CI: Upgrade artifact actions

.github/workflows/backport.yml

@@ -0,0 +1,31 @@
+name: Backport
+on:
+  pull_request_target:
+    types:
+      - closed
+      - labeled
+    branches:
+      - main
+
+jobs:
+  backport:
+    name: Backport
+    runs-on: ubuntu-22.04
+    # Only react to merged PRs for security reasons.
+    # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+    if: >
+      github.event.pull_request.merged &&
+      (
+        github.event.action == 'closed' ||
+        (
+          github.event.action == 'labeled' &&
+          contains(github.event.label.name, 'backport')
+        )
+      )
+    steps:
+      - name: Backport
+        uses: zephyrproject-rtos/[email protected]
+        with:
+          github_token: ${{ secrets.NCS_GITHUB_TOKEN }}
+          issue_labels: Backport
+          labels_template: '["Backport"]'

.github/workflows/commit-tags.yml

@@ -0,0 +1,28 @@
+name: Commit tags
+
+on:
+  pull_request:
+    types: [synchronize, opened, reopened, edited, labeled, unlabeled,
+            milestoned, demilestoned, assigned, unassigned, ready_for_review,
+            review_requested]
+
+jobs:
+  commit_tags:
+    runs-on: ubuntu-22.04
+    name: Run commit tags checks on patch series (PR)
+    steps:
+    - name: Update PATH for west
+      run: |
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: Checkout the code
+      uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        fetch-depth: 0
+
+    - name: Run the commit tags
+      uses: nrfconnect/action-commit-tags@main
+      with:
+        target: .
+        upstream: mcu-tools/mcuboot/main

.github/workflows/imgtool.yaml

@@ -35,13 +35,14 @@ jobs:
         pipenv run pip install pytest -e .
         pipenv run pytest --junitxml=../junit/pytest-results-${{ matrix.python-version }}.xml
     - name: Upload test results
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: always()
       with:
         name: pytest-results-${{ matrix.python-version }}
         path: |
           junit/pytest-results-${{ matrix.python-version }}*.xml
         if-no-files-found: ignore
+        overwrite: true
   environment:
     if: ${{ github.event_name == 'push' }}
     runs-on: ubuntu-latest

boot/boot_serial/src/boot_serial.c

@@ -81,6 +81,17 @@ BOOT_LOG_MODULE_DECLARE(mcuboot);
 #define ARRAY_SIZE ZCBOR_ARRAY_SIZE
 #endif
 
+#if defined(MCUBOOT_SHA512)
+    #define IMAGE_HASH_SIZE (64)
+    #define IMAGE_SHA_TLV   IMAGE_TLV_SHA512
+#elif defined(MCUBOOT_SIGN_EC384)
+    #define IMAGE_HASH_SIZE (48)
+    #define IMAGE_SHA_TLV   IMAGE_TLV_SHA384
+#else
+    #define IMAGE_HASH_SIZE (32)
+    #define IMAGE_SHA_TLV   IMAGE_TLV_SHA256
+#endif
+
 #ifndef MCUBOOT_SERIAL_MAX_RECEIVE_SIZE
 #define MCUBOOT_SERIAL_MAX_RECEIVE_SIZE 512
 #endif
@@ -91,7 +102,7 @@ BOOT_LOG_MODULE_DECLARE(mcuboot);
 #define BOOT_SERIAL_IMAGE_STATE_SIZE_MAX 0
 #endif
 #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH
-#define BOOT_SERIAL_HASH_SIZE_MAX 36
+#define BOOT_SERIAL_HASH_SIZE_MAX (IMAGE_HASH_SIZE + 4)
 #else
 #define BOOT_SERIAL_HASH_SIZE_MAX 0
 #endif
@@ -263,7 +274,7 @@ bs_list(char *buf, int len)
     const struct flash_area *fap;
     uint8_t image_index;
 #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH
-    uint8_t hash[32];
+    uint8_t hash[IMAGE_HASH_SIZE];
 #endif
 
     zcbor_map_start_encode(cbor_state, 1);
@@ -336,7 +347,7 @@ bs_list(char *buf, int len)
             }
 
 #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH
-            /* Retrieve SHA256 hash of image for identification */
+            /* Retrieve hash of image for identification */
             rc = boot_serial_get_hash(&hdr, fap, hash);
 #endif
 
@@ -440,7 +451,7 @@ bs_set(char *buf, int len)
      */
     uint8_t image_index = 0;
     size_t decoded = 0;
-    uint8_t hash[32];
+    uint8_t hash[IMAGE_HASH_SIZE];
     bool confirm;
     struct zcbor_string img_hash;
     bool ok;
@@ -523,7 +534,7 @@ bs_set(char *buf, int len)
                 }
             }
 
-            /* Retrieve SHA256 hash of image for identification */
+            /* Retrieve hash of image for identification */
             rc = boot_serial_get_hash(&hdr, fap, hash);
             flash_area_close(fap);
 
@@ -1467,9 +1478,9 @@ static int boot_serial_get_hash(const struct image_header *hdr,
             break;
         }
 
-        if (type == IMAGE_TLV_SHA256) {
+        if (type == IMAGE_SHA_TLV) {
             /* Get the image's hash value from the manifest section. */
-            if (len != 32) {
+            if (len != IMAGE_HASH_SIZE) {
                 return -1;
             }
 

boot/boot_serial/src/boot_serial_encryption.c

@@ -171,7 +171,7 @@ decrypt_region_inplace(struct boot_loader_state *state,
                     blk_sz = tlv_off - (off + bytes_copied);
                 }
             }
-            boot_encrypt(BOOT_CURR_ENC(state), slot,
+            boot_enc_decrypt(BOOT_CURR_ENC(state), slot,
                     (off + bytes_copied + idx) - hdr->ih_hdr_size, blk_sz,
                     blk_off, &buf[idx]);
         }

boot/bootutil/include/bootutil/crypto/aes_ctr.h

@@ -15,8 +15,8 @@
 #include "mcuboot_config/mcuboot_config.h"
 
 #if (defined(MCUBOOT_USE_MBED_TLS) + \
-     defined(MCUBOOT_USE_TINYCRYPT)) != 1
-    #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT"
+     defined(MCUBOOT_USE_TINYCRYPT) + defined(MCUBOOT_USE_PSA_CRYPTO)) != 1
+    #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT or PSA"
 #endif
 
 #if defined(MCUBOOT_USE_MBED_TLS)
@@ -38,12 +38,46 @@
     #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE TC_AES_BLOCK_SIZE
 #endif /* MCUBOOT_USE_TINYCRYPT */
 
+
+#if defined(MCUBOOT_USE_PSA_CRYPTO)
+    #include <psa/crypto.h>
+    #include "bootutil/enc_key_public.h"
+    #define BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE BOOT_ENC_KEY_SIZE
+    #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE (16)
+#endif
+
 #include <stdint.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if defined(MCUBOOT_USE_PSA_CRYPTO)
+typedef struct {
+	/* Fixme: This should not be, here, psa_key_id should be passed */
+	uint8_t key[BOOT_ENC_KEY_SIZE];
+} bootutil_aes_ctr_context;
+
+void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx);
+
+static inline void bootutil_aes_ctr_drop(bootutil_aes_ctr_context *ctx)
+{
+    memset(ctx, 0, sizeof(ctx));
+}
+
+static inline int bootutil_aes_ctr_set_key(bootutil_aes_ctr_context *ctx, const uint8_t *k)
+{
+    memcpy(ctx->key, k, sizeof(ctx->key));
+
+    return 0;
+}
+
+int bootutil_aes_ctr_encrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter,
+        const uint8_t *m, uint32_t mlen, size_t blk_off, uint8_t *c);
+int bootutil_aes_ctr_decrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter,
+        const uint8_t *c, uint32_t clen, size_t blk_off, uint8_t *m);
+#endif
+
 #if defined(MCUBOOT_USE_MBED_TLS)
 typedef mbedtls_aes_context bootutil_aes_ctr_context;
 static inline void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx)

boot/bootutil/include/bootutil/crypto/ecdsa.h

@@ -34,6 +34,7 @@
 
 #if (defined(MCUBOOT_USE_TINYCRYPT) + \
      defined(MCUBOOT_USE_CC310) + \
+     defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
      defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1
     #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO"
 #endif
@@ -70,12 +71,18 @@
 #include "bootutil/sign_key.h"
 #include "common.h"
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+    #include <bl_crypto.h>
+    #define NUM_ECC_BYTES (256 / 8)
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 #if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \
-     defined(MCUBOOT_USE_CC310)) && !defined(MCUBOOT_USE_PSA_CRYPTO)
+     defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)) \
+     && !defined(MCUBOOT_USE_PSA_CRYPTO)
 /*
  * Declaring these like this adds NULL termination.
  */
@@ -127,8 +134,6 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end)
 }
 #endif /* (MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */
 
-#if defined(MCUBOOT_USE_TINYCRYPT)
-#ifndef MCUBOOT_ECDSA_NEED_ASN1_SIG
 /*
  * cp points to ASN1 string containing an integer.
  * Verify the tag, and that the length is 32 bytes. Helper function.
@@ -178,8 +183,8 @@ static int bootutil_decode_sig(uint8_t signature[NUM_ECC_BYTES * 2], uint8_t *cp
     }
     return 0;
 }
-#endif /* not MCUBOOT_ECDSA_NEED_ASN1_SIG */
 
+#if defined(MCUBOOT_USE_TINYCRYPT)
 typedef uintptr_t bootutil_ecdsa_context;
 static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
 {
@@ -248,16 +253,20 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
 {
     (void)ctx;
     (void)pk_len;
-    (void)sig_len;
     (void)hash_len;
+    uint8_t dsig[2 * NUM_ECC_BYTES];
+
+    if (bootutil_decode_sig(dsig, sig, sig + sig_len)) {
+        return -1;
+    }
 
     /* Only support uncompressed keys. */
     if (pk[0] != 0x04) {
         return -1;
     }
     pk++;
 
-    return cc310_ecdsa_verify_secp256r1(hash, pk, sig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE);
+    return cc310_ecdsa_verify_secp256r1(hash, pk, dsig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE);
 }
 
 static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
@@ -613,6 +622,49 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
 
 #endif /* MCUBOOT_USE_MBED_TLS */
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+typedef uintptr_t bootutil_ecdsa_context;
+static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
+                                        uint8_t *pk, size_t pk_len,
+                                        uint8_t *hash, size_t hash_len,
+                                        uint8_t *sig, size_t sig_len)
+{
+    (void)ctx;
+    (void)pk_len;
+    (void)hash_len;
+    uint8_t dsig[2 * NUM_ECC_BYTES];
+
+    if (bootutil_decode_sig(dsig, sig, sig + sig_len)) {
+        return -1;
+    }
+
+    /* Only support uncompressed keys. */
+    if (pk[0] != 0x04) {
+        return -1;
+    }
+    pk++;
+
+    return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, pk, dsig);
+}
+
+static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
+                                                  uint8_t **cp,uint8_t *end)
+{
+    (void)ctx;
+    return bootutil_import_key(cp, end);
+}
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 }
 #endif