bootutil: Remove P224 curve
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I49fad7ede202de4e3c710bf4aa1df195a310b037
diff --git a/boot/bootutil/CMakeLists.txt b/boot/bootutil/CMakeLists.txt
index b23131e..534ca11 100644
--- a/boot/bootutil/CMakeLists.txt
+++ b/boot/bootutil/CMakeLists.txt
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
@@ -23,7 +23,6 @@
src/encrypted.c
src/fault_injection_hardening.c
src/fault_injection_hardening_delay_rng_mbedtls.c
- src/image_ec.c
src/image_ec256.c
src/image_ed25519.c
src/image_rsa.c
diff --git a/boot/bootutil/include/bootutil/caps.h b/boot/bootutil/include/bootutil/caps.h
index 4452897..3c0ffb3 100644
--- a/boot/bootutil/include/bootutil/caps.h
+++ b/boot/bootutil/include/bootutil/caps.h
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2017 Linaro Limited
- * Copyright (c) 2021 Arm Limited
+ * Copyright (c) 2021-2023 Arm Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -34,23 +34,22 @@
uint32_t bootutil_get_caps(void);
#define BOOTUTIL_CAP_RSA2048 (1<<0)
-#define BOOTUTIL_CAP_ECDSA_P224 (1<<1)
-#define BOOTUTIL_CAP_ECDSA_P256 (1<<2)
-#define BOOTUTIL_CAP_SWAP_USING_SCRATCH (1<<3)
-#define BOOTUTIL_CAP_OVERWRITE_UPGRADE (1<<4)
-#define BOOTUTIL_CAP_ENC_RSA (1<<5)
-#define BOOTUTIL_CAP_ENC_KW (1<<6)
-#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT (1<<7)
-#define BOOTUTIL_CAP_RSA3072 (1<<8)
-#define BOOTUTIL_CAP_ED25519 (1<<9)
-#define BOOTUTIL_CAP_ENC_EC256 (1<<10)
-#define BOOTUTIL_CAP_SWAP_USING_MOVE (1<<11)
-#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION (1<<12)
-#define BOOTUTIL_CAP_ENC_X25519 (1<<13)
-#define BOOTUTIL_CAP_BOOTSTRAP (1<<14)
-#define BOOTUTIL_CAP_AES256 (1<<15)
-#define BOOTUTIL_CAP_RAM_LOAD (1<<16)
-#define BOOTUTIL_CAP_DIRECT_XIP (1<<17)
+#define BOOTUTIL_CAP_ECDSA_P256 (1<<1)
+#define BOOTUTIL_CAP_SWAP_USING_SCRATCH (1<<2)
+#define BOOTUTIL_CAP_OVERWRITE_UPGRADE (1<<3)
+#define BOOTUTIL_CAP_ENC_RSA (1<<4)
+#define BOOTUTIL_CAP_ENC_KW (1<<5)
+#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT (1<<6)
+#define BOOTUTIL_CAP_RSA3072 (1<<7)
+#define BOOTUTIL_CAP_ED25519 (1<<8)
+#define BOOTUTIL_CAP_ENC_EC256 (1<<9)
+#define BOOTUTIL_CAP_SWAP_USING_MOVE (1<<10)
+#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION (1<<11)
+#define BOOTUTIL_CAP_ENC_X25519 (1<<12)
+#define BOOTUTIL_CAP_BOOTSTRAP (1<<13)
+#define BOOTUTIL_CAP_AES256 (1<<14)
+#define BOOTUTIL_CAP_RAM_LOAD (1<<15)
+#define BOOTUTIL_CAP_DIRECT_XIP (1<<16)
/*
* Query the number of images this bootloader is configured for. This
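Review bot: Shifting every capability after `BOOTUTIL_CAP_ECDSA_P224` down by one bit changes the meaning of the mask returned by `bootutil_get_caps()` for any consumer built against the old header. A caller that still tests `(1<<2)` for P-256 would now be reading `BOOTUTIL_CAP_SWAP_USING_SCRATCH`, and a test harness that keys signature or downgrade-prevention tests on these bits could silently skip them. Whether every mirror of these constants is updated in the same change is not visible in this hunk. I would keep the existing positions, e.g. `#define BOOTUTIL_CAP_ECDSA_P256 (1<<2)`, and retire the slot with `/* (1<<1) reserved: was BOOTUTIL_CAP_ECDSA_P224 */`.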
diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h
index fa33732..95692fb 100644
--- a/boot/bootutil/include/bootutil/image.h
+++ b/boot/bootutil/include/bootutil/image.h
@@ -3,7 +3,7 @@
*
* Copyright (c) 2016-2019 Linaro LTD
* Copyright (c) 2016-2019 JUUL Labs
- * Copyright (c) 2019-2021 Arm Limited
+ * Copyright (c) 2019-2023 Arm Limited
*
* Original license:
*
@@ -85,7 +85,7 @@
#define IMAGE_TLV_PUBKEY 0x02 /* public key */
#define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */
#define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */
-#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output */
+#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output - Not supported anymore */
#define IMAGE_TLV_ECDSA256 0x22 /* ECDSA of hash output */
#define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */
#define IMAGE_TLV_ED25519 0x24 /* ed25519 of hash output */
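Review bot: The new comment on `IMAGE_TLV_ECDSA224` says the type is unsupported but not why the define stays, which invites a later cleanup that frees 0x21 for reuse. Signing tools and already-signed images may still carry this TLV type, so the value should stay reserved. I would spell that out: `#define IMAGE_TLV_ECDSA224 0x21 /* ECDSA P-224 of hash output - removed, value reserved */`.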
diff --git a/boot/bootutil/src/caps.c b/boot/bootutil/src/caps.c
index f44ab02..63bcd64 100644
--- a/boot/bootutil/src/caps.c
+++ b/boot/bootutil/src/caps.c
@@ -2,7 +2,7 @@
* SPDX-License-Identifier: Apache-2.0
*
* Copyright (c) 2017 Linaro Limited
- * Copyright (c) 2021 Arm Limited
+ * Copyright (c) 2021-2023 Arm Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,9 +32,6 @@
res |= BOOTUTIL_CAP_RSA3072;
#endif
#endif
-#if defined(MCUBOOT_SIGN_EC)
- res |= BOOTUTIL_CAP_ECDSA_P224;
-#endif
#if defined(MCUBOOT_SIGN_EC256)
res |= BOOTUTIL_CAP_ECDSA_P256;
#endif
diff --git a/boot/bootutil/src/image_ec.c b/boot/bootutil/src/image_ec.c
deleted file mode 100644
index 2d92afb..0000000
--- a/boot/bootutil/src/image_ec.c
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * Copyright (c) 2016-2018 JUUL Labs
- * Copyright (C) 2021 Arm Limited
- *
- * Original license:
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#include <string.h>
-
-#include "mcuboot_config/mcuboot_config.h"
-
-#ifdef MCUBOOT_SIGN_EC
-#include "bootutil/sign_key.h"
-
-#include "mbedtls/ecdsa.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/asn1.h"
-
-#include "bootutil/crypto/common.h"
-#include "bootutil_priv.h"
-
-/*
- * Declaring these like this adds NULL termination.
- */
-static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED;
-static const uint8_t ec_secp224r1_oid[] = MBEDTLS_OID_EC_GRP_SECP224R1;
-
-/*
- * Parse the public key used for signing.
- */
-static int
-bootutil_parse_eckey(mbedtls_ecdsa_context *ctx, uint8_t **p, uint8_t *end)
-{
- size_t len;
- mbedtls_asn1_buf alg;
- mbedtls_asn1_buf param;
-
- if (mbedtls_asn1_get_tag(p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
- return -1;
- }
- end = *p + len;
-
- if (mbedtls_asn1_get_alg(p, end, &alg, ¶m)) {
- return -2;
- }
- if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
- memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
- return -3;
- }
- if (param.len != sizeof(ec_secp224r1_oid) - 1||
- memcmp(param.p, ec_secp224r1_oid, sizeof(ec_secp224r1_oid) - 1)) {
- return -4;
- }
-
- if (mbedtls_ecp_group_load(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), MBEDTLS_ECP_DP_SECP224R1)) {
- return -5;
- }
-
- if (mbedtls_asn1_get_bitstring_null(p, end, &len)) {
- return -6;
- }
- if (*p + len != end) {
- return -7;
- }
-
- if (mbedtls_ecp_point_read_binary(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q), *p, end - *p)) {
- return -8;
- }
-
- if (mbedtls_ecp_check_pubkey(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q))) {
- return -9;
- }
- return 0;
-}
-
-static int
-bootutil_cmp_sig(mbedtls_ecdsa_context *ctx, uint8_t *hash, uint32_t hlen,
- uint8_t *sig, size_t slen)
-{
- return mbedtls_ecdsa_read_signature(ctx, hash, hlen, sig, slen);
-}
-
-int
-bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
- uint8_t key_id)
-{
- int rc;
- uint8_t *cp;
- uint8_t *end;
- mbedtls_ecdsa_context ctx;
-
- mbedtls_ecdsa_init(&ctx);
-
- cp = (uint8_t *)bootutil_keys[key_id].key;
- end = cp + *bootutil_keys[key_id].len;
-
- rc = bootutil_parse_eckey(&ctx, &cp, end);
- if (rc) {
- return -1;
- }
-
- while (sig[slen - 1] == '\0') {
- slen--;
- }
- rc = bootutil_cmp_sig(&ctx, hash, hlen, sig, slen);
- mbedtls_ecdsa_free(&ctx);
-
- return rc;
-}
-#endif /* MCUBOOT_SIGN_EC */
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index a866281..07e0e85 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -3,7 +3,7 @@
*
* Copyright (c) 2017-2019 Linaro LTD
* Copyright (c) 2016-2019 JUUL Labs
- * Copyright (c) 2019-2020 Arm Limited
+ * Copyright (c) 2019-2023 Arm Limited
*
* Original license:
*
@@ -46,11 +46,11 @@
#if defined(MCUBOOT_SIGN_RSA)
#include "mbedtls/rsa.h"
#endif
-#if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
+#if defined(MCUBOOT_SIGN_EC256)
#include "mbedtls/ecdsa.h"
#endif
#if defined(MCUBOOT_ENC_IMAGES) || defined(MCUBOOT_SIGN_RSA) || \
- defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
+ defined(MCUBOOT_SIGN_EC256)
#include "mbedtls/asn1.h"
#endif
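Review bot: A configuration that still defines `MCUBOOT_SIGN_EC` is no longer caught anywhere in this file. The macro is dropped from these include guards, and the two hunks below also drop it from the single-signature-type count and from the `EXPECTED_SIG_TLV` chain. The comment above that count says the macro is left undefined when no signature is configured, so such a build would presumably compile cleanly and validate images without a signature check instead of failing. Unless the config headers already reject it (not visible here), add an explicit guard next to the count check: `#if defined(MCUBOOT_SIGN_EC)`, then `#error "MCUBOOT_SIGN_EC (P-224) was removed; use MCUBOOT_SIGN_EC256"`, then `#endif`.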
@@ -169,7 +169,6 @@
* configured for any signature, don't define this macro.
*/
#if (defined(MCUBOOT_SIGN_RSA) + \
- defined(MCUBOOT_SIGN_EC) + \
defined(MCUBOOT_SIGN_EC256) + \
defined(MCUBOOT_SIGN_ED25519)) > 1
#error "Only a single signature type is supported!"
@@ -185,10 +184,6 @@
# endif
# define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8)
# define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE) /* 2048 bits */
-#elif defined(MCUBOOT_SIGN_EC)
-# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224
-# define SIG_BUF_SIZE 128
-# define EXPECTED_SIG_LEN(x) (1) /* always true, ASN.1 will validate */
#elif defined(MCUBOOT_SIGN_EC256)
# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256
# define SIG_BUF_SIZE 128