commit 641af4530cf0de1990a539d76590b97fd0e272f2
author David Brown <david.brown@linaro.org> Fri Feb 19 12:16:48 2021 -0700
committer David Brown <davidb@davidb.org> Tue Feb 23 10:29:31 2021 -0700
tree 3587d65340750e2ed21ebd4f37d16502220eda81
parent 0c8c8d53257be7454a066e18014b4bedcd545c32

boot: Support Mbed TLS ECDSA for signatures

Add Mbed TLS ECDSA signature verification as an option (in addition to
Tinycrypt and the CC310 hardware version).  Although the Mbed TLS ECDSA
verification code is both larger and slower, this will still save space
if there is another reason that the Mbed TLS code is already being
brought in for another reason (such as certificate management, for
example).

Mbed TLS's ECDSA verification works at a different level than the other
two libraries, so this takes a bit of reworking.  There are some
additional parameters passed to the various functions, and a new define
MCUBOOT_ECDSA_NEED_ASN1_SIG to indicate that the ecdsa verification
wants the original ASN1 signature, not a decoded key.

This adds the boot changes and simulator support to test this configuration.

Signed-off-by: David Brown <david.brown@linaro.org>

sim/Cargo.toml

diff --git a/sim/Cargo.toml b/sim/Cargo.toml
index ac3edba..ddf3b88 100644
--- a/sim/Cargo.toml
+++ b/sim/Cargo.toml
@@ -10,6 +10,7 @@
 sig-rsa = ["mcuboot-sys/sig-rsa"]
 sig-rsa3072 = ["mcuboot-sys/sig-rsa3072"]
 sig-ecdsa = ["mcuboot-sys/sig-ecdsa"]
+sig-ecdsa-mbedtls = ["mcuboot-sys/sig-ecdsa-mbedtls"]
 sig-ed25519 = ["mcuboot-sys/sig-ed25519"]
 overwrite-only = ["mcuboot-sys/overwrite-only"]
 swap-move = ["mcuboot-sys/swap-move"]

sim/mcuboot-sys/Cargo.toml

diff --git a/sim/mcuboot-sys/Cargo.toml b/sim/mcuboot-sys/Cargo.toml
index 829d2ec..19114f9 100644
--- a/sim/mcuboot-sys/Cargo.toml
+++ b/sim/mcuboot-sys/Cargo.toml
@@ -21,6 +21,9 @@
 # Verify ECDSA (secp256r1) signatures.
 sig-ecdsa = []
 
+# Verify ECDSA (secp256r1) signatures using mbed TLS
+sig-ecdsa-mbedtls = []
+
 # Verify ED25519 signatures.
 sig-ed25519 = []
 

sim/mcuboot-sys/build.rs

diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs
index 36a0dcd..74b19f0 100644
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@@ -12,6 +12,7 @@
     let sig_rsa = env::var("CARGO_FEATURE_SIG_RSA").is_ok();
     let sig_rsa3072 = env::var("CARGO_FEATURE_SIG_RSA3072").is_ok();
     let sig_ecdsa = env::var("CARGO_FEATURE_SIG_ECDSA").is_ok();
+    let sig_ecdsa_mbedtls = env::var("CARGO_FEATURE_SIG_ECDSA_MBEDTLS").is_ok();
     let sig_ed25519 = env::var("CARGO_FEATURE_SIG_ED25519").is_ok();
     let overwrite_only = env::var("CARGO_FEATURE_OVERWRITE_ONLY").is_ok();
     let swap_move = env::var("CARGO_FEATURE_SWAP_MOVE").is_ok();
@@ -97,6 +98,21 @@
 
         conf.file("../../ext/mbedtls-asn1/src/platform_util.c");
         conf.file("../../ext/mbedtls-asn1/src/asn1parse.c");
+    } else if sig_ecdsa_mbedtls {
+        conf.define("MCUBOOT_SIGN_EC256", None);
+        conf.define("MCUBOOT_USE_MBED_TLS", None);
+
+        conf.include("../../ext/mbedtls/crypto/include");
+        conf.file("../../ext/mbedtls/crypto/library/sha256.c");
+        conf.file("csupport/keys.c");
+
+        conf.file("../../ext/mbedtls/crypto/library/asn1parse.c");
+        conf.file("../../ext/mbedtls/crypto/library/bignum.c");
+        conf.file("../../ext/mbedtls/crypto/library/ecdsa.c");
+        conf.file("../../ext/mbedtls/crypto/library/ecp.c");
+        conf.file("../../ext/mbedtls/crypto/library/ecp_curves.c");
+        conf.file("../../ext/mbedtls/crypto/library/platform.c");
+        conf.file("../../ext/mbedtls/crypto/library/platform_util.c");
     } else if sig_ed25519 {
         conf.define("MCUBOOT_SIGN_ED25519", None);
         conf.define("MCUBOOT_USE_TINYCRYPT", None);
@@ -247,6 +263,8 @@
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa-kw.h>"));
     } else if sig_rsa || sig_rsa3072 || enc_rsa {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa.h>"));
+    } else if sig_ecdsa_mbedtls {
+        conf.define("MBEDTLS_CONFIG_FILE", Some("<config-ecdsa.h>"));
     } else if (sig_ecdsa || enc_ec256) && !enc_kw {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
     } else if sig_ed25519 || enc_x25519 {
@@ -258,7 +276,7 @@
     conf.file("../../boot/bootutil/src/image_validate.c");
     if sig_rsa || sig_rsa3072 {
         conf.file("../../boot/bootutil/src/image_rsa.c");
-    } else if sig_ecdsa {
+    } else if sig_ecdsa || sig_ecdsa_mbedtls {
         conf.file("../../boot/bootutil/src/image_ec256.c");
     } else if sig_ed25519 {
         conf.file("../../boot/bootutil/src/image_ed25519.c");

sim/mcuboot-sys/csupport/run.c

diff --git a/sim/mcuboot-sys/csupport/run.c b/sim/mcuboot-sys/csupport/run.c
index 03947fa..0133262 100644
--- a/sim/mcuboot-sys/csupport/run.c
+++ b/sim/mcuboot-sys/csupport/run.c
@@ -230,7 +230,8 @@
     struct boot_rsp rsp;
     struct boot_loader_state *state;
 
-#if defined(MCUBOOT_SIGN_RSA)
+#if defined(MCUBOOT_SIGN_RSA) || \
+    (defined(MCUBOOT_SIGN_EC256) && defined(MCUBOOT_USE_MBED_TLS))
     mbedtls_platform_set_calloc_free(calloc, free);
 #endif