Allow bypassing ASN.1 processing of public key for ED25519 #2089
Conversation
…ey import The commit adds MCUBOOT_KEY_IMPORT_BYPASS_ASN configuration option that allows bypassing ASN.1 decoding of ED25519 public key, compiled into MCUboot. When the option is enabled the key will be accessed directly and ASN.1 processing is not compiled in, resulting in smaller footprint of MCUboot, at a cost of reduced detection of invalid key, i.e. public key designated for different method than compiled in. Upstream PR: mcu-tools/mcuboot#2089 Signed-off-by: Dominik Ermel <[email protected]>
…SS_ASN The option enables MCUboot configuration option MCUBOOT_KEY_IMPORT_BYPASS_ASN. Upstream PR: mcu-tools/mcuboot#2089 Signed-off-by: Dominik Ermel <[email protected]>
nordicjm
changed the title
de-nordic
force-pushed
the
ed25519-asn1-bypass
branch
from
1cdb478 to
86e26fa
Compare
…ey import The commit adds MCUBOOT_KEY_IMPORT_BYPASS_ASN configuration option that allows bypassing ASN.1 decoding of ED25519 public key, compiled into MCUboot. When the option is enabled the key will be accessed directly and ASN.1 processing is not compiled in, resulting in smaller footprint of MCUboot, at a cost of reduced detection of invalid key, i.e. public key designated for different method than compiled in. Upstream PR: mcu-tools/mcuboot#2089 Signed-off-by: Dominik Ermel <[email protected]>
…SS_ASN The option enables MCUboot configuration option MCUBOOT_KEY_IMPORT_BYPASS_ASN. Upstream PR: mcu-tools/mcuboot#2089 Signed-off-by: Dominik Ermel <[email protected]>
|
@d3zd3z hej, got time to review? |
|
It looks good to me, I only have:
|
I will implement the changes. |
|
As I already mentioned, the parsing of ECDSA is handled differently in the existing code, but I think your solution is also reliable as the variability in size is only present for the signatures (encoding unsigned values as signed integers). The key is encoded as a bit string with 2 extra bytes (num of unused bits and compression) and its size is deterministic. |
de-nordic
force-pushed
the
ed25519-asn1-bypass
branch
from
86e26fa to
e27d7fa
Compare
I have applied the comment regarding ifdefing includes. |
The commit adds MCUBOOT_KEY_IMPORT_BYPASS_ASN configuration option that allows bypassing ASN.1 decoding of ED25519 public key, compiled into MCUboot. When the option is enabled the key will be accessed directly and ASN.1 processing is not compiled in, resulting in smaller footprint of MCUboot, at a cost of reduced detection of invalid key, i.e. public key designated for different method than compiled in. Signed-off-by: Dominik Ermel <[email protected]>
The option enables MCUboot configuration option MCUBOOT_KEY_IMPORT_BYPASS_ASN. Signed-off-by: Dominik Ermel <[email protected]>
de-nordic
force-pushed
the
ed25519-asn1-bypass
branch
from
e27d7fa to
1da4a11
Compare
Add conditional compilation of ASN.1 decoding of ED25519 key.
This allows to cut out the ASN.1 encoding, which results in reduced flash size.
Comparison on nrf52840dk/nrf52840 build of MCUboot with the ED25519 enabled
Reduces code from 40422 bytes to 39918 bytes, when
-DCONFIG_BOOT_KEY_IMPORT_BYPASS_ASN=yis added.Another benefit of the option is that it is no longer needed to have portion of the mbedTLS, that does the ASN.1 support, enabled when compiling MCUboot with ED25519 for TinyCrypt.