[nrf noup] zephyr: Remove dependency on key import when KMU is used #500
base: main
Conversation
…nto one place Make enc_key_public.h single point of definitions for key sizes, TLV indexes and so on. Upstream PR #: 2327 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 2d93958)
Use bootutil_macros.h instead. Upstream PR #: 2327 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit c1bb3a3)
…tions Cleanup. Upstream PR #: 2327 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit f4a5081)
Incorrect range check fix. Upstream PR #: 2337 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit fa17bc9)
This fixes issues when trying to compress images with no header padding requested. Upstream PR #: 2334 Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit 9e0bebc)
hfwinfo returns a bitmask, not single values. Upstream PR #: 2342 Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit 18e3bc8)
…erase This fixes issues when trying to erase the secondary slot trailer for platforms with MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE set from the flash driver. Explicitly calling 'scramble' on the region ensures we delete the trailer. Upstream PR #: 2341 Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit bb644c7)
Consolidates USB DFU entry logic by unifying GPIO and timeout-based DFU triggers under a common flag. This avoids code duplication and improves maintainability. Also improves log clarity for different DFU exit conditions. Signed-off-by: Sayooj K Karun <[email protected]> (cherry picked from commit 402d3f7) Signed-off-by: Dominik Ermel <[email protected]>
Add additional log lines to allow easier tracking of potential failures in image validation. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 11f9c6f)
Improve logging to make it easier to track image validation failures in development. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit c5011f2)
Fixed comments indentation. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit e56cecc)
…25519 Information on TLV and format. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit e542295)
Add support for HKDF/HMAC based on SHA512 for ECIES-X25519 key exchange. The commit adds MCUBOOT_HMAC_SHA512 that enables new TLV IMAGE_TLV_ENC_X25519_SHA512. Encryption code has been altered to support the MCUBOOT_HMAC_SHA512. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 1d83177)
The commit adds CONFIG_BOOT_HMAC_SHA512 that enables MCUboot configuration option MCUBOOT_HMAC_SHA512, that is used for switching HKDF/HMAC in ECIES key exchange to SHA512, from default SHA256. This option, currently, is only available for ECIES-X25519 with PSA as crypto backend. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 3771916)
…25519 Commit adds imgtool command line option --hmac-sha, allowing selection between SHA256 and SHA512 for HMAC/HKDF. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit a36f951)
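The three commits above switch the HKDF/HMAC hash used in the ECIES-X25519 key exchange. The following is an added example, not imgtool's or MCUboot's code, that shows both sides of such an exchange with a selectable hash: the signer side wraps the image key under an ephemeral X25519 agreement and tags it with HMAC, and the bootloader side checks the tag before unwrapping. The TLV payload layout (ephemeral public key, then tag, then wrapped key), the HKDF info string, the 16-byte image key and the XOR stand-in for the symmetric wrap step are assumptions of this example rather than details taken from this page (upstream imgtool wraps with AES-CTR; that is from general knowledge of imgtool, not from this PR). The recipient key is the Alice key from RFC 7748 section 6.1; X25519 and HKDF are implemented inline so the example runs with the standard library only.

```python
import hashlib
import hmac
import os

# X25519 (RFC 7748) in pure Python so the example needs no third-party package.
_P = 2**255 - 19
_A24 = 121665
_BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns scalar * u as 32 bytes."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % _P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow(da + cb, 2, _P)
        z3 = x1 * pow(da - cb, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def x25519_public(priv: bytes) -> bytes:
    return x25519(priv, _BASEPOINT)


def hkdf(hash_fn, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with an empty salt, parameterised by the hash function."""
    hlen = hash_fn().digest_size
    prk = hmac.new(b"\x00" * hlen, ikm, hash_fn).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]


HASHES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}
IMAGE_KEY_LEN = 16                    # assumption: a 16-byte (AES-128) image key
HKDF_INFO = b"example-ecies-x25519"   # hypothetical info string, not imgtool's


def _derive(hash_name: str, shared: bytes):
    """Split HKDF output into a wrap key and a MAC key one digest long (assumed split)."""
    h = HASHES[hash_name]
    okm = hkdf(h, shared, HKDF_INFO, IMAGE_KEY_LEN + h().digest_size)
    return okm[:IMAGE_KEY_LEN], okm[IMAGE_KEY_LEN:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_image_key(hash_name, recipient_pub, image_key, eph_priv=None) -> bytes:
    """Signer side: returns eph_pub || tag || wrapped_key. The wrap is a one-time
    XOR with the fresh HKDF-derived key, a stand-in for the real AES-CTR step."""
    eph_priv = eph_priv or os.urandom(32)
    shared = x25519(eph_priv, recipient_pub)
    if shared == bytes(32):           # RFC 7748: reject low-order peer points
        raise ValueError("low-order recipient public key")
    wrap_key, mac_key = _derive(hash_name, shared)
    wrapped = _xor(image_key, wrap_key)
    tag = hmac.new(mac_key, wrapped, HASHES[hash_name]).digest()
    return x25519_public(eph_priv) + tag + wrapped


def unwrap_image_key(hash_name, recipient_priv, tlv):
    """Bootloader side: verify the tag before using the wrapped key. Returns the
    image key, or None on length mismatch, bad tag or low-order ephemeral point."""
    hlen = HASHES[hash_name]().digest_size
    if len(tlv) != 32 + hlen + IMAGE_KEY_LEN:
        return None
    eph_pub, tag, wrapped = tlv[:32], tlv[32:32 + hlen], tlv[32 + hlen:]
    shared = x25519(recipient_priv, eph_pub)
    if shared == bytes(32):
        return None
    wrap_key, mac_key = _derive(hash_name, shared)
    expected = hmac.new(mac_key, wrapped, HASHES[hash_name]).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(wrapped, wrap_key)


# Constructed inputs: recipient key is the "Alice" private key from RFC 7748 section 6.1.
RECIPIENT_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RECIPIENT_PUB = x25519_public(RECIPIENT_PRIV)
IMAGE_KEY = bytes(range(IMAGE_KEY_LEN))

if __name__ == "__main__":
    for name in ("sha256", "sha512"):
        tlv = wrap_image_key(name, RECIPIENT_PUB, IMAGE_KEY)
        print(name, "payload length:", len(tlv),
              "unwrap ok:", unwrap_image_key(name, RECIPIENT_PRIV, tlv) == IMAGE_KEY)
```

Switching the hash changes the tag from 32 to 64 bytes, so the parser has to know which variant it is reading; that is why a separate TLV type for the SHA512 variant, as the commits introduce, rather than a flag inside the existing one, is the safer design. A bootloader that tried the wrong variant here fails the length check instead of mis-slicing the payload, and any change to the wrapped key or the tag fails the constant-time HMAC comparison before the key is ever used.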
Fetch the flash base address if direct hash calculation is performed. Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit 6a178d2)
…d config This board has not been supported in a long time, remove it Upstream PR #: 2380 Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 78ad12e)
Remove redundant application size calculations in favor of a swap-specific function, implemented inside swap_<type>.c. In this way, slot sizes use the same restrictions as image validation. Upstream PR #: 2318 Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit cf1f76c)
…configuration Remove configs that enable multithreading just because of SPI/QSPI use. Currently, nrf drivers do not depend on multithreading, so it is not needed and this change can save memory usage. Upstream PR #: 2375 Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit dd6b3ac)
Option to put execution in infinite loop. Meant to be used for debug. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 5eaf190)
Commit introduces BOOT_SOMETHING_USES_SHA<256,384,512> Kconfig options that can be used to control what algorithms should be compiled in with crypto backends. Upstream PR #: 2390 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 62ee266)
Allow depending on a specific slot while specifying the version number. This functionality is useful when the Direct XIP mode is used and the booting process of other images is done by the next stage, not MCUboot itself. Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit dce784a)
Adds Kconfig option CONFIG_BOOT_ECDSA_PSA that allows switching ECDSA to the PSA backend. Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit 5ee96f5)
Use the generic commit-tags action to provide sauce tag checks. Signed-off-by: Carles Cufi <[email protected]> (cherry picked from commit 67c4da4)
Removes the `add_subdirectory` of nrfxlib; it will still check that the nrfxlib is located outside the mcuboot directory. Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Martí Bolívar <[email protected]> Signed-off-by: Emil Obalski <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Håkon Øye Amundsen <[email protected]> Signed-off-by: Ioannis Glaropoulos <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 0566363)
Add prj_minimal.conf, a Kconfig fragment to be used for minimally sized image production. The minimal fragment has been simplified for only external crypto. Move partition sizing into Kconfig to be consistent with the method used by b0. Using this fragment with prj_minimal.conf makes MCUboot < 16kB for all nRF devices (9160 still needs 32kB partition). Ref: NCSDK-6704 Signed-off-by: Stephen Stauts <[email protected]> Signed-off-by: Martí Bolívar <[email protected]> Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit 33d3e61)
Adds project configurations for the two systems on the Thingy:91 (PCA-20035) board. The bootloader that is factory-programmed on Thingy:91 does not support the ECDSA signature type. Hence this commit also sets the signature type to RSA for applications built for Thingy:91. Signed-off-by: Bernt Johan Damslora <[email protected]> Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Jon Helge Nistad <[email protected]> Signed-off-by: Balaji Srinivasan <[email protected]> Signed-off-by: Robert Lubos <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Marek Pieta <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 0512d8d)
The default value of CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT for nRF52 SOCs has been changed from 0 to 3, but it makes MCUBoot get stuck on erasing flash pages when swapping two images. Restore the previous value until the RTC issue is resolved (see NCSDK-14427) Signed-off-by: Damian Krolik <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 3957a30)
This patch adds board configuration for the Thingy:91 X. Signed-off-by: Maximilian Deubel <[email protected]> (cherry picked from commit 1b2d11c)
Partition Manager is an nRF Connect SDK component which uses yaml files to resolve flash partition placement with a holistic view of the device. This component's MCUboot portions began life as upstream mcuboot PR#430. This added support for being built as a sub image from the downstream Nordic patch set for a zephyr multi image build system (mcuboot 430 was combined with effort submitted to upstream zephyr as PR#13672, which was ultimately reworked after being rejected for mainline at the ELCE 2019 conference in Lyon). It has since evolved over time. This is the version that will go into NCS v1.3. It features:
- page size aligned partitions for all partitions used by mcuboot.
- image swaps without scratch partitions

Add support for configurations where there exist two primary slots but only one secondary slot, which is shared. These two primary slots are the regular application and B1. B1 can be either S0 or S1 depending on the state of the device. Decide where an upgrade should be stored by looking at the vector table. Provide update candidates for both s0 and s1. These candidates must be signed with mcuboot after being signed by b0.

Additional notes:
- we make update.hex without trailer data. This is needed for serial recovery to work using hex files. Prior to this the update.hex got TLV data at the end of the partition, which caused many blank pages to be included, which made it hard to use in a serial recovery scheme. Instead, make update.hex without TLV data at the end, and provide a new file test_update.hex which contains the TLV data, and can be directly flashed to test the upgrade procedure.
- we use a function for signing the application as future-proofing for when other components must be signed as well
- this includes an update to single image applications that enables support for partition manager; when single image DFU is used, a scratch partition is not needed.
- In NCS, image 1 primary slot is the upgrade bank for mcuboot (i.e. S0 or S1 depending on the active slot). It is not required that this slot contains any valid data.
- The nRF boards all have a single flash page size, and partition manager deals with the size of the update partitions and so on, so we must skip a boot_slots_compatible() check to avoid getting an error.
- There is no need to verify the target when using partition manager.
- We lock mcuboot using fprotect before jumping, to enable the secure boot property of the system.
- Call fw_info_ext_api_provide() before booting if EXT_API_PROVIDE EXT_API is enabled. This is relevant only when the immutable bootloader has booted mcuboot.

Signed-off-by: Håkon Øye Amundsen <[email protected]> Signed-off-by: Øyvind Rønningstad <[email protected]> Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Martí Bolívar <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Andrzej Głąbek <[email protected]> Signed-off-by: Robert Lubos <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Emil Obalski <[email protected]> Signed-off-by: Pawel Dunaj <[email protected]> Signed-off-by: Ioannis Glaropoulos <[email protected]> Signed-off-by: Johann Fischer <[email protected]> Signed-off-by: Vidar Berg <[email protected]> Signed-off-by: Draus, Sebastian <[email protected]> Signed-off-by: Trond Einar Snekvik <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> Signed-off-by: Georgios Vasilakis <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 9554013)
This reverts commit 9dacf6d. Signed-off-by: Tomasz Chyrowicz <[email protected]>
This reverts commit 373038b. Signed-off-by: Tomasz Chyrowicz <[email protected]>
…ture key" This reverts commit 26192ca. Signed-off-by: Tomasz Chyrowicz <[email protected]>
…ssion" This reverts commit 0ae1441. Signed-off-by: Tomasz Chyrowicz <[email protected]>
This reverts commit 002515b. Signed-off-by: Tomasz Chyrowicz <[email protected]>
This reverts commit 898b9bc. Signed-off-by: Tomasz Chyrowicz <[email protected]>
This reverts commit 4292905. Signed-off-by: Tomasz Chyrowicz <[email protected]>
This reverts commit e1f2ab3. Signed-off-by: Tomasz Chyrowicz <[email protected]>
Add a possibility to express vendor ID and image class ID inside image's TLVs. Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit 94ad4d4)
Allow to specify VID and CID for an image. Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit 59d2f7a)
Add a capability inside the Zephyr bootloader to handle memory-based bootloader requests to: - Boot recovery firmware - Boot firmware loader - Confirm an image - Set the slot preference Ref: NCSDK-34429 Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit e1f2ab3)
nrf-squash! [nrf noup] bootloader: Add bootloader requests Improve logic that handles sending bootloader requests as a result of issuing the MCUmgr commands. Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit 4292905)
Adds support for LZMA-compressed firmware updates which also supports encrypted images and supports more than 1 updateable image Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Michal Kozikowski <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 27758d7)
This commit aligns to the changes in the nrfcompress API, which now enables the caller to provide the expected size of the decompressed image. ref: NCSDK-32340 Signed-off-by: Michal Kozikowski <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 002515b)
Adds selecting the experimental Kconfig when compression is in use Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 0ae1441)
The commit adds verification of image using keys stored in KMU. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 26192ca)
Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported; the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 373038b)
Disable previous generation key when update comes with new valid key and application is confirmed. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 9dacf6d)
This configuration has the purpose of using keys provisioned to the internal trusted storage (ITS). It makes use of the already existing parts of code for MCUBOOT_BUILTIN_KEY Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit d69621e)
nrf-squash! [nrf noup] Added BOOT_SIGNATURE_USING_ITS for ecdsa configuration Replace NRF_BOOT_SIGNATURE_USING_ITS with NCS_BOOT_SIGNATURE_USING_ITS prefix. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 4bfb139)
This commit introduces support for ed25519 signature verification when CONFIG_NCS_BOOT_SIGNATURE_USING_ITS is set (through the PSA API). Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit 391f093)
Provide an implementation for MCUboot UUID checks that specify a single, common vendor identifier and a unique class identifier for each image. Ref: NCSDK-34175 Signed-off-by: Tomasz Chyrowicz <[email protected]>
nrf-squash! [nrf noup] boot: Improve bootloader request handling Setting "test" for image was failing when using bootloader requests due to an incorrect value being returned from send_boot_request. Signed-off-by: Artur Hadasz <[email protected]>
nrf-squash! [nrf noup] bootloader: Add bootloader requests boot_request_retention.c could not be built if logs were disabled. Signed-off-by: Artur Hadasz <[email protected]>
Lock KMU keys before passing execution to application. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] bootutil: Add support for KMU stored ED25519 signature key We are not importing keys, from MCUboot, when KMU is in use. Signed-off-by: Dominik Ermel <[email protected]>
Compare 5be564f to 0a0a511
nvlsianpu
left a comment
I think now this can be somewhat more complicated, as PSA encryption (x25519) imports keys.
| select PSA_WANT_ALG_PURE_EDDSA | ||
| select PSA_WANT_ECC_TWISTED_EDWARDS_255 | ||
| select PSA_WANT_ECC_MONTGOMERY_255 | ||
| select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if !PSA_CORE_LITE |
| select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if !PSA_CORE_LITE | |
| select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if (!PSA_CORE_LITE || !BOOT_SIGNATURE_USING_KMU) |
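Review bot: the suggested condition `(!PSA_CORE_LITE || !BOOT_SIGNATURE_USING_KMU)` selects PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT in strictly more configurations than the PR's `!PSA_CORE_LITE` (it additionally pulls in import on PSA_CORE_LITE builds whenever the signature key is not in KMU), yet it still keys the decision only on where the signature key lives, while the comment above points out that the x25519 encryption path imports keys regardless of KMU. Since this same block selects PSA_WANT_ECC_MONTGOMERY_255 for that encryption path, the import select should also be gated on the encryption option (its Kconfig name is not visible in this snippet) so that a KMU-based Ed25519 signature build with encryption enabled still gets key-pair import; a one-line comment next to the select naming which path needs the import would make the next reader's job easier.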