adds PureEdDSA where image signature is calculated over image directly, rather than hash
adds support for calculating sha directly on storage, rather than loading chunks to memory
Note that mentioned below Kconfig options have proper MCUBOOT_ identifiers in code, but it is easier to communicate change by using them in examples.
Both commits provide support only on devices that are within address space.
There is possibility to extend both commits to work with external devices via features like XIP, where external device can be mapped to internal address space, but this is not approached here.
The PureEdDSA change adds TLV that marks the image as signed with Pure signature and logic in MCUboot that rejects images without the TLV, when expected by MCUboot. The change also slightly improves security of devices, specifically if the verification can be done by dedicated coprocessor.
Both solutions slightly improve performance as they cut on additional processing.
In case when the sha512 is enabled with ed25519, the size of ROM, as build for the nrf52840dk, drops from 40486 to 39414, but there is visible slowdown in boot; for the sha256 the command line was:
west build -d builds/sha_on_board_256 -b nrf52840dk/nrf52840 bootloader/mcuboot/boot/zephyr/ -DCONFIG_BOOT_SIGNATURE_TYPE_ED25519=y -DCONFIG_BOOT_ED25519_TINYCRYPT=y -DCONFIG_BOOT_IMG_HASH_ALG_SHA256=y
for the 512, the change was in the last config:
west build -d builds/sha_on_board_512 -b nrf52840dk/nrf52840 bootloader/mcuboot/boot/zephyr/ -DCONFIG_BOOT_SIGNATURE_TYPE_ED25519=y -DCONFIG_BOOT_ED25519_TINYCRYPT=y -DCONFIG_BOOT_IMG_HASH_ALG_SHA512=y
Enabling the option CONFIG_MCUBOOT_HASH_STORAGE_DIRECTLY, that comes with second commit, reduces code by another ~50 bytes.
Enabling the CONFIG_BOOT_SIGNATURE_TYPE_PURE, provided by the third commit, shaves off additional ~150 bytes.
While SHA directly on device and in RAM works with the same image signed for specified sha, the PureEdDSA requires special signature processing via imgtool and lacks HASH TLV.
de-nordic
commented
20 hours ago
Three commits:
Note that mentioned below Kconfig options have proper MCUBOOT_ identifiers in code, but it is easier to communicate change by using them in examples.
Both commits provide support only on devices that are within address space. There is possibility to extend both commits to work with external devices via features like XIP, where external device can be mapped to internal address space, but this is not approached here.
The PureEdDSA change adds TLV that marks the image as signed with Pure signature and logic in MCUboot that rejects images without the TLV, when expected by MCUboot. The change also slightly improves security of devices, specifically if the verification can be done by dedicated coprocessor.
Both solutions slightly improve performance as they cut on additional processing.
The PureEdDSA commit requires imgtool change: https://github.com/mcu-tools/mcuboot/pull/2063
Notes on stats:
for the 512, the change was in the last config:
Enabling the option
CONFIG_MCUBOOT_HASH_STORAGE_DIRECTLY, that comes with second commit, reduces code by another ~50 bytes.Enabling the
CONFIG_BOOT_SIGNATURE_TYPE_PURE, provided by the third commit, shaves off additional ~150 bytes.While SHA directly on device and in RAM works with the same image signed for specified sha, the PureEdDSA requires special signature processing via imgtool and lacks HASH TLV.