testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch - mirror/mcuboot - TrustedFirmware Git Browser

 From f261e0e1c7e0876094ed688f5f0923590aca3739 Mon Sep 17 00:00:00 2001
 From: David Brown <david.brown@linaro.org>
 Date: Thu, 27 Jul 2017 10:05:47 -0600
 Subject: [PATCH] partial: ECDSA P256 bootloader, slot 1 bad sig

 This configures the bootloader to require an ECDSA P256 signature, with
 hello2 having an invalid signature.  Slot 0 should boot, but the upgrade
 should not work.
 ---
  Makefile                | 8 ++++----
  bad-ec-p256.pem         | 5 +++++
  samples/zephyr/Makefile | 4 ++--
  3 files changed, 11 insertions(+), 6 deletions(-)
  create mode 100644 bad-ec-p256.pem

 diff --git a/Makefile b/Makefile
 index 1e9ec42..b0adf05 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -9,16 +9,16 @@
  # lines there, and comment out any other blocks.

  # RSA
 -CONF_FILE = boot/zephyr/prj.conf
 -CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
 +#CONF_FILE = boot/zephyr/prj.conf
 +#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS

  # Newer uses should use the RSA-PSS signature algorithm.  This define
  # enables (and requires) this type of signature.
  #CFLAGS += -DMCUBOOT_RSA_PKCS1_15

  # ECDSA P-256
 -#CONF_FILE = boot/zephyr/prj-p256.conf
 -#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
 +CONF_FILE = boot/zephyr/prj-p256.conf
 +CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT

  # Enable this option to have the bootloader verify the signature of
  # the primary image upon every boot.  Without it, signature
 diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem
 new file mode 100644
 index 0000000..333f41f
 --- /dev/null
 +++ b/bad-ec-p256.pem
 @@ -0,0 +1,5 @@
 +-----BEGIN EC PRIVATE KEY-----
 +MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49
 +AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs
 +ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw==
 +-----END EC PRIVATE KEY-----
 diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
 index 7678615..02a54da 100644
 --- a/samples/zephyr/Makefile
 +++ b/samples/zephyr/Makefile
 @@ -102,7 +102,7 @@ clean_boot: check
  hello1: check
  	$(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc)
  	$(IMGTOOL) sign \
 -		--key $(SIGNING_KEY) \
 +		--key ../../root-ec-p256.pem \
  		--header-size $(BOOT_HEADER_LEN) \
  		--align $(FLASH_ALIGNMENT) \
  		--version 1.2 \
 @@ -121,7 +121,7 @@ clean_hello1: check
  hello2: check
  	$(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc)
  	$(IMGTOOL) sign \
 -		--key $(SIGNING_KEY) \
 +		--key ../../bad-ec-p256.pem \
  		--header-size $(BOOT_HEADER_LEN) \
  		--align $(FLASH_ALIGNMENT) \
  		--version 1.2 \
 --
 2.11.0
	From f261e0e1c7e0876094ed688f5f0923590aca3739 Mon Sep 17 00:00:00 2001
	From: David Brown <david.brown@linaro.org>
	Date: Thu, 27 Jul 2017 10:05:47 -0600
	Subject: [PATCH] partial: ECDSA P256 bootloader, slot 1 bad sig

	This configures the bootloader to require an ECDSA P256 signature, with
	hello2 having an invalid signature. Slot 0 should boot, but the upgrade
	should not work.
	---
	Makefile \| 8 ++++----
	bad-ec-p256.pem \| 5 +++++
	samples/zephyr/Makefile \| 4 ++--
	3 files changed, 11 insertions(+), 6 deletions(-)
	create mode 100644 bad-ec-p256.pem

	diff --git a/Makefile b/Makefile
	index 1e9ec42..b0adf05 100644
	--- a/Makefile
	+++ b/Makefile
	@@ -9,16 +9,16 @@
	# lines there, and comment out any other blocks.

	# RSA
	-CONF_FILE = boot/zephyr/prj.conf
	-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
	+#CONF_FILE = boot/zephyr/prj.conf
	+#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS

	# Newer uses should use the RSA-PSS signature algorithm. This define
	# enables (and requires) this type of signature.
	#CFLAGS += -DMCUBOOT_RSA_PKCS1_15

	# ECDSA P-256
	-#CONF_FILE = boot/zephyr/prj-p256.conf
	-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
	+CONF_FILE = boot/zephyr/prj-p256.conf
	+CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT

	# Enable this option to have the bootloader verify the signature of
	# the primary image upon every boot. Without it, signature
	diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem
	new file mode 100644
	index 0000000..333f41f
	--- /dev/null
	+++ b/bad-ec-p256.pem
	@@ -0,0 +1,5 @@
	+-----BEGIN EC PRIVATE KEY-----
	+MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49
	+AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs
	+ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw==
	+-----END EC PRIVATE KEY-----
	diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
	index 7678615..02a54da 100644
	--- a/samples/zephyr/Makefile
	+++ b/samples/zephyr/Makefile
	@@ -102,7 +102,7 @@ clean_boot: check
	hello1: check
	$(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc)
	$(IMGTOOL) sign \
	- --key $(SIGNING_KEY) \
	+ --key ../../root-ec-p256.pem \
	--header-size $(BOOT_HEADER_LEN) \
	--align $(FLASH_ALIGNMENT) \
	--version 1.2 \
	@@ -121,7 +121,7 @@ clean_hello1: check
	hello2: check
	$(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc)
	$(IMGTOOL) sign \
	- --key $(SIGNING_KEY) \
	+ --key ../../bad-ec-p256.pem \
	--header-size $(BOOT_HEADER_LEN) \
	--align $(FLASH_ALIGNMENT) \
	--version 1.2 \
	--
	2.11.0