TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / f4e904d4beee1645a01e0cec87350e025e5c3a0f
commitf4e904d4beee1645a01e0cec87350e025e5c3a0f[log] [tgz]
authorDavid Brown <david.brown@linaro.org>Wed May 31 13:21:39 2017 -0600
committerDavid Brown <david.brown@linaro.org>Tue Jun 13 16:02:48 2017 -0400
treeaab2e4505a231a9eba7c02bb0e09a8a71263dba0
parent85d879f195f23f6a8daa0c09957a01f887e96d72 [diff]
rsa: Add support for RSA-PSS

The PKCS#1 standards, which define RSA signatures, are currently at
version 2.2.  Starting in v2.1, the standard defines a new signature
method RSA-PSS, which has a stronger security proof than the signature
method used in earlier versions.  The standard recommends that RSA-PSS
be used in new designs, instead of the older algorithm.

This patch implements RSA-PSS verification for a specific set of
parameters:

    - RSA-2048
    - SHA256 for both the message digest and the internal hash
    - 32-byte salt
    - 2047 bit message

Although RSA-PSS supports other parameters, due to size constraints,
this verificatino code only supports these specific parameters, and
signatures with other parameters will be considered invalid.

To encourage the use of the more secure algorithm, the default build
configuration is RSA-PSS.  BOOTUTIL_RSA_PKCS1_15 needs to be defined in
order to support the older signature algorithm.
5 files changed
tree: aab2e4505a231a9eba7c02bb0e09a8a71263dba0
  1. boot/
  2. doc/
  3. imgtool/
  4. scripts/
  5. sim/
  6. .gitignore
  7. .travis.yml
  8. build_boot.sh
  9. Makefile
  10. project.yml
  11. README-zephyr.rst
  12. README.md
  13. repository.yml
  14. root-ec-p256.pem
  15. root-rsa-2048.pem
  16. sign.sh
README.md

mcuboot

Overview

MCUBoot is a secure bootloader for 32-bit MCUs. The goal of MCUBoot is to define a common infrastructure for the bootloader, system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade.

MCUboot is operating system and hardware independent, and relies on hardware porting layers from the operating system it works with. Currently mcuboot works with both the Apache Mynewt, and Zephyr operating systems, but more ports are planned in the future.

Roadmap

The MCUBoot project was originally taken from the Apache Mynewt operating system, which had secure boot and software upgrade functionality instrinsic to it. Currently development is heads down on a first release of MCUboot that works across both the Zephyr operating system and Apache Mynewt operating system.

For more information on what's being planned, and worked on, please visit:

https://runtimeco.atlassian.net/projects/MCUB/summary

Browsing

Information and documentation on the bootloader is stored within the source, and on confluence:

https://runtimeco.atlassian.net/wiki/discover/all-updates

For more information in the source, here are some pointers:

  • boot/bootutil: The core of the bootloader itself.
  • boot/boot_serial: Support for serial upgrade within the bootloader itself.
  • boot/zephyr: Port of the bootloader to Zephyr
  • imgtool: A tool to securely sign firmware images for booting by mcuboot.
  • sim: A bootloader simulator for testing and regression

Joining

Developers welcome! To join in the discussion, please join the developer mailing list:

http://lists.runtime.co/mailman/listinfo/dev-mcuboot_lists.runtime.co