Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bl_*: Add ED25519 support for nRF54L15 #19159

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

bl_*: Add ED25519 support for nRF54L15 #19159

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
355a500
bootloader: bl_crypto: Add PSA SHA512 support
nordicjm Nov 29, 2024
9ebb9ca
bootloader: bl_crypto: Add support for PSA ED25519 signatures
nordicjm Nov 29, 2024
f92e412
bootloader: bl_validation: Make public key and hash optional
nordicjm Nov 29, 2024
fb2a97c
sysbuild: Add support for selecting b0 hash/signature types
nordicjm Nov 29, 2024
d497e07
samples: bootloader: Add nrf54l15dk configuration
nordicjm Nov 29, 2024
137d441
include: bl_crypto: Fix wrong order of parameters
nordicjm Nov 29, 2024
17255a6
fw_info: Fix AT LEAST with underscore
nordicjm Nov 29, 2024
8bdf8af
tests: bootloader: bl_validation: Select Kconfig for sha256
nordicjm Dec 3, 2024
6eb637f
bootloader: bl_crypto: Change wrong comments
nordicjm Dec 3, 2024
6b35112
bootloader: Increase default nRF54L15 partition size
nordicjm Dec 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions cmake/sysbuild/debug_keys.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,20 @@

string(REPLACE "," ";" PUBLIC_KEY_FILES_LIST "${SB_CONFIG_SECURE_BOOT_PUBLIC_KEY_FILES}")

if(SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519)
set(keygen_algorithm --algorithm ed25519)
else()
set(keygen_algorithm)
endif()

set(PRIV_CMD
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/keygen.py --private
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/keygen.py --private ${keygen_algorithm}
)

set(PUB_CMD
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/keygen.py --public
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/keygen.py --public ${keygen_algorithm}
)

# Check if PEM file is specified by user, if not, create one a debug key
Expand Down
6 changes: 4 additions & 2 deletions cmake/sysbuild/provision_hex.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,19 +67,21 @@ function(provision application prefix_name)
set(partition_manager_target partition_manager_CPUNET)
set(s0_arg --s0-addr $<TARGET_PROPERTY:${partition_manager_target},PM_APP_ADDRESS>)
set(s1_arg)
set(cpunet_target y)
else()
set(partition_manager_target partition_manager)
set(s0_arg --s0-addr $<TARGET_PROPERTY:${partition_manager_target},PM_S0_ADDRESS>)
set(s1_arg --s1-addr $<TARGET_PROPERTY:${partition_manager_target},PM_S1_ADDRESS>)
set(cpunet_target n)
endif()

if(SB_CONFIG_SECURE_BOOT_DEBUG_NO_VERIFY_HASHES)
set(no_verify_hashes_arg --no-verify-hashes)
endif()

b0_sign_image(${application})
b0_sign_image(${application} ${cpunet_target})
if(NOT (CONFIG_SOC_NRF5340_CPUNET OR "${domain}" STREQUAL "CPUNET") AND SB_CONFIG_SECURE_BOOT_BUILD_S1_VARIANT_IMAGE)
b0_sign_image("s1_image")
b0_sign_image("s1_image" n)
endif()
endif()

Expand Down
141 changes: 103 additions & 38 deletions cmake/sysbuild/sign.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,17 @@ function(b0_gen_keys)
set(SIGNATURE_PUBLIC_KEY_FILE ${GENERATED_PATH}/public.pem)
set(SIGNATURE_PUBLIC_KEY_FILE ${GENERATED_PATH}/public.pem PARENT_SCOPE)

if(SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519)
set(keygen_algorithm --algorithm ed25519)
else()
set(keygen_algorithm)
endif()

if(SB_CONFIG_SECURE_BOOT_SIGNING_PYTHON)
set(PUB_GEN_CMD
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/keygen.py
--public
--public ${keygen_algorithm}
--in ${SIGNATURE_PRIVATE_KEY_FILE}
--out ${SIGNATURE_PUBLIC_KEY_FILE}
)
Expand Down Expand Up @@ -66,7 +72,7 @@ function(b0_gen_keys)
)
endfunction()

function(b0_sign_image slot)
function(b0_sign_image slot cpunet_target)
set(GENERATED_PATH ${CMAKE_BINARY_DIR}/nrf/subsys/bootloader/generated)

# Get variables for secure boot usage
Expand Down Expand Up @@ -104,6 +110,7 @@ function(b0_sign_image slot)
sysbuild_get(${slot}_crypto_id IMAGE ${slot} VAR CONFIG_SB_VALIDATION_INFO_CRYPTO_ID KCONFIG)
sysbuild_get(${slot}_validation_offset IMAGE ${slot} VAR CONFIG_SB_VALIDATION_METADATA_OFFSET KCONFIG)

set(slot_bin ${${slot}_image_dir}/zephyr/${${slot}_kernel_name}.bin)
set(slot_hex ${${slot}_image_dir}/zephyr/${${slot}_kernel_name}.hex)
set(sign_depends ${${slot}_image_dir}/zephyr/${${slot}_kernel_name}.elf)
set(target_name ${slot})
Expand All @@ -119,6 +126,7 @@ function(b0_sign_image slot)
sysbuild_get(${slot}_crypto_id IMAGE ${target_name} VAR CONFIG_SB_VALIDATION_INFO_CRYPTO_ID KCONFIG)
sysbuild_get(${slot}_validation_offset IMAGE ${target_name} VAR CONFIG_SB_VALIDATION_METADATA_OFFSET KCONFIG)

set(slot_bin ${${target_name}_image_dir}/zephyr/${${target_name}_kernel_name}.bin)
set(slot_hex ${${target_name}_image_dir}/zephyr/${${target_name}_kernel_name}.hex)
set(sign_depends ${target_name} ${${target_name}_image_dir}/zephyr/${${target_name}_kernel_name}.elf)
else()
Expand All @@ -133,36 +141,70 @@ function(b0_sign_image slot)
"This value of SB_VALIDATION_INFO_CRYPTO_ID is not supported")
endif()

set(to_sign ${slot_hex})
set(hash_file ${GENERATED_PATH}/${slot}_firmware.sha256)
set(signature_file ${GENERATED_PATH}/${slot}_firmware.signature)

set(hash_cmd
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/hash.py
--in ${to_sign}
> ${hash_file}
)
if(cpunet_target)
set(config_addition NETCORE)
else()
set(config_addition APPCORE)
endif()

if(SB_CONFIG_SECURE_BOOT_${config_addition}_HASH_TYPE_NONE)
set(hash_file ${slot_bin})
set(to_sign ${slot_hex})
elseif(SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519)
set(hash_file ${GENERATED_PATH}/${slot}_firmware.sha512)
set(hash_cmd_type --type sha512)
set(sign_cmd_hash_type sha512)
elseif(SB_CONFIG_SECURE_BOOT_HASH_TYPE_SHA256)
set(hash_file ${GENERATED_PATH}/${slot}_firmware.sha256)
set(hash_cmd_type)
set(sign_cmd_hash_type sha256)
endif()

if(sign_cmd_hash_type)
set(to_sign ${slot_hex})
set(hash_cmd
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/hash.py
--in ${to_sign} ${hash_cmd_type}
> ${hash_file}
)
endif()

if(SB_CONFIG_SECURE_BOOT_SIGNING_PYTHON)
if(SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519)
set(sign_cmd_signature_type --algorithm ed25519)
else()
set(sign_cmd_signature_type)
endif()

set(sign_cmd
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/do_sign.py
--private-key ${SIGNATURE_PRIVATE_KEY_FILE}
--in ${hash_file}
--in ${hash_file} ${sign_cmd_signature_type}
> ${signature_file}
)
elseif(SB_CONFIG_SECURE_BOOT_SIGNING_OPENSSL)
set(sign_cmd
openssl dgst
-sha256
-sign ${SIGNATURE_PRIVATE_KEY_FILE} ${hash_file} |
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/asn1parse.py
--alg ecdsa
--contents signature
> ${signature_file}
)
if(SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519)
set(sign_cmd
openssl pkeyutl -sign -inkey ${SIGNATURE_PRIVATE_KEY_FILE} -rawin -in ${hash_file} > ${signature_file} &&
openssl pkeyutl -verify -pubin -inkey ${SIGNATURE_PRIVATE_KEY_FILE} -rawin -in ${hash_file} -sigfile ${signature_file}
)
else()
set(sign_cmd
openssl dgst
-${sign_cmd_hash_type}
-sign ${SIGNATURE_PRIVATE_KEY_FILE} ${hash_file} |
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/asn1parse.py
--alg ecdsa
--contents signature
> ${signature_file}
)
endif()

elseif(SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM)
set(custom_sign_cmd "${SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND}")
string(CONFIGURE "${custom_sign_cmd}" custom_sign_cmd)
Expand All @@ -177,22 +219,39 @@ function(b0_sign_image slot)
message(WARNING "Unable to parse signing config.")
endif()

add_custom_command(
OUTPUT
${signature_file}
COMMAND
${hash_cmd}
COMMAND
${sign_cmd}
DEPENDS
${sign_depends}
WORKING_DIRECTORY
${PROJECT_BINARY_DIR}
COMMENT
"Creating signature of application"
USES_TERMINAL
COMMAND_EXPAND_LISTS
)
if(sign_cmd_hash_type)
add_custom_command(
OUTPUT
${signature_file}
COMMAND
${hash_cmd}
COMMAND
${sign_cmd}
DEPENDS
${sign_depends}
WORKING_DIRECTORY
${PROJECT_BINARY_DIR}
COMMENT
"Creating signature of application"
USES_TERMINAL
COMMAND_EXPAND_LISTS
)
else()
add_custom_command(
OUTPUT
${signature_file}
COMMAND
${sign_cmd}
DEPENDS
${sign_depends}
WORKING_DIRECTORY
${PROJECT_BINARY_DIR}
COMMENT
"Creating signature of application"
USES_TERMINAL
COMMAND_EXPAND_LISTS
)
endif()

add_custom_target(
${slot}_signature_file_target
Expand All @@ -204,14 +263,20 @@ function(b0_sign_image slot)
cmake_path(GET to_sign FILENAME to_sign_filename)
set(validation_comment "Creating validation for ${to_sign_filename}, storing to ${signed_hex_filename}")

if(SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519)
set(validation_signature_cmd --algorithm ed25519)
else()
set(validation_signature_cmd)
endif()

add_custom_command(
OUTPUT
${signed_hex}
${signed_bin}
COMMAND
${PYTHON_EXECUTABLE}
${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/validation_data.py
--input ${to_sign}
--input ${to_sign} ${validation_signature_cmd}
--output-hex ${signed_hex}
--output-bin ${signed_bin}
--offset ${${slot}_validation_offset}
Expand Down
Loading