Added option WOLFBOOT_UNIVERSAL_KEYSTORE

- Allows keys with different algorithms and sizes to be imported/generated
- Skips check for keys matching type/length in keystore

Author: danielinux

include/wolfboot/wolfboot.h

@@ -175,35 +175,53 @@ extern "C" {
  /* Authentication configuration */
  #if defined(WOLFBOOT_NO_SIGN)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_NONE
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_NONE
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_NONE
+ #   endif
  #elif defined(WOLFBOOT_SIGN_ED25519)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ED25519
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ED25519
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ED25519
+ #   endif
  #elif defined(WOLFBOOT_SIGN_ED448)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ED448
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ED448
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ED448
+ #   endif
  #elif defined(WOLFBOOT_SIGN_ECC256)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC256
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ECC256
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ECC256
+ #   endif
  #elif defined(WOLFBOOT_SIGN_ECC384)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC384
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ECC384
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ECC384
+ #   endif
  #elif defined(WOLFBOOT_SIGN_ECC521)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC521
  #   error "ECC521 curves not yet supported in this version of wolfBoot. " \
            "Please select a valid SIGN= option."
  #elif defined(WOLFBOOT_SIGN_RSA2048)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA2048
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA2048
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA2048
+ #   endif
  #elif defined(WOLFBOOT_SIGN_RSA3072)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA3072
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA3072
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA3072
+ #   endif
  #elif defined(WOLFBOOT_SIGN_RSA4096)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA4096
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA4096
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_RSA4096
+ #   endif
  #elif defined(WOLFBOOT_SIGN_LMS)
  #   define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_LMS
- #   define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_LMS
+ #   ifndef WOLFBOOT_UNIVERSAL_KEYSTORE
+ #     define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_LMS
+ #   endif
  #else
  #   error "No valid authentication mechanism selected. " \
            "Please select a valid SIGN= option."

options.mk

@@ -657,6 +657,10 @@ ifeq ($(64BIT),1)
   CFLAGS+=-DWOLFBOOT_64BIT
 endif
 
+ifeq ($(WOLFBOOT_UNIVERSAL_KEYSTORE),1)
+  CFLAGS+=-DWOLFBOOT_UNIVERSAL_KEYSTORE
+endif
+
 ifeq ($(DISK_LOCK),1)
   CFLAGS+=-DWOLFBOOT_ATA_DISK_LOCK
   ifneq ($(DISK_LOCK_PASSWORD),)

tools/config.mk

@@ -53,6 +53,7 @@ ifeq ($(ARCH),)
   MEASURED_BOOT?=0
   WOLFBOOT_TPM_SEAL?=0
   WOLFBOOT_TPM_KEYSTORE?=0
+  WOLFBOOT_UNIVERSAL_KEYSTORE?=0
   TZEN?=0
   WOLFCRYPT_TZ?=0
   WOLFCRYPT_TZ_PKCS11?=0
@@ -91,4 +92,5 @@ CONFIG_VARS:= ARCH TARGET SIGN HASH MCUXSDK MCUXPRESSO MCUXPRESSO_CPU MCUXPRESSO
 	WOLFBOOT_HUGE_STACK FORCE_32BIT\
 	ENCRYPT_WITH_CHACHA ENCRYPT_WITH_AES128 ENCRYPT_WITH_AES256 ARMORED \
 	LMS_LEVELS LMS_HEIGHT LMS_WINTERNITZ \
+	WOLFBOOT_UNIVERSAL_KEYSTORE \
 	ELF

tools/keytools/keygen.c

@@ -98,7 +98,7 @@ static int force = 0;
 static WC_RNG rng;
 
 #ifndef KEYSLOT_MAX_PUBKEY_SIZE
-    #define KEYSLOT_MAX_PUBKEY_SIZE 2048
+    #define KEYSLOT_MAX_PUBKEY_SIZE 576 
 #endif
 
 struct keystore_slot {
@@ -263,6 +263,16 @@ const char KName[][8] = {
     "LMS"
 };
 
+#define MAX_PUBKEYS 64
+#define MAX_KEYPAIRS 64
+static char *imported_pubkeys[MAX_PUBKEYS];
+static int imported_pubkeys_type[MAX_PUBKEYS];
+static int n_imported = 0;
+
+static char *generated_keypairs[MAX_KEYPAIRS];
+static int generated_keypairs_type[MAX_KEYPAIRS];
+static int n_generated = 0;
+
 static uint32_t get_pubkey_size(uint32_t keyType)
 {
     uint32_t size = 0;
@@ -776,11 +786,17 @@ int main(int argc, char** argv)
             key_gen_check(argv[i + 1]);
             i++;
             n_pubkeys++;
+            generated_keypairs[n_generated] = argv[i];
+            generated_keypairs_type[n_generated] = keytype;
+            n_generated++;
             continue;
         }
         else if (strcmp(argv[i], "-i") == 0) {
             i++;
             n_pubkeys++;
+            imported_pubkeys[n_imported] = argv[i];
+            imported_pubkeys_type[n_imported] = keytype;
+            n_imported++;
             continue;
         }
         else if (strcmp(argv[i], "-keystoreDir") == 0) {
@@ -811,17 +827,12 @@ int main(int argc, char** argv)
     wc_InitRng(&rng);
     fprintf(fpub, Cfile_Banner, KName[keytype]);
     fprintf(fpub, Store_hdr, n_pubkeys);
-    for (i = 1; i < argc - 1; i++) {
-        if (strcmp(argv[i], "-i") == 0) {
-            printf("Imp %s\n", argv[i + 1]);
-            key_import(keytype, argv[i + 1]);
-            i++;
-        }
-        else if (strcmp(argv[i], "-g") == 0) {
-            printf("Gen %s\n", argv[i + 1]);
-            key_generate(keytype, argv[i + 1]);
-            i++;
-        }
+
+    for (i = 0; i < n_imported; i++) {
+        key_import(imported_pubkeys_type[i], imported_pubkeys[i]);
+    }
+    for (i = 0; i < n_generated; i++) {
+        key_generate(generated_keypairs_type[i], generated_keypairs[i]);
     }
     wc_FreeRng(&rng);
     fprintf(fpub, Store_footer);