with PSA crypto by default
     if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
       set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+      set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+      set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
 
       if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
       else()
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
       endif()
+
+      if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+      else()
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+      endif()
     endif()
 
     # A v1 board doesn't define board qualifiers, thus below test will just test the pure board

sysbuild/Kconfig.mcuboot

@@ -147,6 +147,16 @@ config MCUBOOT_FPROTECT_ALLOW_COMBINED_REGIONS
 	default y
 	depends on SOC_SERIES_NRF54LX && !SECURE_BOOT_APPCORE
 
+config BOOT_SIGNATURE_TYPE_PURE
+	bool "Verify signature directly over image"
+	depends on SOC_SERIES_NRF54LX
+	depends on BOOT_SIGNATURE_TYPE_ED25519
+	help
+	  The image signature will be verified over image rather than
+	  hash of an image.
+	  This option is currently only supported with ED25519 and configurations
+	  where both image slots are within internal SoC device storage.
+
 config MCUBOOT_SIGNATURE_USING_KMU
 	bool "Use KMU stored keys for signature verification"
 	depends on SOC_SERIES_NRF54LX