Add ECDSA signature support to PSA Crypto backend

.github/workflows/sim.yaml

@@ -44,6 +44,7 @@ jobs:
         - "sig-rsa validate-primary-slot ram-load multiimage"
         - "sig-rsa validate-primary-slot direct-xip multiimage"
         - "sig-ecdsa hw-rollback-protection multiimage"
+        - "sig-ecdsa-psa,sig-ecdsa-psa sig-p384"
         - "ram-load enc-aes256-kw multiimage"
         - "ram-load enc-aes256-kw sig-ecdsa-mbedtls multiimage"
     runs-on: ubuntu-latest

boot/bootutil/include/bootutil/caps.h

@@ -52,6 +52,7 @@ uint32_t bootutil_get_caps(void);
 #define BOOTUTIL_CAP_RAM_LOAD               (1<<16)
 #define BOOTUTIL_CAP_DIRECT_XIP             (1<<17)
 #define BOOTUTIL_CAP_HW_ROLLBACK_PROT       (1<<18)
+#define BOOTUTIL_CAP_ECDSA_P384             (1<<19)
 
 /*
  * Query the number of images this bootloader is configured for.  This

boot/bootutil/include/bootutil/crypto/sha256.h → boot/bootutil/include/bootutil/crypto/sha.h

@@ -18,8 +18,8 @@
  * the MCUBOOT_USE_PSA_CRYPTO will take precedence.
  */
 
-#ifndef __BOOTUTIL_CRYPTO_SHA256_H_
-#define __BOOTUTIL_CRYPTO_SHA256_H_
+#ifndef __BOOTUTIL_CRYPTO_SHA_H_
+#define __BOOTUTIL_CRYPTO_SHA_H_
 
 #include "mcuboot_config/mcuboot_config.h"
 #include "mcuboot_config/mcuboot_logging.h"
@@ -34,8 +34,16 @@
     #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO"
 #endif
 
+#if defined(MCUBOOT_SIGN_EC384)
+    #define IMAGE_HASH_SIZE (48)
+    #define EXPECTED_HASH_TLV IMAGE_TLV_SHA384
+#else
+    #define IMAGE_HASH_SIZE (32)
+    #define EXPECTED_HASH_TLV IMAGE_TLV_SHA256
+#endif /* MCUBOOT_SIGN_EC384 */
+
 /* Universal defines for SHA-256 */
-#define BOOTUTIL_CRYPTO_SHA256_BLOCK_SIZE (64)
+#define BOOTUTIL_CRYPTO_SHA256_BLOCK_SIZE  (64)
 #define BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE (32)
 
 #if defined(MCUBOOT_USE_PSA_CRYPTO)
@@ -69,119 +77,129 @@ extern "C" {
 
 #if defined(MCUBOOT_USE_PSA_CRYPTO)
 
-typedef psa_hash_operation_t bootutil_sha256_context;
+typedef psa_hash_operation_t bootutil_sha_context;
 
-static inline int bootutil_sha256_init(bootutil_sha256_context *ctx)
+static inline int bootutil_sha_init(bootutil_sha_context *ctx)
 {
     *ctx = psa_hash_operation_init();
-    return (int)psa_hash_setup(ctx, PSA_ALG_SHA_256);
+#if defined(MCUBOOT_SIGN_EC384)
+    psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_384);
+#else
+    psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_256);
+#endif
+    return (int)status;
 }
 
-static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx)
+static inline int bootutil_sha_drop(bootutil_sha_context *ctx)
 {
     return (int)psa_hash_abort(ctx);
 }
 
-static inline int bootutil_sha256_update(bootutil_sha256_context *ctx,
-                                         const void *data,
-                                         uint32_t data_len)
+static inline int bootutil_sha_update(bootutil_sha_context *ctx,
+                                      const void *data,
+                                      uint32_t data_len)
 {
     return (int)psa_hash_update(ctx, data, data_len);
 }
 
-static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx,
-                                          uint8_t *output)
+static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
+                                      uint8_t *output)
 {
     size_t hash_length = 0;
     /* Assumes the output buffer is at least the expected size of the hash */
+#if defined(MCUBOOT_SIGN_EC384)
+    return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_384), &hash_length);
+#else
     return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_256), &hash_length);
+#endif
 }
 
 #elif defined(MCUBOOT_USE_MBED_TLS)
 
-typedef mbedtls_sha256_context bootutil_sha256_context;
+typedef mbedtls_sha256_context bootutil_sha_context;
 
-static inline int bootutil_sha256_init(bootutil_sha256_context *ctx)
+static inline int bootutil_sha_init(bootutil_sha_context *ctx)
 {
     mbedtls_sha256_init(ctx);
     return mbedtls_sha256_starts_ret(ctx, 0);
 }
 
-static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx)
+static inline int bootutil_sha_drop(bootutil_sha_context *ctx)
 {
     /* XXX: config defines MBEDTLS_PLATFORM_NO_STD_FUNCTIONS so no need to free */
     /* (void)mbedtls_sha256_free(ctx); */
     (void)ctx;
     return 0;
 }
 
-static inline int bootutil_sha256_update(bootutil_sha256_context *ctx,
-                                         const void *data,
-                                         uint32_t data_len)
+static inline int bootutil_sha_update(bootutil_sha_context *ctx,
+                                      const void *data,
+                                      uint32_t data_len)
 {
     return mbedtls_sha256_update_ret(ctx, data, data_len);
 }
 
-static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx,
-                                          uint8_t *output)
+static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
+                                      uint8_t *output)
 {
     return mbedtls_sha256_finish_ret(ctx, output);
 }
 
 #endif /* MCUBOOT_USE_MBED_TLS */
 
 #if defined(MCUBOOT_USE_TINYCRYPT)
-typedef struct tc_sha256_state_struct bootutil_sha256_context;
-static inline int bootutil_sha256_init(bootutil_sha256_context *ctx)
+typedef struct tc_sha256_state_struct bootutil_sha_context;
+
+static inline int bootutil_sha_init(bootutil_sha_context *ctx)
 {
     tc_sha256_init(ctx);
     return 0;
 }
 
-static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx)
+static inline int bootutil_sha_drop(bootutil_sha_context *ctx)
 {
     (void)ctx;
     return 0;
 }
 
-static inline int bootutil_sha256_update(bootutil_sha256_context *ctx,
-                                         const void *data,
-                                         uint32_t data_len)
+static inline int bootutil_sha_update(bootutil_sha_context *ctx,
+                                      const void *data,
+                                      uint32_t data_len)
 {
     return tc_sha256_update(ctx, data, data_len);
 }
 
-static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx,
-                                          uint8_t *output)
+static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
+                                      uint8_t *output)
 {
     return tc_sha256_final(output, ctx);
 }
 #endif /* MCUBOOT_USE_TINYCRYPT */
 
 #if defined(MCUBOOT_USE_CC310)
-static inline int bootutil_sha256_init(bootutil_sha256_context *ctx)
+static inline int bootutil_sha_init(bootutil_sha_context *ctx)
 {
     cc310_sha256_init(ctx);
     return 0;
 }
 
-static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx)
+static inline int bootutil_sha_drop(bootutil_sha_context *ctx)
 {
     (void)ctx;
     nrf_cc310_disable();
     return 0;
 }
 
-static inline int bootutil_sha256_update(bootutil_sha256_context *ctx,
-                                          const void *data,
-                                          uint32_t data_len)
+static inline int bootutil_sha_update(bootutil_sha_context *ctx,
+                                      const void *data,
+                                      uint32_t data_len)
 {
     cc310_sha256_update(ctx, data, data_len);
     return 0;
 }
 
-static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx,
-                                          uint8_t *output)
+static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
+                                      uint8_t *output)
 {
     cc310_sha256_finalize(ctx, output);
     return 0;
@@ -192,4 +210,4 @@ static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx,
 }
 #endif
 
-#endif /* __BOOTUTIL_CRYPTO_SHA256_H_ */
+#endif /* __BOOTUTIL_CRYPTO_SHA_H_ */

boot/bootutil/include/bootutil/image.h

@@ -80,7 +80,6 @@ struct flash_area;
  * Image trailer TLV types.
  *
  * Signature is generated by computing signature over the image hash.
- * Currently the only image hash type is SHA256.
  *
  * Signature comes in the form of 2 TLVs.
  *   1st on identifies the public key which should be used to verify it.
@@ -89,6 +88,7 @@ struct flash_area;
 #define IMAGE_TLV_KEYHASH           0x01   /* hash of the public key */
 #define IMAGE_TLV_PUBKEY            0x02   /* public key */
 #define IMAGE_TLV_SHA256            0x10   /* SHA256 of image hdr and body */
+#define IMAGE_TLV_SHA384            0x11   /* SHA384 of image hdr and body */
 #define IMAGE_TLV_RSA2048_PSS       0x20   /* RSA2048 of hash output */
 #define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output - Not supported anymore */
 #define IMAGE_TLV_ECDSA_SIG         0x22   /* ECDSA of hash output */

boot/bootutil/src/boot_record.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2021 Arm Limited
+ * Copyright (c) 2018-2023 Arm Limited
  * Copyright (c) 2020 Linaro Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,6 +22,7 @@
 #include <string.h>
 
 #include "mcuboot_config/mcuboot_config.h"
+#include "bootutil/crypto/sha.h"
 
 #if defined(MCUBOOT_MEASURED_BOOT) || defined(MCUBOOT_DATA_SHARING)
 #include "bootutil/boot_record.h"
@@ -132,7 +133,7 @@ boot_save_boot_status(uint8_t sw_module,
     uint16_t type;
     uint16_t ias_minor;
     size_t record_len = 0;
-    uint8_t image_hash[32]; /* SHA256 - 32 Bytes */
+    uint8_t image_hash[IMAGE_HASH_SIZE];
     uint8_t buf[MAX_BOOT_RECORD_SZ];
     bool boot_record_found = false;
     bool hash_found = false;
@@ -170,7 +171,7 @@ boot_save_boot_status(uint8_t sw_module,
             record_len = len;
             boot_record_found = true;
 
-        } else if (type == IMAGE_TLV_SHA256) {
+        } else if (type == EXPECTED_HASH_TLV) {
             /* Get the image's hash value from the manifest section. */
             if (len > sizeof(image_hash)) {
                 return -1;

boot/bootutil/src/caps.c

@@ -35,6 +35,9 @@ uint32_t bootutil_get_caps(void)
 #if defined(MCUBOOT_SIGN_EC256)
     res |= BOOTUTIL_CAP_ECDSA_P256;
 #endif
+#if defined(MCUBOOT_SIGN_EC384)
+    res |= BOOTUTIL_CAP_ECDSA_P384;
+#endif
 #if defined(MCUBOOT_SIGN_ED25519)
     res |= BOOTUTIL_CAP_ED25519;
 #endif

boot/bootutil/src/encrypted.c

@@ -30,7 +30,7 @@
 #endif
 
 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
-#include "bootutil/crypto/sha256.h"
+#include "bootutil/crypto/sha.h"
 #include "bootutil/crypto/hmac_sha256.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/asn1.h"

boot/bootutil/src/image_rsa.c

@@ -43,7 +43,7 @@
  */
 #if !defined(MCUBOOT_USE_PSA_CRYPTO)
 
-#include "bootutil/crypto/sha256.h"
+#include "bootutil/crypto/sha.h"
 
 /*
  * Constants for this particular constrained implementation of
@@ -86,17 +86,17 @@ static const uint8_t pss_zeros[8] = {0};
 static void
 pss_mgf1(uint8_t *mask, const uint8_t *hash)
 {
-    bootutil_sha256_context ctx;
+    bootutil_sha_context ctx;
     uint8_t counter[4] = { 0, 0, 0, 0 };
     uint8_t htmp[PSS_HLEN];
     int count = PSS_MASK_LEN;
     int bytes;
 
     while (count > 0) {
-        bootutil_sha256_init(&ctx);
-        bootutil_sha256_update(&ctx, hash, PSS_HLEN);
-        bootutil_sha256_update(&ctx, counter, 4);
-        bootutil_sha256_finish(&ctx, htmp);
+        bootutil_sha_init(&ctx);
+        bootutil_sha_update(&ctx, hash, PSS_HLEN);
+        bootutil_sha_update(&ctx, counter, 4);
+        bootutil_sha_finish(&ctx, htmp);
 
         counter[3]++;
 
@@ -109,7 +109,7 @@ pss_mgf1(uint8_t *mask, const uint8_t *hash)
         count -= bytes;
     }
 
-    bootutil_sha256_drop(&ctx);
+    bootutil_sha_drop(&ctx);
 }
 
 /*
@@ -121,7 +121,7 @@ static fih_ret
 bootutil_cmp_rsasig(bootutil_rsa_context *ctx, uint8_t *hash, uint32_t hlen,
   uint8_t *sig, size_t slen)
 {
-    bootutil_sha256_context shactx;
+    bootutil_sha_context shactx;
     uint8_t em[MBEDTLS_MPI_MAX_SIZE];
     uint8_t db_mask[PSS_MASK_LEN];
     uint8_t h2[PSS_HLEN];
@@ -221,12 +221,12 @@ bootutil_cmp_rsasig(bootutil_rsa_context *ctx, uint8_t *hash, uint32_t hlen,
     /* Step 12.  Let M' = 0x00 00 00 00 00 00 00 00 || mHash || salt; */
 
     /* Step 13.  Let H' = Hash(M') */
-    bootutil_sha256_init(&shactx);
-    bootutil_sha256_update(&shactx, pss_zeros, 8);
-    bootutil_sha256_update(&shactx, hash, PSS_HLEN);
-    bootutil_sha256_update(&shactx, &db_mask[PSS_MASK_SALT_POS], PSS_SLEN);
-    bootutil_sha256_finish(&shactx, h2);
-    bootutil_sha256_drop(&shactx);
+    bootutil_sha_init(&shactx);
+    bootutil_sha_update(&shactx, pss_zeros, 8);
+    bootutil_sha_update(&shactx, hash, PSS_HLEN);
+    bootutil_sha_update(&shactx, &db_mask[PSS_MASK_SALT_POS], PSS_SLEN);
+    bootutil_sha_finish(&shactx, h2);
+    bootutil_sha_drop(&shactx);
 
     /* Step 14.  If H = H', output "consistent".  Otherwise, output
      * "inconsistent". */