bootutil: Remove P224 curve

Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I49fad7ede202de4e3c710bf4aa1df195a310b037

Author: Roland Mikhel

boot/bootutil/CMakeLists.txt

@@ -1,5 +1,5 @@
 #------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -23,7 +23,6 @@ target_sources(bootutil
         src/encrypted.c
         src/fault_injection_hardening.c
         src/fault_injection_hardening_delay_rng_mbedtls.c
-        src/image_ec.c
         src/image_ec256.c
         src/image_ed25519.c
         src/image_rsa.c

boot/bootutil/include/bootutil/caps.h

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2017 Linaro Limited
- * Copyright (c) 2021 Arm Limited
+ * Copyright (c) 2021-2023 Arm Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,23 +34,22 @@ extern "C" {
 uint32_t bootutil_get_caps(void);
 
 #define BOOTUTIL_CAP_RSA2048                (1<<0)
-#define BOOTUTIL_CAP_ECDSA_P224             (1<<1)
-#define BOOTUTIL_CAP_ECDSA_P256             (1<<2)
-#define BOOTUTIL_CAP_SWAP_USING_SCRATCH     (1<<3)
-#define BOOTUTIL_CAP_OVERWRITE_UPGRADE      (1<<4)
-#define BOOTUTIL_CAP_ENC_RSA                (1<<5)
-#define BOOTUTIL_CAP_ENC_KW                 (1<<6)
-#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT  (1<<7)
-#define BOOTUTIL_CAP_RSA3072                (1<<8)
-#define BOOTUTIL_CAP_ED25519                (1<<9)
-#define BOOTUTIL_CAP_ENC_EC256              (1<<10)
-#define BOOTUTIL_CAP_SWAP_USING_MOVE        (1<<11)
-#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION   (1<<12)
-#define BOOTUTIL_CAP_ENC_X25519             (1<<13)
-#define BOOTUTIL_CAP_BOOTSTRAP              (1<<14)
-#define BOOTUTIL_CAP_AES256                 (1<<15)
-#define BOOTUTIL_CAP_RAM_LOAD               (1<<16)
-#define BOOTUTIL_CAP_DIRECT_XIP             (1<<17)
+#define BOOTUTIL_CAP_ECDSA_P256             (1<<1)
+#define BOOTUTIL_CAP_SWAP_USING_SCRATCH     (1<<2)
+#define BOOTUTIL_CAP_OVERWRITE_UPGRADE      (1<<3)
+#define BOOTUTIL_CAP_ENC_RSA                (1<<4)
+#define BOOTUTIL_CAP_ENC_KW                 (1<<5)
+#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT  (1<<6)
+#define BOOTUTIL_CAP_RSA3072                (1<<7)
+#define BOOTUTIL_CAP_ED25519                (1<<8)
+#define BOOTUTIL_CAP_ENC_EC256              (1<<9)
+#define BOOTUTIL_CAP_SWAP_USING_MOVE        (1<<10)
+#define BOOTUTIL_CAP_DOWNGRADE_PREVENTION   (1<<11)
+#define BOOTUTIL_CAP_ENC_X25519             (1<<12)
+#define BOOTUTIL_CAP_BOOTSTRAP              (1<<13)
+#define BOOTUTIL_CAP_AES256                 (1<<14)
+#define BOOTUTIL_CAP_RAM_LOAD               (1<<15)
+#define BOOTUTIL_CAP_DIRECT_XIP             (1<<16)
 
 /*
  * Query the number of images this bootloader is configured for.  This

boot/bootutil/include/bootutil/image.h

@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2016-2019 Linaro LTD
  * Copyright (c) 2016-2019 JUUL Labs
- * Copyright (c) 2019-2021 Arm Limited
+ * Copyright (c) 2019-2023 Arm Limited
  *
  * Original license:
  *
@@ -85,7 +85,7 @@ struct flash_area;
 #define IMAGE_TLV_PUBKEY            0x02   /* public key */
 #define IMAGE_TLV_SHA256            0x10   /* SHA256 of image hdr and body */
 #define IMAGE_TLV_RSA2048_PSS       0x20   /* RSA2048 of hash output */
-#define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output */
+#define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output - Not supported anymore */
 #define IMAGE_TLV_ECDSA256          0x22   /* ECDSA of hash output */
 #define IMAGE_TLV_RSA3072_PSS       0x23   /* RSA3072 of hash output */
 #define IMAGE_TLV_ED25519           0x24   /* ed25519 of hash output */

boot/bootutil/src/caps.c

@@ -2,7 +2,7 @@
  * SPDX-License-Identifier: Apache-2.0
  *
  * Copyright (c) 2017 Linaro Limited
- * Copyright (c) 2021 Arm Limited
+ * Copyright (c) 2021-2023 Arm Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,9 +32,6 @@ uint32_t bootutil_get_caps(void)
     res |= BOOTUTIL_CAP_RSA3072;
 #endif
 #endif
-#if defined(MCUBOOT_SIGN_EC)
-    res |= BOOTUTIL_CAP_ECDSA_P224;
-#endif
 #if defined(MCUBOOT_SIGN_EC256)
     res |= BOOTUTIL_CAP_ECDSA_P256;
 #endif

boot/bootutil/src/image_ec.c

@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2017-2019 Linaro LTD
  * Copyright (c) 2016-2019 JUUL Labs
- * Copyright (c) 2019-2020 Arm Limited
+ * Copyright (c) 2019-2023 Arm Limited
  *
  * Original license:
  *
@@ -46,11 +46,11 @@
 #if defined(MCUBOOT_SIGN_RSA)
 #include "mbedtls/rsa.h"
 #endif
-#if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
+#if defined(MCUBOOT_SIGN_EC256)
 #include "mbedtls/ecdsa.h"
 #endif
 #if defined(MCUBOOT_ENC_IMAGES) || defined(MCUBOOT_SIGN_RSA) || \
-    defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
+    defined(MCUBOOT_SIGN_EC256)
 #include "mbedtls/asn1.h"
 #endif
 
@@ -169,7 +169,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
  * configured for any signature, don't define this macro.
  */
 #if (defined(MCUBOOT_SIGN_RSA)      + \
-     defined(MCUBOOT_SIGN_EC)       + \
      defined(MCUBOOT_SIGN_EC256)    + \
      defined(MCUBOOT_SIGN_ED25519)) > 1
 #error "Only a single signature type is supported!"
@@ -185,10 +184,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
 #    endif
 #    define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8)
 #    define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE) /* 2048 bits */
-#elif defined(MCUBOOT_SIGN_EC)
-#    define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224
-#    define SIG_BUF_SIZE 128
-#    define EXPECTED_SIG_LEN(x)  (1) /* always true, ASN.1 will validate */
 #elif defined(MCUBOOT_SIGN_EC256)
 #    define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256
 #    define SIG_BUF_SIZE 128

boot/bootutil/src/image_validate.c

@@ -37,8 +37,6 @@
 /* Uncomment for ECDSA signatures using curve P-256. */
 #define MCUBOOT_SIGN_EC256
 
-// #define MCUBOOT_SIGN_EC
-
 /*
  * Upgrade mode
  *

boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h

@@ -85,31 +85,6 @@ const unsigned char rsa_pub_key[] = {
     0xc9, 0x02, 0x03, 0x01, 0x00, 0x01
 };
 const unsigned int rsa_pub_key_len = 270;
-#elif defined(MCUBOOT_SIGN_EC)
-/* Format of PEM :
- * -----BEGIN PUBLIC KEY-----
- * base64encode(DER)
- * -----END PUBLIC KEY----- */
-#if defined(ECC224_KEY_FILE)
-#include ECC224_KEY_FILE
-#else
-#warning "Used default ECC224 ecdsa_pub_key"
-/* It is OEM_PUB_KEY at this moment for debug purposes */
-/* Autogenerated by imgtool.py, do not edit. */
-const unsigned char ecdsa_pub_key[] = {
-    0x30, 0x4e, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86,
-    0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b,
-    0x81, 0x04, 0x00, 0x21, 0x03, 0x3a, 0x00, 0x04,
-    0xa5, 0x8b, 0x18, 0xa4, 0x60, 0x37, 0xf7, 0x0d,
-    0x2b, 0x06, 0xba, 0x4b, 0x4c, 0xd7, 0x8d, 0xec,
-    0x2a, 0x32, 0x5a, 0x0e, 0x52, 0xf4, 0x1b, 0x7c,
-    0x99, 0xec, 0x68, 0x5d, 0x05, 0xc3, 0x6b, 0x7b,
-    0x40, 0x9c, 0xaa, 0xac, 0x90, 0xf4, 0xfc, 0xbe,
-    0x98, 0xe5, 0x3e, 0x86, 0x3d, 0x37, 0xbf, 0x45,
-    0x78, 0x92, 0x27, 0xca, 0x69, 0xe6, 0xf2, 0xc5,
-};
-const unsigned int ecdsa_pub_key_len = 80;
-#endif
 #elif defined(MCUBOOT_SIGN_EC256)
 /* Format of PEM :
  * -----BEGIN PUBLIC KEY-----
@@ -141,16 +116,14 @@ const unsigned int ecdsa_pub_key_len = 91;
 #endif
 
 #if defined(MCUBOOT_SIGN_RSA) || \
-    defined(MCUBOOT_SIGN_EC) || \
     defined(MCUBOOT_SIGN_EC256)
 const struct bootutil_key bootutil_keys[] = {
 #if defined(MCUBOOT_SIGN_RSA)
     {
         .key = rsa_pub_key,
         .len = &rsa_pub_key_len,
     },
-#elif defined(MCUBOOT_SIGN_EC) || \
-    defined(MCUBOOT_SIGN_EC256)
+#elif defined(MCUBOOT_SIGN_EC256)
     {
         .key = ecdsa_pub_key,
         .len = &ecdsa_pub_key_len,

boot/cypress/MCUBootApp/keys.c

@@ -134,7 +134,6 @@ set(bootutil_srcs
     ${BOOTUTIL_DIR}/src/encrypted.c
     ${BOOTUTIL_DIR}/src/fault_injection_hardening.c
     ${BOOTUTIL_DIR}/src/fault_injection_hardening_delay_rng_mbedtls.c
-    ${BOOTUTIL_DIR}/src/image_ec.c
     ${BOOTUTIL_DIR}/src/image_ec256.c
     ${BOOTUTIL_DIR}/src/image_ed25519.c
     ${BOOTUTIL_DIR}/src/image_rsa.c

boot/espressif/CMakeLists.txt

@@ -48,9 +48,6 @@
 #if MYNEWT_VAL(BOOTUTIL_SIGN_ED25519)
 #define MCUBOOT_SIGN_ED25519 1
 #endif
-#if MYNEWT_VAL(BOOTUTIL_SIGN_EC)
-#define MCUBOOT_SIGN_EC 1
-#endif
 #if MYNEWT_VAL(BOOTUTIL_ENCRYPT_RSA)
 #define MCUBOOT_ENCRYPT_RSA 1
 #endif

boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h

@@ -31,9 +31,6 @@ syscfg.defs:
     BOOTUTIL_SIGN_RSA_LEN:
         description: 'Key size for RSA keys (2048 or 3072).'
         value: 2048
-    BOOTUTIL_SIGN_EC:
-        description: 'Images are signed using ECDSA NIST P-224.'
-        value: 0
     BOOTUTIL_SIGN_EC256:
         description: 'Images are signed using ECDSA NIST P-256.'
         value: 0

boot/mynewt/mcuboot_config/syscfg.yml

@@ -3,7 +3,7 @@
 
   - Copyright (c) 2017-2020 Linaro LTD
   - Copyright (c) 2017-2019 JUUL Labs
-  - Copyright (c) 2019-2021 Arm Limited
+  - Copyright (c) 2019-2023 Arm Limited
 
   - Original license:
 
@@ -107,7 +107,7 @@ struct image_tlv {
 #define IMAGE_TLV_KEYHASH           0x01   /* hash of the public key */
 #define IMAGE_TLV_SHA256            0x10   /* SHA256 of image hdr and body */
 #define IMAGE_TLV_RSA2048_PSS       0x20   /* RSA2048 of hash output */
-#define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output */
+#define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output - Not supported anymore */
 #define IMAGE_TLV_ECDSA256          0x22   /* ECDSA of hash output */
 #define IMAGE_TLV_RSA3072_PSS       0x23   /* RSA3072 of hash output */
 #define IMAGE_TLV_ED25519           0x24   /* ED25519 of hash output */

docs/design.md

@@ -5,10 +5,6 @@ shortcut was taken, and these signatures were padded to make them
 always a fixed length. Unfortunately, this padding was done in a way
 that is not easily reversible. Some crypto libraries (specifically, Mbed
 TLS) are fairly strict about the formatting of the ECDSA signature.
-This currently means that the ECDSA SECP224R1 (EC) signature
-checking code will fail to boot about 1 out of every 256 images,
-because the signature itself will end in a 0x00 byte, and the code
-will remove too much data, invalidating the signature.
 
 There are two ways to fix this: