boot: Add hardware key support
This change enables the public key (used for image authentication) to
be removed from MCUboot and be appended to the image instead. In this
case the key or its hash must be provisioned to the device and MCUboot
must be able to retrieve the key-hash from the hardware to compare it
with the calculated hash of the public key from the image manifest in
order to verify its validity before image authentication.
The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1581
Change-Id: I36fe699732e0e4c113eaed331c22e707c722ed6e
Signed-off-by: David Vincze <david.vincze@linaro.org>
diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c
index 47943c9..d5aeba4 100644
--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -28,6 +28,7 @@
*/
#include <mcuboot_config/mcuboot_config.h>
+#if !defined(MCUBOOT_HW_KEY)
#if defined(MCUBOOT_SIGN_RSA)
#define HAVE_KEYS
extern const unsigned char rsa_pub_key[];
@@ -65,7 +66,17 @@
},
};
const int bootutil_key_cnt = 1;
-#endif
+#endif /* HAVE_KEYS */
+#else
+unsigned int pub_key_len;
+struct bootutil_key bootutil_keys[1] = {
+ {
+ .key = 0,
+ .len = &pub_key_len,
+ }
+};
+const int bootutil_key_cnt = 1;
+#endif /* !MCUBOOT_HW_KEY */
#if defined(MCUBOOT_ENCRYPT_RSA)
unsigned char enc_priv_key[] = {