bootutil: Support for MCUBOOT_BYPASS_KEY_MATCH (6d943d68) · Commits · Wenxi XU / Mcuboot

This MCUboot configuration option turns off matching of public key hash, taken from image TLV, against built in public key. Such verification is not needed when there is only one key built in as the signature verification will reject image signed with unknown key anyway. Enabling the option allows to slightly reduce MCUboot binary size by removing the code that does the key matching. Boot time improvement is not really significant. Signed-off-by:

Dominik Ermel <dominik.ermel@nordicsemi.no>

boot/bootutil/src/image_validate.c

+14 −0

Original line number	Diff line number	Diff line
		@@ -280,6 +280,8 @@ bootutil_img_hash(struct boot_loader_state *state,
		# define KEY_BUF_SIZE (SIG_BUF_SIZE + 24)
		#endif /* !MCUBOOT_HW_KEY */

		#if !defined(MCUBOOT_BYPASS_KEY_MATCH)
		/* Find functions are only needed when key is checked first */
		#if !defined(MCUBOOT_HW_KEY)
		static int
		bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
		@@ -349,6 +351,18 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
		#endif /* !MCUBOOT_HW_KEY */
		#endif /* !MCUBOOT_BUILTIN_KEY */
		#endif /* EXPECTED_SIG_TLV */
		#else /* !MCUBOOT_BYPASS_KEY_MATCH */
		static inline int
		bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
		{
		(void)image_index;
		(void)key;
		(void)key_len;

		/* There is only one key, so it always matches */
		return 0;
		}
		#endif /* !MCUBOOT_BYPASS_KEY_MATCH */

		/**
		* Reads the value of an image's security counter.

Admin message