Generalize SHA256 code to allow tinycrypt support
When building with ECDSA P-256 as the signature algorithm, we are still
bringing in SHA256 and some ASN.1 code from mbed TLS. Fix part of this
by wrapping the hash functions with general routines (inline functions)
allowing to select between mbed TLS and Tinycrypt for the
implementation.
Update the Zephyr config files so that the Tinycrypt version is used
when building the ECDSA P-256 signing variant.
diff --git a/boot/bootutil/include/bootutil/sha256.h b/boot/bootutil/include/bootutil/sha256.h
new file mode 100644
index 0000000..9bc366c
--- /dev/null
+++ b/boot/bootutil/include/bootutil/sha256.h
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*
+ * This module provides a thin abstraction over some of the crypto
+ * primitives to make it easier to swap out the used crypto library.
+ *
+ * At this point, there are two choices: BOOTUTIL_USE_MBED_TLS, or
+ * BOOTUTIL_USE_TINYCRYPT. It is a compile error there is not exactly
+ * one of these defined.
+ */
+
+#ifndef __BOOTUTIL_CRYPTO_H_
+#define __BOOTUTIL_CRYPTO_H_
+
+#if defined(BOOTUTIL_USE_MBED_TLS) && defined(BOOTUTIL_USE_TINYCRYPT)
+ #error "Cannot define both MBED_TLS and TINYCRYPT"
+#endif
+
+#if !defined(BOOTUTIL_USE_MBED_TLS) && !defined(BOOTUTIL_USE_TINYCRYPT)
+ #error "One of MBED_TLS or TINYCRYPT must be defined"
+#endif
+
+#ifdef BOOTUTIL_USE_MBED_TLS
+ #include <mbedtls/sha256.h>
+#endif /* BOOTUTIL_USE_MBED_TLS */
+
+#ifdef BOOTUTIL_USE_TINYCRYPT
+ #include <tinycrypt/sha256.h>
+#endif /* BOOTUTIL_USE_TINYCRYPT */
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef BOOTUTIL_USE_MBED_TLS
+typedef mbedtls_sha256_context bootutil_sha256_context;
+
+static inline void bootutil_sha256_init(bootutil_sha256_context *ctx)
+{
+ mbedtls_sha256_init(ctx);
+ mbedtls_sha256_starts(ctx, 0);
+}
+
+static inline void bootutil_sha256_update(bootutil_sha256_context *ctx,
+ const void *data,
+ uint32_t data_len)
+{
+ mbedtls_sha256_update(ctx, data, data_len);
+}
+
+static inline void bootutil_sha256_finish(bootutil_sha256_context *ctx,
+ uint8_t *output)
+{
+ mbedtls_sha256_finish(ctx, output);
+}
+#endif /* BOOTUTIL_USE_MBED_TLS */
+
+#ifdef BOOTUTIL_USE_TINYCRYPT
+typedef struct tc_sha256_state_struct bootutil_sha256_context;
+static inline void bootutil_sha256_init(bootutil_sha256_context *ctx)
+{
+ tc_sha256_init(ctx);
+}
+
+static inline void bootutil_sha256_update(bootutil_sha256_context *ctx,
+ const void *data,
+ uint32_t data_len)
+{
+ tc_sha256_update(ctx, data, data_len);
+}
+
+static inline void bootutil_sha256_finish(bootutil_sha256_context *ctx,
+ uint8_t *output)
+{
+ tc_sha256_final(output, ctx);
+}
+#endif /* BOOTUTIL_USE_TINYCRYPT */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __BOOTUTIL_SIGN_KEY_H_ */
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index c8ee2d6..0e78407 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -26,9 +26,9 @@
#include "hal/hal_flash.h"
#include "flash_map/flash_map.h"
#include "bootutil/image.h"
+#include "bootutil/sha256.h"
#include "bootutil/sign_key.h"
-#include "mbedtls/sha256.h"
#if MYNEWT_VAL(BOOTUTIL_SIGN_RSA)
#include "mbedtls/rsa.h"
#endif
@@ -47,19 +47,18 @@
uint8_t *tmp_buf, uint32_t tmp_buf_sz,
uint8_t *hash_result, uint8_t *seed, int seed_len)
{
- mbedtls_sha256_context sha256_ctx;
+ bootutil_sha256_context sha256_ctx;
uint32_t blk_sz;
uint32_t size;
uint32_t off;
int rc;
- mbedtls_sha256_init(&sha256_ctx);
- mbedtls_sha256_starts(&sha256_ctx, 0);
+ bootutil_sha256_init(&sha256_ctx);
/* in some cases (split image) the hash is seeded with data from
* the loader image */
if(seed && (seed_len > 0)) {
- mbedtls_sha256_update(&sha256_ctx, seed, seed_len);
+ bootutil_sha256_update(&sha256_ctx, seed, seed_len);
}
size = hdr->ih_img_size + hdr->ih_hdr_size;
@@ -78,9 +77,9 @@
if (rc) {
return rc;
}
- mbedtls_sha256_update(&sha256_ctx, tmp_buf, blk_sz);
+ bootutil_sha256_update(&sha256_ctx, tmp_buf, blk_sz);
}
- mbedtls_sha256_finish(&sha256_ctx, hash_result);
+ bootutil_sha256_finish(&sha256_ctx, hash_result);
return 0;
}
diff --git a/boot/zephyr/include/config-asn1.h b/boot/zephyr/include/config-asn1.h
index e772ceb..25d33fb 100644
--- a/boot/zephyr/include/config-asn1.h
+++ b/boot/zephyr/include/config-asn1.h
@@ -40,7 +40,7 @@
// #define MBEDTLS_BIGNUM_C
// #define MBEDTLS_MD_C
// #define MBEDTLS_OID_C
-#define MBEDTLS_SHA256_C
+// #define MBEDTLS_SHA256_C
#include "mbedtls/check_config.h"
diff --git a/boot/zephyr/prj-p256.conf b/boot/zephyr/prj-p256.conf
index a3cf7c0..5bea3d0 100644
--- a/boot/zephyr/prj-p256.conf
+++ b/boot/zephyr/prj-p256.conf
@@ -9,6 +9,7 @@
CONFIG_MBEDTLS_CFG_FILE="config-asn1.h"
CONFIG_TINYCRYPT=y
CONFIG_TINYCRYPT_ECC_DSA=y
+CONFIG_TINYCRYPT_SHA256=y
### mbedTLS wants a heap
CONFIG_HEAP_MEM_POOL_SIZE=16384