bl_*: Add ED25519 support #19159

Merged
merged 8 commits into from
Mar 12, 2025

nordicjm
Contributor

@nordicjm nordicjm commented Nov 29, 2024

Does not add support for ED25519 and SHA512, does not enable ED25519 by default on nRF54L15.

test_boot: ed25519-tests

@nordicjm nordicjm requested review from a team as code owners November 29, 2024 12:01
@github-actions github-actions bot added the changelog-entry-required label Nov 29, 2024
@NordicBuilder
Contributor

NordicBuilder commented Nov 29, 2024

CI Information

To view the history of this post, click the 'edited' button above
Build number: 28

Inputs:

Sources:

sdk-nrf:

PR head: 049b16af46faff93a29ef7503f6f1f8bcdc91194
merge base: cb05da3917f70589396ceebf7e43e0e5fcf03395
target head (main): edc738d351e3397410f453fcdf2a82014afb9990

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (15)
cmake
│  ├── sysbuild
│  │  ├── debug_keys.cmake
│  │  ├── provision_hex.cmake
│  │  │ sign.cmake
include
│  │ bl_crypto.h
subsys
│  ├── bootloader
│  │  ├── bl_crypto
│  │  │  ├── CMakeLists.txt
│  │  │  ├── Kconfig
│  │  │  ├── bl_crypto.c
│  │  │  ├── bl_crypto_ed25519.c
│  │  │  │ bl_crypto_sha512.c
│  │  ├── bl_validation
│  │  │  ├── Kconfig
│  │  │  │ bl_validation.c
│  ├── fw_info
│  │  │ Kconfig.template.fw_info_ext_api
sysbuild
│  ├── CMakeLists.txt
│  │ Kconfig.secureboot
tests
│  ├── subsys
│  │  ├── bootloader
│  │  │  ├── bl_validation
│  │  │  │  │ prj.conf

Outputs:

Toolchain

Version: acee3b0b2b
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:acee3b0b2b_e579f9fbe6

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister - Skipped: Skipping Build & Test as it succeeded in a previous run: 26
  • ❌ Integration tests
    • ✅ test-sdk-audio - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ desktop52_verification - Skipped: Job was skipped as it succeeded in a previous run
    • ❌ test-fw-nrfconnect-boot - Error: Error starting job: No item named latest/sub/test-fw-nrfconnect-boot/ed25519-tests found
    • ✅ test-fw-nrfconnect-apps - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_mesh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-chip - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nfc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_cloud - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_libmodem-nrf - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_serial_lte_modem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ doc-internal - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91 - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_crypto - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-proprietary_esb - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rpc - Skipped: Job was skipped as it succeeded in a previous run
    • ❌ test-fw-nrfconnect-rs
    • ✅ test-fw-nrfconnect-fem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-tfm - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-thread - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-zigbee - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-find-my - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_mosh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_positioning - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-sidewalk - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-wifi - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-low-level - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-pmic-samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-mcuboot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-dfu - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ps - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-secdom-samples-public - Skipped: Job was skipped as it succeeded in a previous run
    • ⚠️ test-fw-nrfconnect-fw-update

Note: This message is automatically posted and updated by the CI

@NordicBuilder
Contributor

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publish GitHub Action.

@nordicjm nordicjm force-pushed the ed25519nsibpr branch 10 times, most recently from 1439d7e to c2812fd Compare December 4, 2024 10:27
@nordicjm nordicjm requested a review from a team as a code owner December 4, 2024 10:27
@nordicjm nordicjm force-pushed the ed25519nsibpr branch 4 times, most recently from 4f7f146 to ab149da Compare December 4, 2024 13:08
@nordicjm nordicjm added this to the 3.0.0 milestone Dec 5, 2024
Comment on lines +134 to +158
select PSA_WANT_ALG_PURE_EDDSA
select PSA_WANT_ECC_TWISTED_EDWARDS_255
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
Contributor

I have these probably selected for SHA512 in MCUboot but they should not be needed, they are just required by ED25519, sha itself does not need them.
As far as I understand we are using KMU here so the _IMPORT should not be needed at all.

Contributor Author

This Kconfig is actually not used

Contributor

@nvlsianpu nvlsianpu left a comment

note for me
sysbuild: Add support for selecting b0 hash/signature types

#endif


Contributor

unwanted newline


config SECURE_BOOT_APPCORE_SUPPORTED_HASH_HARDWARE
bool
default y if SECURE_BOOT_HASH_TYPE_SHA256 && (SOC_SERIES_NRF91X || SOC_NRF52840)
Contributor

might be ...&& HAS_HW_NRF_CC310

Contributor Author

No such Kconfig in a sysbuild context, there is no devicetree


config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
bool
default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91X || SOC_NRF52840)
Contributor

as above

Contributor

Not to be fixed by this PR:
I'm starting to think about how misleading the secure_boot name is. It's NSIB under the hood. Also, the SB acronym is used elsewhere.
MCUboot is another bootloader which can also be claimed to be a secure bootloader, which might cause some concerns around the name.
Probably today is not the time to change this.

@nordicjm
Contributor Author

@nordicjm nordicjm added the DNM label Feb 26, 2025
@nordicjm nordicjm changed the title from "bl_*: Add ED25519 support for nRF54L15" to "bl_*: Add ED25519 support" Feb 26, 2025

You can find the documentation preview for this PR here.

@nordicjm nordicjm force-pushed the ed25519nsibpr branch 2 times, most recently from 84b4b0b to 7de4594 Compare February 26, 2025 12:21
@nvlsianpu
Contributor

Changes seem to be as expected by me. FYI @gchwier

+++ b/sysbuild/Kconfig.secureboot
@@ -37,7 +37,6 @@ config SECURE_BOOT_APPCORE_SUPPORTED_HASH_NONE
 config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
        bool
        default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91X || SOC_NRF52840)
-       default y if SECURE_BOOT_SIGNATURE_TYPE_ED25519 && SOC_NRF54L15_CPUAPP
 
 config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE
        bool
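Review bot: With the ED25519 line removed, SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE has no default left that can turn it on when SECURE_BOOT_SIGNATURE_TYPE_ED25519 is chosen, and because the symbol is a promptless `bool` it cannot be set from a configuration fragment either. Please confirm what an nRF54L15 build with ED25519 ends up using, for example whether it falls through to SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE below, and state that in the commit message so the change of verification backend is explicit.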
@@ -204,7 +203,6 @@ config SECURE_BOOT_SUPPORTED_SIGNATURE_ECDSA
 
 config SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519
        bool
-       default y if SOC_NRF54L15_CPUAPP
 
 choice SECURE_BOOT_HASH_TYPE
        prompt "Hash type"
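Review bot: SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519 is left as a bare `bool` with no default, prompt or help text, so nothing visible in this hunk can set it to y. If the ED25519 entry of the signature-type choice depends on this symbol, that entry becomes unselectable on every SoC; either keep a default for the SoCs that are meant to support it or add a comment stating what is expected to enable it.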
+++ b/subsys/bootloader/Kconfig
@@ -73,7 +74,7 @@ config PM_PARTITION_SIZE_B0_IMAGE
        default 0x7800 if !B0_MIN_PARTITION_SIZE && (SOC_NRF5340_CPUNET)
        default FPROTECT_BLOCK_SIZE if SOC_SERIES_NRF91X || SOC_NRF5340_CPUAPP
        default 0x3800 if SOC_NRF5340_CPUNET
-       default 0x9800 if SOC_NRF54L15_CPUAPP
+       default 0x7800 if SOC_NRF54L15_CPUAPP
        default 0x7000 if !B0_MIN_PARTITION_SIZE
        default 0x4000
        help
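Review bot: The SOC_NRF54L15_CPUAPP default for PM_PARTITION_SIZE_B0_IMAGE shrinks from 0x9800 to 0x7800 (8 KiB less) with no reason given, in a series that adds SHA512 and ED25519 verification to the bootloader. Please record in the commit message which configuration was measured to fit in 0x7800, and note that this default applies whether or not B0_MIN_PARTITION_SIZE is set, because it precedes the `default 0x7000 if !B0_MIN_PARTITION_SIZE` line.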
@@ -103,6 +104,13 @@ config SB_CLEANUP_RAM
        help
          Sets contents of memory to 0 before jumping to application.

Adds support for using SHA512 signatures using PSA crypto

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Adds support for ED25519 signatures using PSA crypto

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Makes these fields optional for configurations where they are
not needed

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Does not add support for allowing the hash and signature type to
be selected, also does not add support for ED25519 on nrf54l15

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

The parameters listed are wrong

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Prevents compliance from complaining

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Selects the Kconfig to enable the hash field be present in the
output

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

The comments for no SHA256 and no secp256r1 wrongly stated that
these are disabled, this however is not true, the fields are
accessed and must still be present, therefore explain that whilst
they might not be checked, they are still required to be present

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

@nordicjm nordicjm removed the DNM label Mar 12, 2025
Contributor

@gchwier gchwier left a comment

Tested on downstream with disabled Fprotect.
Added scenarios with provisioning KMU keys for NSIB, upgrading APP with mcumgr, and upgrading MCUboot firmware (s1_image) - tests PASSED

One thing to be mentioned:
Copied from another task: "Once NSIB recognizes an image as invalid, it marks it as permanently invalid. This means that such an image will never be revisited for verification by NSIB. This causes a problem when the device was not provisioned before west flash (which resets the board), which causes NSIB to permanently invalidate images before the user might attempt to populate KMU."

@carlescufi carlescufi merged commit 5444288 into nrfconnect:main Mar 12, 2025
13 of 15 checks passed
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added.
7 participants