commit 25ec74669854b7cae6de71f5fcaea377f32a88ce
author Sigvart Hovland <sigvart.m@gmail.com> Mon Mar 11 15:57:21 2019 +0100
committer Fabio Utzig <utzig@utzig.org> Mon Mar 25 07:12:34 2019 -0300
tree b782bb1f8ac5b1556267d13f594a6b0d7a2263fc
parent 65a6ab2735382371634445cd528cb41f350812fa

ext: nrf: Add nrf cc310 glue layer

Add glue layer for using the nrf cc310 to keep the cc310 interface more generic.
Add readme on how to build mcuboot with nrf cc310 support.

Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>

ext/nrf/README.md

diff --git a/ext/nrf/README.md b/ext/nrf/README.md
new file mode 100644
index 0000000..a22f06a
--- /dev/null
+++ b/ext/nrf/README.md
@@ -0,0 +1,18 @@
+# Building MCUBoot with nRF52840 CC310 enabled
+
+## Pre-prerequisites
+
+Clone [nrfxlib](https://github.com/NordicPlayground/nrfxlib) next to the mcuboot root folder. So that it's located `../nrfxlib` from mcuboots root folder.
+
+## Building
+
+make sure `root-ec-p256.pem` is set as the certificate and that `CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256` is selected not `CONFIG_BOOT_SIGNATURE_TYPE_RSA` in `prj.conf` of `boot/zephyr`.
+Since it defaults to tinycrypt you'll have to go into `menuconfig` and change the implementation selection to `cc310` or also set this in `prj.conf`.
+
+```
+mkdir build && cd build
+cmake -GNinja -DBOARD=nrf52840_pca10056
+ninja flash
+```
+
+Build a hello world example in zephyr and sign it with imgtool.py with the `root-ec-p256.pem` and flash it at `FLASH_AREA_IMAGE_0`.

ext/nrf/cc310_glue.c

diff --git a/ext/nrf/cc310_glue.c b/ext/nrf/cc310_glue.c
new file mode 100644
index 0000000..14b9ac6
--- /dev/null
+++ b/ext/nrf/cc310_glue.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2019 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-BSD-5-Clause-Nordic
+ */
+
+#include "cc310_glue.h"
+
+int cc310_init(void)
+{
+    /* Only initialize once */
+    static bool initialized;
+
+    if (!initialized) {
+        nrf_cc310_enable();
+        if (nrf_cc310_bl_init() != 0) {
+            return -1;
+        }
+        initialized = true;
+        nrf_cc310_disable();
+    }
+
+    return 0;
+}
+
+void cc310_sha256_update(nrf_cc310_bl_hash_context_sha256_t *ctx,
+                         const void *data,
+                         uint32_t data_len)
+{
+    /*
+     * NRF Cryptocell can only read from RAM this allocates a buffer on the stack
+     * if the data provided is not located in RAM.
+     */
+
+    if ((uint32_t) data < CONFIG_SRAM_BASE_ADDRESS) {
+        uint8_t stack_buffer[data_len];
+        uint32_t block_len = data_len;
+        memcpy(stack_buffer, data, block_len);
+        nrf_cc310_bl_hash_sha256_update(ctx, stack_buffer, block_len);
+    } else {
+        nrf_cc310_bl_hash_sha256_update(ctx, data, data_len);
+    }
+};
+
+int cc310_ecdsa_verify_secp256r1(uint8_t *hash,
+                                 uint8_t *public_key,
+                                 uint8_t *signature,
+                                 size_t hash_len)
+{
+        int rc;
+        nrf_cc310_bl_ecdsa_verify_context_secp256r1_t ctx;
+        cc310_init();
+        nrf_cc310_enable();
+        rc = nrf_cc310_bl_ecdsa_verify_secp256r1(&ctx,
+                                                 (nrf_cc310_bl_ecc_public_key_secp256r1_t *) public_key,
+                                                 (nrf_cc310_bl_ecc_signature_secp256r1_t  *) signature,
+                                                 hash,
+                                                 hash_len);
+        nrf_cc310_disable();
+        return rc;
+}
+

ext/nrf/cc310_glue.h

diff --git a/ext/nrf/cc310_glue.h b/ext/nrf/cc310_glue.h
new file mode 100644
index 0000000..db34c34
--- /dev/null
+++ b/ext/nrf/cc310_glue.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2019 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-BSD-5-Clause-Nordic
+ */
+#ifndef NRF_CC310_GLUE_H__
+#define NRF_CC310_GLUE_H__
+
+#include <nrf.h>
+#include <nrf_cc310_bl_init.h>
+#include <nrf_cc310_bl_hash_sha256.h>
+#include <nrf_cc310_bl_ecdsa_verify_secp256r1.h>
+#include <generated_dts_board.h>
+#include <string.h>
+
+typedef nrf_cc310_bl_hash_context_sha256_t bootutil_sha256_context;
+
+int cc310_ecdsa_verify_secp256r1(uint8_t *hash,
+                                 uint8_t *public_key,
+                                 uint8_t *signature,
+                                 size_t hash_len);
+
+
+int cc310_init(void);
+
+static inline void cc310_sha256_init(nrf_cc310_bl_hash_context_sha256_t *ctx);
+
+void cc310_sha256_update(nrf_cc310_bl_hash_context_sha256_t *ctx,
+                         const void *data,
+                         uint32_t data_len);
+
+static inline void nrf_cc310_enable(void)
+{
+    NRF_CRYPTOCELL->ENABLE=1;
+}
+
+static inline void nrf_cc310_disable(void)
+{
+    NRF_CRYPTOCELL->ENABLE=1;
+}
+
+/* Enable and disable cc310 to reduce power consumption */
+static inline void cc310_sha256_init(nrf_cc310_bl_hash_context_sha256_t * ctx)
+{
+    cc310_init();
+    nrf_cc310_enable();
+    nrf_cc310_bl_hash_sha256_init(ctx);
+}
+
+static inline void cc310_sha256_finalize(bootutil_sha256_context *ctx,
+                                          uint8_t *output)
+{
+    nrf_cc310_bl_hash_sha256_finalize(ctx,
+                                      (nrf_cc310_bl_hash_digest_sha256_t *)output);
+    nrf_cc310_disable();
+}
+
+#endif /* NRF_CC310_GLUE_H__ */