bl_*: Add ED25519 support #19159
200e1ca
to
a07eb95
Compare
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
1439d7e
to
c2812fd
Compare
c907725
to
4f7f146
Compare
Memory footprint analysis revealed the following potential issues:
sample.matter.template.debug[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 912202[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)
Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-19159/20)
4f7f146
to
ab149da
Compare
select PSA_WANT_ALG_PURE_EDDSA | ||
select PSA_WANT_ECC_TWISTED_EDWARDS_255 | ||
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT |
I have these probably selected for SHA512 in MCUboot but they should not be needed, they are just required by ED25519, sha itself does not need them.
As far as I understand we are using KMU here so the _IMPORT should not be needed at all.
This Kconfig is actually not used
note for me
sysbuild: Add support for selecting b0 hash/signature types
#endif | ||
|
||
|
unwanted newline
|
||
config SECURE_BOOT_APPCORE_SUPPORTED_HASH_HARDWARE | ||
bool | ||
default y if SECURE_BOOT_HASH_TYPE_SHA256 && (SOC_SERIES_NRF91X || SOC_NRF52840) |
might be ...&& HAS_HW_NRF_CC310
No such Kconfig in a sysbuild context, there is no devicetree
|
||
config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE | ||
bool | ||
default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91X || SOC_NRF52840) |
as above
Not to be fixed by this PR:
I'm starting to think about how misleading the secure_boot name is. It's NSIB under the hood. Also, the SB acronym is used elsewhere.
MCUboot is another bootloader which can also be claimed to be a secure bootloader, which might cause some concerns around the name.
Probably today is not the time to change this.
ab149da
to
6b35112
Compare
Adds support for using SHA512 signatures using PSA crypto Signed-off-by: Jamie McCrae <[email protected]>
Adds support for ED25519 signatures using PSA crypto Signed-off-by: Jamie McCrae <[email protected]>
Makes these fields optional for configurations where they are not needed Signed-off-by: Jamie McCrae <[email protected]>
Does not add support for allowing the hash and signature type to be selected, also does not add support for ED25519 on nrf54l15 Signed-off-by: Jamie McCrae <[email protected]>
6b35112
to
c60938f
Compare
The parameters listed are wrong Signed-off-by: Jamie McCrae <[email protected]>
Prevents compliance from complaining Signed-off-by: Jamie McCrae <[email protected]>
Selects the Kconfig to enable the hash field be present in the output Signed-off-by: Jamie McCrae <[email protected]>
The comments for no SHA256 and no secp256r1 wrongly stated that these are disabled, this however is not true, the fields are accessed and must still be present, therefore explain that whilst they might not be checked, they are still required to be present Signed-off-by: Jamie McCrae <[email protected]>
84b4b0b
to
7de4594
Compare
|
Changes seem to be as expected by me. FYI @gchwier
+++ b/sysbuild/Kconfig.secureboot
@@ -37,7 +37,6 @@ config SECURE_BOOT_APPCORE_SUPPORTED_HASH_NONE
config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
bool
default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91X || SOC_NRF52840)
- default y if SECURE_BOOT_SIGNATURE_TYPE_ED25519 && SOC_NRF54L15_CPUAPP
config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE
bool
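Review bot: With the `default y if SECURE_BOOT_SIGNATURE_TYPE_ED25519 && SOC_NRF54L15_CPUAPP` line dropped from SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE, the only hardware default left in this hunk is ECDSA on nRF91/nRF52840, so an ED25519 selection on nRF54L15 no longer maps to the hardware-backed option here. Nothing in the visible lines shows which symbol covers that combination now; if it is meant to be unsupported at this stage, a short comment above the config saying so would keep a later reader from treating the omission as accidental.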
@@ -204,7 +203,6 @@ config SECURE_BOOT_SUPPORTED_SIGNATURE_ECDSA
config SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519
bool
- default y if SOC_NRF54L15_CPUAPP
choice SECURE_BOOT_HASH_TYPE
prompt "Hash type" +++ b/subsys/bootloader/Kconfig
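Review bot: SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519 is left as a bare `bool` with no default in the lines shown, so unless something outside this hunk selects it, anything that depends on it can never be enabled. If that is deliberate until nRF54L15 support lands, add a comment stating what is expected to set this symbol; otherwise it reads as dead configuration.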
@@ -73,7 +74,7 @@ config PM_PARTITION_SIZE_B0_IMAGE
default 0x7800 if !B0_MIN_PARTITION_SIZE && (SOC_NRF5340_CPUNET)
default FPROTECT_BLOCK_SIZE if SOC_SERIES_NRF91X || SOC_NRF5340_CPUAPP
default 0x3800 if SOC_NRF5340_CPUNET
- default 0x9800 if SOC_NRF54L15_CPUAPP
+ default 0x7800 if SOC_NRF54L15_CPUAPP
default 0x7000 if !B0_MIN_PARTITION_SIZE
default 0x4000
help
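Review bot: The nRF54L15 default for PM_PARTITION_SIZE_B0_IMAGE drops from 0x9800 to 0x7800 with no explanation in the hunk, and because the line sits above `default 0x7000 if !B0_MIN_PARTITION_SIZE` it applies on nRF54L15 whether or not B0_MIN_PARTITION_SIZE is set, as far as the lines shown go. Please state in the commit message what freed the 0x2000 bytes, and confirm the B0 image still fits in 0x7800 for every hash and signature combination this SoC can select.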
@@ -103,6 +104,13 @@ config SB_CLEANUP_RAM
help
Sets contents of memory to 0 before jumping to application. |
Does not add support for ED25519 and SHA512, does not enable ED25519 by default on nRF54L15.
test_boot: ed25519-tests