boot: Add hardware key support
This change enables the public key (used for image authentication) to
be removed from MCUboot and be appended to the image instead. In this
case the key or its hash must be provisioned to the device and MCUboot
must be able to retrieve the key-hash from the hardware to compare it
with the calculated hash of the public key from the image manifest in
order to verify its validity before image authentication.
The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1581
Change-Id: I36fe699732e0e4c113eaed331c22e707c722ed6e
Signed-off-by: David Vincze <david.vincze@linaro.org>
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 31b6db3..374aef0 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -1,4 +1,4 @@
-# Copyright (c) 2017 Linaro Limited
+# Copyright (c) 2017-2020 Linaro Limited
# Copyright (c) 2020 Arm Limited
#
# SPDX-License-Identifier: Apache-2.0
@@ -128,6 +128,15 @@
config MBEDTLS_CFG_FILE
default "mcuboot-mbedtls-cfg.h"
+config BOOT_HW_KEY
+ bool "Use HW key for image verification"
+ default n
+ help
+ Use HW key for image verification, otherwise the public key is embedded
+ in MCUBoot. If enabled the public key is appended to the signed image
+ and requires the hash of the public key to be provisioned to the device
+ beforehand.
+
config BOOT_VALIDATE_SLOT0
bool "Validate image in the primary slot on every boot"
default y
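Review bot: The help text of `BOOT_HW_KEY` in the second hunk does not say that the provisioned hash becomes the root of trust once the public key is moved out of the bootloader and into the image. Anyone able to rewrite that hash can make the device accept an image signed with their own key, so it needs to live in storage that cannot be modified after provisioning. I would extend the help with `The provisioned key hash is the root of trust for image verification; it must be stored where neither the application nor an update can modify it, and the platform must provide the code that retrieves it.` The entry as shown also has no `depends on`. If this Kconfig lets signature verification be switched off elsewhere (not visible in this hunk), a dependency on a signature type being selected would rule out a configuration where the option has no effect. `default n` is redundant for a `bool` and can be dropped.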