zephyr: migrate signature type to Kconfig
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.
This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.
Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)
We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.
To move to a single prj.conf:
- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
depending on the case
This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.
Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
diff --git a/boot/zephyr/keys.c b/boot/zephyr/keys.c
index 56b78df..467a0a1 100644
--- a/boot/zephyr/keys.c
+++ b/boot/zephyr/keys.c
@@ -19,7 +19,17 @@
#include <bootutil/sign_key.h>
+/*
+ * Even though this is in principle a Zephyr-specific file, the
+ * simulator builds it and uses it as well. Because of that, we can't
+ * use Kconfig symbols for key types, and have to rely on the MCUBoot
+ * symbols (which Zephyr provides via this header, and the simulator
+ * provides via the compiler command line).
+ */
+#include <mcuboot_config/mcuboot_config.h>
+
#if defined(MCUBOOT_SIGN_RSA)
+#define HAVE_KEYS
const unsigned char root_pub_der[] = {
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd1, 0x06, 0x08,
0x1a, 0x18, 0x44, 0x2c, 0x18, 0xe8, 0xfb, 0xfd, 0xf7, 0x0d, 0xa3, 0x4f,
@@ -47,6 +57,7 @@
};
const unsigned int root_pub_der_len = 270;
#elif defined(MCUBOOT_SIGN_EC256)
+#define HAVE_KEYS
const unsigned char root_pub_der[] = {
0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
@@ -65,7 +76,7 @@
#error "No public key available for given signing algorithm."
#endif
-#if defined(MCUBOOT_SIGN_RSA) || defined(MCUBOOT_SIGN_EC256)
+#if defined(HAVE_KEYS)
const struct bootutil_key bootutil_keys[] = {
{
.key = root_pub_der,