commit 6c553d6741ab02977f8c13f69277ffba4fd84a97
author Fabio Utzig <utzig@apache.org> Thu May 06 19:56:18 2021 -0300
committer Fabio Utzig <utzig@utzig.org> Thu May 06 21:05:47 2021 -0300
tree ecd84e2c0160f114fbb7b5dea349e46224d3a3b3
parent 74c3bab496fe2ba3e7ed1128b2e06871b9fb4abb

sim: add Mbed TLS EC256 encrypted image support

Add new feature that allows testing EC256 encrypted images using the
Mbed TLS backend.

Move config-ecdsa.h to config-ec.h because definitions are very similar
between ECDSA and ECDH with Mbed TLS so resort to a single config file.

Add new feature and fix the build; add proper Mbed TLS memory
initialization when enc-ec256-mbedtls is used.

Signed-off-by: Fabio Utzig <utzig@apache.org>

boot/zephyr/include/config-ec.h

diff --git a/boot/zephyr/include/config-ecdsa.h b/boot/zephyr/include/config-ec.h
similarity index 97%
rename from boot/zephyr/include/config-ecdsa.h
rename to boot/zephyr/include/config-ec.h
index 6ae1ada..99c5aee 100644
--- a/boot/zephyr/include/config-ecdsa.h
+++ b/boot/zephyr/include/config-ec.h
@@ -53,6 +53,7 @@
 #endif
 
 #define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDH_C
 
 /* mbed TLS modules */
 #define MBEDTLS_ASN1_PARSE_C
@@ -77,7 +78,7 @@
 
 #define MBEDTLS_MPI_MAX_SIZE             32
 
-#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
+#define MBEDTLS_SSL_MAX_CONTENT_LEN      1024
 
 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
 #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8

sim/Cargo.toml

diff --git a/sim/Cargo.toml b/sim/Cargo.toml
index ddf3b88..ea4dcc9 100644
--- a/sim/Cargo.toml
+++ b/sim/Cargo.toml
@@ -18,6 +18,7 @@
 enc-rsa = ["mcuboot-sys/enc-rsa"]
 enc-kw = ["mcuboot-sys/enc-kw"]
 enc-ec256 = ["mcuboot-sys/enc-ec256"]
+enc-ec256-mbedtls = ["mcuboot-sys/enc-ec256-mbedtls"]
 enc-x25519 = ["mcuboot-sys/enc-x25519"]
 bootstrap = ["mcuboot-sys/bootstrap"]
 multiimage = ["mcuboot-sys/multiimage"]

sim/mcuboot-sys/Cargo.toml

diff --git a/sim/mcuboot-sys/Cargo.toml b/sim/mcuboot-sys/Cargo.toml
index 19114f9..ac203f1 100644
--- a/sim/mcuboot-sys/Cargo.toml
+++ b/sim/mcuboot-sys/Cargo.toml
@@ -44,6 +44,9 @@
 # Encrypt image in the secondary slot using ECIES-P256
 enc-ec256 = []
 
+# Encrypt image in the secondary slot using ECIES-P256 using Mbed TLS
+enc-ec256-mbedtls = []
+
 # Encrypt image in the secondary slot using ECIES-X25519
 enc-x25519 = []
 

sim/mcuboot-sys/build.rs

diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs
index 74b19f0..df8c67e 100644
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@@ -21,6 +21,7 @@
     let enc_rsa = env::var("CARGO_FEATURE_ENC_RSA").is_ok();
     let enc_kw = env::var("CARGO_FEATURE_ENC_KW").is_ok();
     let enc_ec256 = env::var("CARGO_FEATURE_ENC_EC256").is_ok();
+    let enc_ec256_mbedtls = env::var("CARGO_FEATURE_ENC_EC256_MBEDTLS").is_ok();
     let enc_x25519 = env::var("CARGO_FEATURE_ENC_X25519").is_ok();
     let bootstrap = env::var("CARGO_FEATURE_BOOTSTRAP").is_ok();
     let multiimage = env::var("CARGO_FEATURE_MULTIIMAGE").is_ok();
@@ -230,6 +231,26 @@
         conf.file("../../ext/tinycrypt/lib/source/ctr_mode.c");
         conf.file("../../ext/tinycrypt/lib/source/hmac.c");
         conf.file("../../ext/tinycrypt/lib/source/ecc_dh.c");
+    } else if enc_ec256_mbedtls {
+        conf.define("MCUBOOT_ENCRYPT_EC256", None);
+        conf.define("MCUBOOT_ENC_IMAGES", None);
+        conf.define("MCUBOOT_USE_MBED_TLS", None);
+        conf.define("MCUBOOT_SWAP_SAVE_ENCTLV", None);
+
+        conf.include("../../ext/mbedtls/crypto/include");
+
+        conf.file("../../boot/bootutil/src/encrypted.c");
+        conf.file("../../ext/mbedtls/crypto/library/sha256.c");
+        conf.file("../../ext/mbedtls/crypto/library/asn1parse.c");
+        conf.file("../../ext/mbedtls/crypto/library/bignum.c");
+        conf.file("../../ext/mbedtls/crypto/library/ecdh.c");
+        conf.file("../../ext/mbedtls/crypto/library/md.c");
+        conf.file("../../ext/mbedtls/crypto/library/aes.c");
+        conf.file("../../ext/mbedtls/crypto/library/ecp.c");
+        conf.file("../../ext/mbedtls/crypto/library/ecp_curves.c");
+        conf.file("../../ext/mbedtls/crypto/library/platform.c");
+        conf.file("../../ext/mbedtls/crypto/library/platform_util.c");
+        conf.file("csupport/keys.c");
     }
 
     if enc_x25519 {
@@ -263,8 +284,8 @@
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa-kw.h>"));
     } else if sig_rsa || sig_rsa3072 || enc_rsa {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-rsa.h>"));
-    } else if sig_ecdsa_mbedtls {
-        conf.define("MBEDTLS_CONFIG_FILE", Some("<config-ecdsa.h>"));
+    } else if sig_ecdsa_mbedtls || enc_ec256_mbedtls {
+        conf.define("MBEDTLS_CONFIG_FILE", Some("<config-ec.h>"));
     } else if (sig_ecdsa || enc_ec256) && !enc_kw {
         conf.define("MBEDTLS_CONFIG_FILE", Some("<config-asn1.h>"));
     } else if sig_ed25519 || enc_x25519 {

sim/mcuboot-sys/csupport/run.c

diff --git a/sim/mcuboot-sys/csupport/run.c b/sim/mcuboot-sys/csupport/run.c
index 0133262..2bea140 100644
--- a/sim/mcuboot-sys/csupport/run.c
+++ b/sim/mcuboot-sys/csupport/run.c
@@ -231,7 +231,8 @@
     struct boot_loader_state *state;
 
 #if defined(MCUBOOT_SIGN_RSA) || \
-    (defined(MCUBOOT_SIGN_EC256) && defined(MCUBOOT_USE_MBED_TLS))
+    (defined(MCUBOOT_SIGN_EC256) && defined(MCUBOOT_USE_MBED_TLS)) ||\
+    (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS))
     mbedtls_platform_set_calloc_free(calloc, free);
 #endif