Add rsa+kw testing support to simulator
Allows simulating images signed with RSA-2048 and encrypted with
AES-128-KW.
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/boot/zephyr/include/config-rsa-kw.h b/boot/zephyr/include/config-rsa-kw.h
new file mode 100644
index 0000000..3568cc0
--- /dev/null
+++ b/boot/zephyr/include/config-rsa-kw.h
@@ -0,0 +1,75 @@
+/*
+ * Minimal configuration for using TLS in the bootloader
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2016, Linaro Ltd
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Minimal configuration for using TLS in the bootloader
+ *
+ * - RSA signature verification + NIST Keywrapping support
+ */
+
+#ifndef MCUBOOT_MBEDTLS_CONFIG_RSA_KW
+#define MCUBOOT_MBEDTLS_CONFIG_RSA_KW
+
+#ifdef CONFIG_MCUBOOT_SERIAL
+/* Mcuboot uses mbedts-base64 for serial protocol encoding. */
+#define MBEDTLS_BASE64_C
+#endif
+
+/* System support */
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_EXIT_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+
+#if !defined(CONFIG_ARM)
+#define MBEDTLS_HAVE_ASM
+#endif
+
+#define MBEDTLS_RSA_C
+#define MBEDTLS_PKCS1_V21
+
+/* mbed TLS modules */
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_NIST_KW_C
+
+/* Save RAM by adjusting to our exact needs */
+#define MBEDTLS_ECP_MAX_BITS 2048
+#define MBEDTLS_MPI_MAX_SIZE 256
+
+#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
+
+/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
+#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+
+#include "mbedtls/check_config.h"
+
+#endif /* MCUBOOT_MBEDTLS_CONFIG_RSA_KW */
diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs
index c827623..c959bb2 100644
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@@ -115,7 +115,9 @@
conf.file("mbedtls/library/aes.c");
}
- if sig_rsa || enc_rsa {
+ if sig_rsa && enc_kw {
+ conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa-kw.h>"));
+ } else if sig_rsa || enc_rsa {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa.h>"));
} else if sig_ecdsa {
conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
diff --git a/sim/src/lib.rs b/sim/src/lib.rs
index 7eb27c5..629b916 100644
--- a/sim/src/lib.rs
+++ b/sim/src/lib.rs
@@ -1183,7 +1183,14 @@
// The TLV in use depends on what kind of signature we are verifying.
#[cfg(feature = "sig-rsa")]
+#[cfg(feature = "enc-kw")]
+fn make_tlv() -> TlvGen {
+ TlvGen::new_rsa_kw()
+}
+
+#[cfg(feature = "sig-rsa")]
#[cfg(not(feature = "enc-rsa"))]
+#[cfg(not(feature = "enc-kw"))]
fn make_tlv() -> TlvGen {
TlvGen::new_rsa_pss()
}
@@ -1205,6 +1212,7 @@
TlvGen::new_sig_enc_rsa()
}
+#[cfg(not(feature = "sig-rsa"))]
#[cfg(feature = "enc-kw")]
fn make_tlv() -> TlvGen {
TlvGen::new_enc_kw()
diff --git a/sim/src/tlv.rs b/sim/src/tlv.rs
index 6931d0b..afc34aa 100644
--- a/sim/src/tlv.rs
+++ b/sim/src/tlv.rs
@@ -107,6 +107,16 @@
}
}
+ #[allow(dead_code)]
+ pub fn new_rsa_kw() -> TlvGen {
+ TlvGen {
+ flags: TlvFlags::ENCRYPTED as u32,
+ kinds: vec![TlvKinds::SHA256, TlvKinds::RSA2048, TlvKinds::ENCKW128],
+ size: 4 + 32 + 4 + 32 + 4 + 256 + 4 + 24,
+ payload: vec![],
+ }
+ }
+
/// Retrieve the header flags for this configuration. This can be called at any time.
pub fn get_flags(&self) -> u32 {
self.flags