[nrf noup] Added BOOT_SIGNATURE_USING_ITS for ecdsa configuration

This configuration has the purpose of using keys provisioned
to the internal trusted storage (ITS). It makes use of the
already existing parts of code for MCUBOOT_BUILTIN_KEY

Signed-off-by: Artur Hadasz <[email protected]>

Author: ahasztag

boot/bootutil/include/bootutil/crypto/ecdsa.h

@@ -473,6 +473,7 @@ static int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
 }
 #endif /* !MCUBOOT_BUILTIN_KEY */
 
+#if !defined(CONFIG_NRF_BOOT_SIGNATURE_USING_ITS)
 /* Verify the signature against the provided hash. The signature gets parsed from
  * the encoding first, then PSA Crypto has a dedicated API for ECDSA verification
  */
@@ -491,6 +492,55 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
     return (int) psa_verify_hash(ctx->key_id, PSA_ALG_ECDSA(ctx->required_algorithm),
                                  hash, hlen, reformatted_signature, 2*ctx->curve_byte_count);
 }
+#else /* !CONFIG_NRF_BOOT_SIGNATURE_USING_ITS */
+
+static const psa_key_id_t builtin_key_ids[] =  {
+    0x40022100,
+    0x40022101,
+    0x40022102,
+    0x40022103
+};
+
+#define BOOT_SIGNATURE_BUILTIN_KEY_SLOTS ARRAY_SIZE(builtin_key_ids)
+
+static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
+                                        uint8_t *pk, size_t pk_len,
+                                        uint8_t *hash, size_t hlen,
+                                        uint8_t *sig, size_t slen)
+{
+    (void)pk;
+    (void)pk_len;
+    (void)slen;
+    psa_status_t status = PSA_ERROR_BAD_STATE;
+
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        BOOT_LOG_ERR("PSA crypto init failed %d", status);
+        return 1;
+    }
+
+    uint8_t reformatted_signature[96] = {0}; /* Enough for P-384 signature sizes */
+    parse_signature_from_rfc5480_encoding(sig, ctx->curve_byte_count, reformatted_signature);
+
+    status = PSA_ERROR_BAD_STATE;
+
+    for (int i = 0; i < BOOT_SIGNATURE_BUILTIN_KEY_SLOTS; ++i) {
+        psa_key_id_t kid = builtin_key_ids[i];
+
+        status = psa_verify_hash(kid, PSA_ALG_ECDSA(ctx->required_algorithm),
+                                 hash, hlen, reformatted_signature, 2*ctx->curve_byte_count);
+        if (status == PSA_SUCCESS) {
+            break;
+        }
+        BOOT_LOG_ERR("ECDSA signature verification failed %d", status);
+    }
+
+    return status == PSA_SUCCESS ? 0 : 2;
+}
+
+#endif /* !CONFIG_NRF_BOOT_SIGNATURE_USING_ITS */
+
 #elif defined(MCUBOOT_USE_MBED_TLS)
 
 typedef mbedtls_ecdsa_context bootutil_ecdsa_context;

boot/bootutil/src/image_validate.c

@@ -514,7 +514,8 @@ bootutil_img_validate(struct boot_loader_state *state,
 #endif
                      )
 {
-#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) || defined(MCUBOOT_DECOMPRESS_IMAGES)
+#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) || defined(MCUBOOT_DECOMPRESS_IMAGES) \
+    || defined(MCUBOOT_BUILTIN_KEY)
     int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state));
 #endif
     uint32_t off;

boot/zephyr/Kconfig

@@ -422,7 +422,14 @@ config BOOT_KMU_KEYS_REVOCATION
 	help
 	  Enabling KMU key revocation backend.
 
-if !BOOT_SIGNATURE_USING_KMU
+config NRF_BOOT_SIGNATURE_USING_ITS
+	bool "Use ITS stored keys for signature verification"
+	depends on NRF_SECURITY
+	help
+	  MCUboot will use keys provisioned to the internal trusted storage for signature
+	  verification instead of compiling in key data from a file.
+
+if !BOOT_SIGNATURE_USING_KMU && !NRF_BOOT_SIGNATURE_USING_ITS
 
 config BOOT_SIGNATURE_KEY_FILE
 	string "PEM key file"

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -68,6 +68,10 @@
 #define MCUBOOT_HW_KEY
 #endif
 
+#ifdef CONFIG_NRF_BOOT_SIGNATURE_USING_ITS
+#define MCUBOOT_BUILTIN_KEY
+#endif
+
 #ifdef CONFIG_BOOT_VALIDATE_SLOT0
 #define MCUBOOT_VALIDATE_PRIMARY_SLOT
 #endif