Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bl_*: Add ED25519 support for nRF54L15 #19159

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

bl_*: Add ED25519 support for nRF54L15 #19159

wants to merge 10 commits into from

Conversation

nordicjm
Copy link
Contributor

@nordicjm nordicjm commented Nov 29, 2024
edited by fundakol
Loading

Adds support for ED25519 and SHA512, enables ED25519 by default on nRF54L15. Includes #18959

Requires child/parent support be removed first

test_boot: ed25519-tests

@nordicjm nordicjm requested review from a team as code owners November 29, 2024 12:01
@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Nov 29, 2024
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Nov 29, 2024
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 20

Inputs:

Sources:

sdk-nrf: PR head: 6b35112223d072363f5529237cead54a0f087744

more details

sdk-nrf:

PR head: 6b35112223d072363f5529237cead54a0f087744
merge base: 82d3d2677adf85c5b9645b34f69e787fb25ff2f3
target head (main): cb7eeac725130b0a50981bce4f65405656c4a644
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (17) 
cmake
│  ├── sysbuild
│  │  ├── debug_keys.cmake
│  │  ├── provision_hex.cmake
│  │  │ sign.cmake
include
│  │ bl_crypto.h
samples
│  ├── bootloader
│  │  ├── boards
│  │  │  │ nrf54l15dk_nrf54l15_cpuapp.conf
subsys
│  ├── bootloader
│  │  ├── Kconfig
│  │  ├── bl_crypto
│  │  │  ├── CMakeLists.txt
│  │  │  ├── Kconfig
│  │  │  ├── bl_crypto.c
│  │  │  ├── bl_crypto_ed25519.c
│  │  │  │ bl_crypto_sha512.c
│  │  ├── bl_validation
│  │  │  ├── Kconfig
│  │  │  │ bl_validation.c
│  ├── fw_info
│  │  │ Kconfig.template.fw_info_ext_api
sysbuild
│  ├── CMakeLists.txt
│  │ Kconfig.secureboot
tests
│  ├── subsys
│  │  ├── bootloader
│  │  │  ├── bl_validation
│  │  │  │  │ prj.conf

Outputs:

Toolchain

Version: 342151af73
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:342151af73_912848a074

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
  • ❌ Integration tests
    • ✅ test-sdk-audio - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ desktop52_verification - Skipped: Job was skipped as it succeeded in a previous run
    • ❌ test-fw-nrfconnect-boot
    • ❌ test-fw-nrfconnect-apps
    • ✅ test_ble_nrf_config
    • ✅ test-fw-nrfconnect-ble_mesh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-chip - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nfc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_libmodem-nrf - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_serial_lte_modem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ doc-internal - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91 - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_crypto - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rpc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rs
    • ✅ test-fw-nrfconnect-fem
    • ✅ test-fw-nrfconnect-tfm - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-thread - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-zigbee - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-find-my - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_mosh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_positioning - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-sidewalk - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-wifi - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-low-level - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-pmic-samples
    • ❌ test-sdk-mcuboot
    • ✅ test-sdk-dfu - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ps - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-secdom-samples-public - Skipped: Job was skipped as it succeeded in a previous run
    • ⚠️ test-fw-nrfconnect-fw-update
    • ⚠️ test-fw-nrfconnect-nrf-iot_cloud

Note: This message is automatically posted and updated by the CI

@NordicBuilder
Copy link
Contributor

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publish GitHub Action.

@nordicjm nordicjm force-pushed the ed25519nsibpr branch 10 times, most recently from 1439d7e to c2812fd Compare December 4, 2024 10:27
@nordicjm nordicjm requested a review from a team as a code owner December 4, 2024 10:27
@nordicjm nordicjm force-pushed the ed25519nsibpr branch 3 times, most recently from c907725 to 4f7f146 Compare December 4, 2024 11:41
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Dec 4, 2024
edited
Loading

Memory footprint analysis revealed the following potential issues

sample.matter.template.debug[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 912202[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)
sample.matter.template.release[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 821126[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-19159/20)

@nordicjm nordicjm added this to the 3.0.0 milestone Dec 5, 2024
de-nordic
de-nordic reviewed Dec 5, 2024
View reviewed changes
subsys/bootloader/bl_crypto/Kconfig
Comment on lines +134 to +158
select PSA_WANT_ALG_PURE_EDDSA
select PSA_WANT_ECC_TWISTED_EDWARDS_255
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have these probably selected for SHA512 in MCUboot but they should not be needed, they are just required by ED25519, sha itself does not need them.
As far as I understand we are using KMU here so the _IMPORT should not be needed at all.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Kconfig is actually not used

nvlsianpu
nvlsianpu reviewed Dec 16, 2024
View reviewed changes
Copy link
Contributor

@nvlsianpu nvlsianpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note for me
sysbuild: Add support for selecting b0 hash/signature types

include/bl_crypto.h
#endif


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unwanted newline

sysbuild/Kconfig.secureboot

config SECURE_BOOT_APPCORE_SUPPORTED_HASH_HARDWARE
bool
default y if SECURE_BOOT_HASH_TYPE_SHA256 && (SOC_SERIES_NRF91X || SOC_NRF52840)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be ...&& HAS_HW_NRF_CC310

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No such Kconfig in a sysbuild context, there is no devicetree

sysbuild/Kconfig.secureboot

config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
bool
default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91X || SOC_NRF52840)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as above

nvlsianpu
nvlsianpu reviewed Dec 17, 2024
View reviewed changes
sysbuild/Kconfig.secureboot
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not to be fixed by this PR:
I'm start thinking about misleading of the secure_boot name. It's NSIB under the hood. Also SB acronym is used elsewhere.
MCUboot is also another bootloader which also can be claimed to be secure bootloader - which might cause some concerns around the name.
Probably it's no time of today to change this.

@nordicjm
bootloader: bl_crypto: Add PSA SHA512 support
355a500 
Adds support for using SHA512 signatures using PSA crypto

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
bootloader: bl_crypto: Add support for PSA ED25519 signatures
9ebb9ca 
Adds support for ED25519 signatures using PSA crypto

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
bootloader: bl_validation: Make public key and hash optional
f92e412 
Makes these fields optional for configurations where they are
not needed

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
sysbuild: Add support for selecting b0 hash/signature types
fb2a97c 
Adds support for allowing the hash and signature type to be
selected, and adds support for ED25519 on nrf54l15

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
samples: bootloader: Add nrf54l15dk configuration
d497e07 
Adds a default configuration file which uses ED25519 with KMU
support

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
include: bl_crypto: Fix wrong order of parameters
137d441 
The parameters listed are wrong

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
fw_info: Fix AT LEAST with underscore
17255a6 
Prevents compliance from complaining

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
tests: bootloader: bl_validation: Select Kconfig for sha256
8bdf8af 
Selects the Kconfig to enable the hash field be present in the
output

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
bootloader: bl_crypto: Change wrong comments
6eb637f 
The comments for no SHA256 and no secp256r1 wrongly stated that
these are disabled, this however is not true, the fields are
accessed and must still be present, therefore explain that whilst
they might not be checked, they are still required to be present

Signed-off-by: Jamie McCrae <[email protected]>
@nordicjm
bootloader: Increase default nRF54L15 partition size
6b35112 
Increases the size to account for the larger image which has
CRACEN support

Signed-off-by: Jamie McCrae <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@de-nordic de-nordic de-nordic left review comments

@nvlsianpu nvlsianpu nvlsianpu left review comments

@tejlmand tejlmand tejlmand approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added.
Projects
None yet
Milestone
3.0.0
Development

Successfully merging this pull request may close these issues.
5 participants
@nordicjm @NordicBuilder @tejlmand @nvlsianpu @de-nordic