-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EC256 encryption is broken when building MCUboot for Zephyr #1758
Comments
@de-nordic When I'm building with west and Is it the same error that you encountered? |
I was building for the |
Regarding the Mbed TLS builds nobody probably bothers, I do not even think people try to figure out whether Mbed TLS or TinyCrypt will be used because it is hard to figure out which encryption/signature will compile with which library.
that happens with TinyCrypt not Mbed TLS, which the combination of options disable. That was one of the issues I have mentioned - configuration requires magic skills: if you have preferred lib, or it is provided by system anyway, it is hard impossible to figure out combination of options to build. And it is not possible to have mix, maybe somebody would like for some reason, where you have ECB encryption and RSA signature because then you have lib collision. |
I already thought about a feature matrix in the documentation, but an automatic config check would be much better.
Yes, I saw that from the CMake files... that it uses TinyCrypt for ECDSA and MbedTLS for RSA. I think it's not documented.
Is it the |
The problem with
Not only. There is ifdef party in headers like sha256.h, while we should have some plug-in architecture for crypto with MCUboot headers defining the API, we have a mess. Now if you would like to support some other lib or maybe hardware accelerated Mbed TLS there are more ifdefs going to happen in sha256.h and other headers. The, lets call it, entropy of MCUboot code as a project increases , CI can not keep up, and configuration is harder and harder to follow.
No I was wrong, the fix was 018b770 Anyway, this issue can be closed as there is no issue with ECB, if TinyCrypt support is enough - which is default. |
I'm glad to hear that. :)
Yes, lately we were trying to mitigate and reverse this a bit with the crypto module refactorings (while adding the new PSA Crypto backend) towards a more modularized code structure with a cleaner API. I know there is still work to be done but the direction is good I think.
If a saw it correctly Zephyr only supports TinyCrypt with ECDSA.
I also share this concern, I'd be happy to continue this discussion in another topic/issue. The |
Follow-up discussion: #1770 |
Original report of this issue (from #1734 (comment)):
The text was updated successfully, but these errors were encountered: