From 23347f490ddb1740c4f1866c5ae8c9440d935e2d Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Wed, 9 Oct 2024 14:34:19 +0000
Subject: [PATCH 1/3] sysbuild: MCUboot with ED25519 and KMU via PSA support
The commit will enforce building nrf54l15 with PSA enabled ED25519, with CONFIG_NRF_SECURITY=y. The commit adds SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU that allows to build MCUboot for signature verification via KMU instead of compiled in keys.
Signed-off-by: Dominik Ermel
---
 sysbuild/CMakeLists.txt | 11 +++++++++++
 sysbuild/Kconfig.mcuboot | 7 +++++++
 2 files changed, 18 insertions(+)
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
index bc1ec1621f6b..2275b62579ec 100644
--- a/sysbuild/CMakeLists.txt
+++ b/sysbuild/CMakeLists.txt
@@ -226,6 +226,17 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 endif()
 endforeach()
+ # The NRF54LX goes with PSA crypto by default
+ if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+ set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+
+ if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+ else()
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+ endif()
+ endif()
+
 # A v1 board doesn't define board qualifiers, thus below test will just test the pure board
 # name for a v1 board. A v2 board will match against the board qualifier.
 if("${BOARD}${BOARD_QUALIFIERS}" MATCHES "(_|/)ns$")
diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot
index f45915616f1e..b6d1bd5f2091 100644
--- a/sysbuild/Kconfig.mcuboot
+++ b/sysbuild/Kconfig.mcuboot
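Review bot: The comment `# The NRF54LX goes with PSA crypto by default` understates what the block does — it unconditionally writes `CONFIG_NRF_SECURITY=y` into the mcuboot image whenever ED25519 is selected on nRF54L, which the commit message itself calls enforcing, so this is a forced setting rather than a default (whether a user's mcuboot.conf can still override it depends on set_config_bool precedence, which is not visible here). I would reword it to `# nRF54L + ED25519 is always built with PSA crypto (CONFIG_NRF_SECURITY=y); KMU-backed keys are opt-in via SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU`. The explicit `n` branch for CONFIG_BOOT_SIGNATURE_USING_KMU is the right shape, since it makes the sysbuild option the single source of truth for the key source. The enclosing pre_cmake function starts and ends outside the hunk.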
@@ -147,6 +147,13 @@ config MCUBOOT_FPROTECT_ALLOW_COMBINED_REGIONS
 default y
 depends on SOC_SERIES_NRF54LX && !SECURE_BOOT_APPCORE
+config MCUBOOT_SIGNATURE_USING_KMU
+ bool "Use KMU stored keys for signature verification"
+ depends on SOC_SERIES_NRF54LX
+ depends on BOOT_SIGNATURE_TYPE_ED25519
+ help
+ The device needs to be provisioned with proper set of keys.
+
 endif
 config MCUBOOT_USE_ALL_AVAILABLE_RAM
From 42ab56f896be08a226763e0e8236871ca9ff80b6 Mon Sep 17 00:00:00 2001
From: Andrzej Puzdrowski
Date: Mon, 4 Nov 2024 16:00:39 +0100
Subject: [PATCH 2/3] sysbuild/mcuboot: ed25519 pure signature integration
Added integration of signing image with the pure signature:
- New SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE switch for enabling pure signature.
- enforced sha512 for ed25519 on nRF54l target
- requests pure signature from imgtool.py
Signed-off-by: Andrzej Puzdrowski
Signed-off-by: Dominik Ermel
---
 cmake/sysbuild/image_signing.cmake | 12 +++++++++++-
 subsys/bootloader/Kconfig | 10 ++++++++++
 sysbuild/CMakeLists.txt | 10 ++++++++++
 sysbuild/Kconfig.mcuboot | 10 ++++++++++
 4 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/cmake/sysbuild/image_signing.cmake b/cmake/sysbuild/image_signing.cmake
index 9ab1e3085712..f85fe5d513fc 100644
--- a/cmake/sysbuild/image_signing.cmake
+++ b/cmake/sysbuild/image_signing.cmake
@@ -57,7 +57,9 @@ function(zephyr_mcuboot_tasks)
 # back on mcuboot/scripts/imgtool.py. We exclude the system imgtool when
 # compressed image support is enabled due to needing a version of imgtool
 # that has features not in the most recent public release.
- if(IMGTOOL AND NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED)
+ if(IMGTOOL AND
+ (NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED AND
+ NOT (CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)))
 set(imgtool_path "${IMGTOOL}")
 elseif(DEFINED ZEPHYR_MCUBOOT_MODULE_DIR)
 set(IMGTOOL_PY "${ZEPHYR_MCUBOOT_MODULE_DIR}/scripts/imgtool.py")
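Review bot: The help text `The device needs to be provisioned with proper set of keys.` leaves out what the option changes and what a mis-provisioned device looks like, which is exactly what an integrator needs before switching the secure-boot key source. Based on the commit message and the CMakeLists hunk in this patch, I would expand it to say that MCUboot is built with CONFIG_BOOT_SIGNATURE_USING_KMU and verifies image signatures against ED25519 keys stored in the KMU instead of keys compiled into the bootloader, and that a device whose KMU has not been provisioned with the matching public key presumably cannot boot any image — confirm that and state it explicitly. The prompt `"Use KMU stored keys for signature verification"` is fine as written.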
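Review bot: The comment above the condition (`We exclude the system imgtool when compressed image support is enabled ...`) is now incomplete: the new condition also falls back to the in-tree imgtool.py for nRF54L with ED25519, and nothing says why. I would add a line after it such as `# The same applies to nRF54L ED25519 images, which need --sha 512 / --pure support from imgtool.py.` (those are the flags the later hunk in this file passes; that a released imgtool lacks them is inferred from the commit, so confirm before stating it). The `NOT (... AND ...)` nested inside another `AND` group is correct but hard to scan; two separately commented exclusions would help the next reader. zephyr_mcuboot_tasks begins and ends outside the hunk.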
@@ -120,6 +122,14 @@ function(zephyr_mcuboot_tasks)
 set(imgtool_hex_extra)
 endif()
+ if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
+ if(NOT CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+ set(imgtool_extra --sha 512 ${imgtool_extra})
+ else()
+ set(imgtool_extra --pure ${imgtool_extra})
+ endif()
+ endif()
+
 if(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
 set(imgtool_extra --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE} ${imgtool_extra})
 endif()
diff --git a/subsys/bootloader/Kconfig b/subsys/bootloader/Kconfig
index 1d2948fe5c32..9176bed0c492 100644
--- a/subsys/bootloader/Kconfig
+++ b/subsys/bootloader/Kconfig
@@ -243,4 +243,14 @@ config MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED
 help
 This is a Kconfig which is informative only, the value should not be changed.
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519
+ bool "Use ED25519 signature"
+ help
+ This is a Kconfig which is informative only, the value should not be changed.
+
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
+ bool "Signature is verified over an image rather than sha of an image"
+ help
+ This is a Kconfig which is informative only, the value should not be changed.
+
 endmenu
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
index 2275b62579ec..42f841986f13 100644
--- a/sysbuild/CMakeLists.txt
+++ b/sysbuild/CMakeLists.txt
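Review bot: The `--pure` branch passes no `--sha`, while the sysbuild CMakeLists hunk in this same patch sets `CONFIG_BOOT_IMG_HASH_ALG_SHA512=y` in MCUboot regardless of SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE; whether MCUboot's pure-signature path still expects a matching hash TLV or ignores the hash entirely is not visible here, so confirm the pairing and record it in a comment on the block (`# pure: signature over the image itself, no hash TLV; otherwise the nRF54L MCUboot build expects a SHA-512 hash` or whatever turns out to be true). Style: the negated test reads backwards; `if(CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)` with the `--pure` line first and `--sha 512` in the `else()` says the same thing without the `NOT`. This block and the imgtool-selection condition earlier in the file gate on the same `CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519` pair and must stay in sync, which a shared comment on both would make explicit. zephyr_mcuboot_tasks starts and ends outside the hunk.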
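Review bot: `MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE` has no dependency on `MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519`, whereas the sysbuild-side `BOOT_SIGNATURE_TYPE_PURE` added in the same patch does `depends on BOOT_SIGNATURE_TYPE_ED25519`; adding `depends on MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519` keeps the two symbol sets consistent. There is no functional gap in this series, since image_signing.cmake only emits `--pure` inside its ED25519 check, but a stray `CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE=y` in an application prj.conf is currently accepted without any warning. The help lines could also name who sets these symbols (sysbuild, from the matching SB_CONFIG_ options) so a reader knows where the value actually comes from.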
@@ -229,12 +229,22 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 # The NRF54LX goes with PSA crypto by default
 if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
 set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+ set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+ set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
 if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
 set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
 else()
 set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
 endif()
+
+ if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+ set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+ else()
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+ set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+ endif()
 endif()
 # A v1 board doesn't define board qualifiers, thus below test will just test the pure board
diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot
index b6d1bd5f2091..b72c2043b69d 100644
--- a/sysbuild/Kconfig.mcuboot
+++ b/sysbuild/Kconfig.mcuboot
@@ -147,6 +147,16 @@ config MCUBOOT_FPROTECT_ALLOW_COMBINED_REGIONS
 default y
 depends on SOC_SERIES_NRF54LX && !SECURE_BOOT_APPCORE
+config BOOT_SIGNATURE_TYPE_PURE
+ bool "Verify signature directly over image"
+ depends on SOC_SERIES_NRF54LX
+ depends on BOOT_SIGNATURE_TYPE_ED25519
+ help
+ The image signature will be verified over image rather than
+ hash of an image.
+ This option is currently only supported with ED25519 and configurations
+ where both image slots are within internal SoC device storage.
+
 config MCUBOOT_SIGNATURE_USING_KMU
 bool "Use KMU stored keys for signature verification"
 depends on SOC_SERIES_NRF54LX
From c91653c2f405efd6385641230b559d919b45831d Mon Sep 17 00:00:00 2001
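Review bot: `CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519` is mirrored into ${DEFAULT_IMAGE} only inside the nRF54L branch and, unlike the KMU and PURE symbols right below it, is never set to `n`, so the application-side "informative" symbol stays off for ED25519 builds on other SoCs and presumably is not cleared when the sysbuild option is switched off. This is harmless in this series because both consumers in image_signing.cmake also test `CONFIG_SOC_SERIES_NRF54LX`, but it will surprise the next person who reads the symbol name as "the bootloader uses ED25519". Either mirror it from `SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519` alone, outside the SoC check and with an explicit `n` branch like the others, or add `# mirrored only for nRF54L; image_signing.cmake gates on the SoC as well` above the line. The unconditional `CONFIG_BOOT_IMG_HASH_ALG_SHA512 y` versus the `--pure` signing branch is raised on the image_signing.cmake hunk of this patch.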
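Review bot: The help text restricts `BOOT_SIGNATURE_TYPE_PURE` to configurations `where both image slots are within internal SoC device storage`, but the `depends on` lines only enforce the SoC series and ED25519, so a build that places the secondary slot in external flash is accepted silently and the unsupported combination is only discovered at boot. If this Kconfig tree has a symbol for the secondary slot location (`PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY` is the usual one in sysbuild/Kconfig.mcuboot — verify it is defined here), add `depends on !PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY`; otherwise make the help say explicitly that the constraint is not checked by the build. The first help sentence would also read better as `The image signature is verified over the image itself rather than over a hash of the image.`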
From: Dominik Ermel
Date: Wed, 6 Nov 2024 14:51:18 +0000
Subject: [PATCH 3/3] tests: kmu: Switch from MCUboot Kconfigs to sysbuild
Select KMU via sysbuild.
Signed-off-by: Dominik Ermel
---
 tests/subsys/kmu/hello_for_kmu/sysbuild.conf | 1 +
 tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/subsys/kmu/hello_for_kmu/sysbuild.conf b/tests/subsys/kmu/hello_for_kmu/sysbuild.conf
index 096f1babba86..8b2053216e5d 100644
--- a/tests/subsys/kmu/hello_for_kmu/sysbuild.conf
+++ b/tests/subsys/kmu/hello_for_kmu/sysbuild.conf
@@ -5,3 +5,4 @@
 #
 SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
diff --git a/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf b/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf
index 6a283595121c..da89eb04130e 100644
--- a/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf
+++ b/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf
@@ -7,7 +7,6 @@
 CONFIG_NRF_SECURITY=y
 CONFIG_MBEDTLS=n
 CONFIG_BOOT_ED25519_PSA=y
 CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x10000
-CONFIG_BOOT_SIGNATURE_USING_KMU=y
 # can be removed after merging #18487
 CONFIG_MBEDTLS_THREADING_C=n