Commit eb6b7bf3 authored by Almir Okato's avatar Almir Okato Committed by Fabio Utzig

espressif: Enable signature verification (RSA, EC256 and ED25519)



MbedTLS and Tinycrypt security lib options added to Espressif's
configuration and build.

Signed-off-by: default avatarAlmir Okato <almir.okato@espressif.com>
parent 14c785b7
+61 −9
# Copyright (c) 2021 Espressif Systems (Shanghai) Co., Ltd.
#
# SPDX-License-Identifier: Apache-2.0

cmake_minimum_required(VERSION 3.13)

if (NOT DEFINED MCUBOOT_TARGET)
@@ -60,7 +64,11 @@ foreach(config ${BOOTLOADER_CONF})
        string(REGEX REPLACE "^[ ]+" "" config ${config})
        string(REGEX MATCH "^[^=]+" CONFIG_NAME ${config})
        string(REPLACE "${CONFIG_NAME}=" "" CONFIG_VALUE ${config})
        if (NOT ("${CONFIG_VALUE}" STREQUAL "n"
            OR "${CONFIG_VALUE}" STREQUAL "N"))
            add_definitions(-D${CONFIG_NAME}=${CONFIG_VALUE})
            set(${CONFIG_NAME} ${CONFIG_VALUE})
        endif()
    endif()
endforeach()

@@ -69,7 +77,55 @@ set(APP_EXECUTABLE ${APP_NAME}.elf)

set(MCUBOOT_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
set(BOOTUTIL_DIR ${MCUBOOT_ROOT_DIR}/boot/bootutil)
set(MBEDTLS_DIR ${MCUBOOT_ROOT_DIR}/ext/mbedtls)
set(ESPRESSIF_PORT_DIR ${CMAKE_CURRENT_LIST_DIR})

if (DEFINED CONFIG_ESP_SIGN_RSA)
    if ("${MCUBOOT_TARGET}" STREQUAL "esp32s2" OR
        "${MCUBOOT_TARGET}" STREQUAL "esp32c3")
        message(FATAL_ERROR "RSA signature verification is currently not supported on the target")
    endif()
    include(${CMAKE_CURRENT_LIST_DIR}/include/crypto_config/rsa.cmake)
elseif (DEFINED CONFIG_ESP_SIGN_EC256)
    include(${CMAKE_CURRENT_LIST_DIR}/include/crypto_config/ec256.cmake)
elseif (DEFINED CONFIG_ESP_SIGN_ED25519)
    if ("${MCUBOOT_TARGET}" STREQUAL "esp32c3")
        message(FATAL_ERROR "ED25519 signature verification is currently not supported on the target")
    endif()
    include(${CMAKE_CURRENT_LIST_DIR}/include/crypto_config/ed25519.cmake)
else()
    # No signature verification
    set(TINYCRYPT_DIR ${MCUBOOT_ROOT_DIR}/ext/tinycrypt/lib)
    set(CRYPTO_INC
        ${TINYCRYPT_DIR}/include
        )
    set(crypto_srcs
        ${TINYCRYPT_DIR}/source/sha256.c
        ${TINYCRYPT_DIR}/source/utils.c
        )
endif()

if(DEFINED CONFIG_ESP_SIGN_KEY_FILE)
    if(IS_ABSOLUTE ${CONFIG_ESP_SIGN_KEY_FILE})
        set(KEY_FILE ${CONFIG_ESP_SIGN_KEY_FILE})
    else()
        set(KEY_FILE ${MCUBOOT_ROOT_DIR}/${CONFIG_ESP_SIGN_KEY_FILE})
    endif()
    message("MCUBoot bootloader key file: ${KEY_FILE}")

    set(GENERATED_PUBKEY ${CMAKE_CURRENT_BINARY_DIR}/autogen-pubkey.c)
        add_custom_command(
            OUTPUT ${GENERATED_PUBKEY}
            COMMAND
            ${PYTHON_EXECUTABLE}
            ${MCUBOOT_ROOT_DIR}/scripts/imgtool.py
            getpub
            -k
            ${KEY_FILE}
            > ${GENERATED_PUBKEY}
            DEPENDS ${KEY_FILE}
        )
    list(APPEND crypto_srcs ${GENERATED_PUBKEY})
endif()

set(bootutil_srcs
    ${BOOTUTIL_DIR}/src/boot_record.c
@@ -91,11 +147,6 @@ set(bootutil_srcs
    ${BOOTUTIL_DIR}/src/tlv.c
    )

set(mbedtls_srcs
    ${MBEDTLS_DIR}/library/sha256.c
    ${MBEDTLS_DIR}/library/platform_util.c
    )

set(CFLAGS
    "-Wno-frame-address"
    "-Wall"
@@ -163,16 +214,17 @@ target_sources(
    ${APP_EXECUTABLE}
    PUBLIC
    ${bootutil_srcs}
    ${mbedtls_srcs}
    ${crypto_srcs}
    ${CMAKE_CURRENT_LIST_DIR}/port/esp_mcuboot.c
    ${CMAKE_CURRENT_LIST_DIR}/port/esp_loader.c
    ${CMAKE_CURRENT_LIST_DIR}/os.c
    )

target_include_directories(
    ${APP_EXECUTABLE}
    PUBLIC
    ${BOOTUTIL_DIR}/include
    ${MBEDTLS_DIR}/include
    ${CRYPTO_INC}
    ${CMAKE_CURRENT_LIST_DIR}/include
    )
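Review bot: The `else()` branch marked `# No signature verification` configures a bootloader that boots images without any signature check, and nothing tells the person building it; with every `CONFIG_ESP_SIGN_*` line in the sample configuration commented out, this looks like the default build. I would make the choice visible by adding `message(WARNING "MCUboot: no CONFIG_ESP_SIGN_* option set, image signature verification is DISABLED")` as the first statement of that branch. In the same section, when a signature type is selected but `CONFIG_ESP_SIGN_KEY_FILE` is not defined, `autogen-pubkey.c` is never generated; whether `keys.c` then fails to build is not visible here, so an explicit `message(FATAL_ERROR ...)` for that combination would be safer than relying on it. The `add_custom_command` should also list `${MCUBOOT_ROOT_DIR}/scripts/imgtool.py` in `DEPENDS` and carry `VERBATIM`, so the public key is regenerated when the tool changes.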

+18 −0
# Copyright (c) 2021 Espressif Systems (Shanghai) Co., Ltd.
#
# SPDX-License-Identifier: Apache-2.0

CONFIG_ESP_BOOTLOADER_SIZE=0xF000
CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS=0x10000
CONFIG_ESP_APPLICATION_SIZE=0x100000
@@ -5,3 +9,17 @@ CONFIG_ESP_APPLICATION_SECONDARY_START_ADDRESS=0x110000
CONFIG_ESP_MCUBOOT_WDT_ENABLE=y
CONFIG_ESP_SCRATCH_OFFSET=0x210000
CONFIG_ESP_SCRATCH_SIZE=0x40000

# CONFIG_ESP_SIGN_EC256=y
# CONFIG_ESP_SIGN_ED25519=n
# CONFIG_ESP_SIGN_RSA=n
# CONFIG_ESP_SIGN_RSA_LEN=2048

# Use Tinycrypt lib for EC256 or ED25519 signing
# CONFIG_ESP_USE_TINYCRYPT=y
# Use Mbed TLS lib for RSA image signing
# CONFIG_ESP_USE_MBEDTLS=n

# It is strongly recommended to generate a new signing key
# using imgtool instead of use the existent sample
# CONFIG_ESP_SIGN_KEY_FILE=root-ec-p256.pem
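Review bot: The example value `root-ec-p256.pem` points at the sample key kept in the MCUboot tree, whose private half is available to anyone with the repository, so a bootloader built with it gives no real assurance about who signed an image; the two-line recommendation above it undersells that. I would reword the comment to something like `# WARNING: root-ec-p256.pem is a public sample key, for testing only. Generate your own key with imgtool and keep the private half out of the repository.` It would also help to state here that a relative path is resolved against the MCUboot root directory (the CMake side prepends `${MCUBOOT_ROOT_DIR}`), and that leaving all `CONFIG_ESP_SIGN_*` lines commented out builds a bootloader with no signature verification.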
+23 −11
@@ -23,16 +23,24 @@
/*
 * Signature types
 *
 * You must choose exactly one signature type.
 * You must choose exactly one signature type - check bootloader.conf
 * configuration file
 */

/* Uncomment for RSA signature support */
/* #define MCUBOOT_SIGN_RSA */

/* Uncomment for ECDSA signatures using curve P-256. */
/* #define MCUBOOT_SIGN_EC256 */


#if defined(CONFIG_ESP_SIGN_RSA)
#define MCUBOOT_SIGN_RSA
#  if (CONFIG_ESP_SIGN_RSA_LEN != 2048 && \
       CONFIG_ESP_SIGN_RSA_LEN != 3072)
#    error "Invalid RSA key size (must be 2048 or 3072)"
#  else
#    define MCUBOOT_SIGN_RSA_LEN CONFIG_ESP_SIGN_RSA_LEN
#  endif
#elif defined(CONFIG_ESP_SIGN_EC256)
#define MCUBOOT_SIGN_EC256
#elif defined(CONFIG_ESP_SIGN_ED25519)
#define MCUBOOT_SIGN_ED25519
#endif
/*
 * Upgrade mode
 *
@@ -63,15 +71,19 @@
/*
 * Cryptographic settings
 *
 * You must choose between mbedTLS and Tinycrypt as source of
 * You must choose between Mbed TLS and Tinycrypt as source of
 * cryptographic primitives. Other cryptographic settings are also
 * available.
 */

/* Uncomment to use ARM's mbedTLS cryptographic primitives */
/* Uncomment to use Mbed TLS cryptographic primitives */
#if defined(CONFIG_ESP_USE_MBEDTLS)
#define MCUBOOT_USE_MBED_TLS
/* Uncomment to use Tinycrypt's. */
/* #define MCUBOOT_USE_TINYCRYPT */
#else
/* MCUboot requires the definition of a crypto lib,
 * using Tinycrypt as default */
#define MCUBOOT_USE_TINYCRYPT
#endif

/*
 * Always check the signature of the image in the primary slot before booting,
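Review bot: The `#if`/`#elif` chain on `CONFIG_ESP_SIGN_RSA`, `CONFIG_ESP_SIGN_EC256` and `CONFIG_ESP_SIGN_ED25519` silently takes the first match when more than one is defined, and defines no `MCUBOOT_SIGN_*` at all when none is, although the comment above it says exactly one must be chosen. A guard before the chain, using the condition `(defined(CONFIG_ESP_SIGN_RSA) + defined(CONFIG_ESP_SIGN_EC256) + defined(CONFIG_ESP_SIGN_ED25519)) > 1` followed by an `#error`, would turn a contradictory configuration into a build failure. The comment `/* Uncomment to use Mbed TLS cryptographic primitives */`, which appears to be on the new side, is stale now that the library is selected through `CONFIG_ESP_USE_MBEDTLS`; something like `/* Mbed TLS is used when CONFIG_ESP_USE_MBEDTLS is set in bootloader.conf */` would match the code. A blank line between the closing `#endif` of the signature chain and the `Upgrade mode` comment would also keep the two sections apart.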
+29 −0
# Copyright (c) 2021 Espressif Systems (Shanghai) Co., Ltd.
#
# SPDX-License-Identifier: Apache-2.0

set(MBEDTLS_ASN1_DIR "${MCUBOOT_ROOT_DIR}/ext/mbedtls-asn1")
set(CRYPTO_INC
    ${MBEDTLS_ASN1_DIR}/include
    )
set(crypto_srcs
    # Additionally pull in just the ASN.1 parser from Mbed TLS.
    ${MBEDTLS_ASN1_DIR}/src/asn1parse.c
    ${MBEDTLS_ASN1_DIR}/src/platform_util.c
    )

if (DEFINED CONFIG_ESP_USE_MBEDTLS)
    message(FATAL_ERROR "EC256 signature verification using Mbed TLS lib is not supported")
elseif (DEFINED CONFIG_ESP_USE_TINYCRYPT)
    set(TINYCRYPT_DIR ${MCUBOOT_ROOT_DIR}/ext/tinycrypt/lib)
    list(APPEND CRYPTO_INC
        ${TINYCRYPT_DIR}/include
        )
    list(APPEND crypto_srcs
        ${ESPRESSIF_PORT_DIR}/keys.c
        ${TINYCRYPT_DIR}/source/utils.c
        ${TINYCRYPT_DIR}/source/sha256.c
        ${TINYCRYPT_DIR}/source/ecc.c
        ${TINYCRYPT_DIR}/source/ecc_dsa.c
        )
endif()
 No newline at end of file
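Review bot: When neither `CONFIG_ESP_USE_MBEDTLS` nor `CONFIG_ESP_USE_TINYCRYPT` is defined, the `if`/`elseif` at the end of this file takes no branch, so `crypto_srcs` holds only the ASN.1 parser while the config header in this commit falls back to `MCUBOOT_USE_TINYCRYPT`; the build then presumably fails later with unresolved Tinycrypt symbols rather than a clear message. Replacing `elseif (DEFINED CONFIG_ESP_USE_TINYCRYPT)` with a plain `else()` would match the header's default, or an `else()` containing `message(FATAL_ERROR "EC256 requires CONFIG_ESP_USE_TINYCRYPT")` would make the requirement explicit. The ED25519 configuration file added in this commit has the same gap. The file also lacks a trailing newline.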
+31 −0
# Copyright (c) 2021 Espressif Systems (Shanghai) Co., Ltd.
#
# SPDX-License-Identifier: Apache-2.0

set(MBEDTLS_ASN1_DIR "${MCUBOOT_ROOT_DIR}/ext/mbedtls-asn1")
set(CRYPTO_INC
    ${MBEDTLS_ASN1_DIR}/include
    )
set(crypto_srcs
    # Additionally pull in just the ASN.1 parser from Mbed TLS.
    ${MBEDTLS_ASN1_DIR}/src/asn1parse.c
    ${MBEDTLS_ASN1_DIR}/src/platform_util.c
    )

if (DEFINED CONFIG_ESP_USE_MBEDTLS)
    message(FATAL_ERROR "ED25519 image signing using Mbed TLS lib is not supported")
elseif (DEFINED CONFIG_ESP_USE_TINYCRYPT)
    set(TINYCRYPT_DIR ${MCUBOOT_ROOT_DIR}/ext/tinycrypt/lib)
    set(TINYCRYPT512_DIR ${MCUBOOT_ROOT_DIR}/ext/tinycrypt-sha512/lib)
    list(APPEND CRYPTO_INC
        ${TINYCRYPT_DIR}/include
        ${TINYCRYPT512_DIR}/include
        )
    list(APPEND crypto_srcs
        ${ESPRESSIF_PORT_DIR}/keys.c
        ${TINYCRYPT_DIR}/source/utils.c
        ${TINYCRYPT_DIR}/source/sha256.c
        ${TINYCRYPT512_DIR}/source/sha512.c
        ${MCUBOOT_ROOT_DIR}/ext/fiat/src/curve25519.c
        )
endif()
 No newline at end of file
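Review bot: The `FATAL_ERROR` text reads `ED25519 image signing using Mbed TLS lib is not supported`, but the bootloader verifies signatures and does not sign; the EC256 counterpart and the target checks in the main CMake file say "signature verification". I would change it to `message(FATAL_ERROR "ED25519 signature verification using Mbed TLS lib is not supported")` so the three messages agree. The opening block that sets `MBEDTLS_ASN1_DIR`, `CRYPTO_INC` and `crypto_srcs` duplicates the EC256 file line for line; moving it into a shared include would keep the two from drifting apart.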