ncsdk-35330 - WIP - experiments

boot/bootutil/include/bootutil/crypto/ecdsa.h

@@ -35,7 +35,8 @@
 #if (defined(MCUBOOT_USE_TINYCRYPT) + \
      defined(MCUBOOT_USE_CC310) + \
      defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
-     defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1
+     defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \
+     defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)) != 1
     #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO"
 #endif
 
@@ -58,8 +59,12 @@
     #define MCUBOOT_ECDSA_NEED_ASN1_SIG
 #endif /* MCUBOOT_USE_MBED_TLS */
 
+#if defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)
+    #include <ocrypto_ecdsa_p256.h>
+#endif /* MCUBOOT_USE_NRF_OBERON_EXPERIMENT */
+
 /*TODO: remove this after cypress port mbedtls to abstract crypto api */
-#if defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_MBED_TLS)
+#if defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_MBED_TLS) || defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)
 #define NUM_ECC_BYTES (256 / 8)
 #endif
 
@@ -83,7 +88,8 @@ extern "C" {
 #endif
 
 #if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \
-     defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)) \
+     defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) || \
+     defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)) \
      && !defined(MCUBOOT_USE_PSA_CRYPTO)
 /*
  * Declaring these like this adds NULL termination.
@@ -136,7 +142,7 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end)
 }
 #endif /* (MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */
 
-#ifndef MCUBOOT_USE_PSA_CRYPTO
+#if !defined(MCUBOOT_USE_PSA_CRYPTO)
 /*
  * cp points to ASN1 string containing an integer.
  * Verify the tag, and that the length is 32 bytes. Helper function.
@@ -186,7 +192,7 @@ static int bootutil_decode_sig(uint8_t signature[NUM_ECC_BYTES * 2], uint8_t *cp
     }
     return 0;
 }
-#endif /* !MCUBOOT_USE_PSA_CRYPTO */
+#endif /* !defined(MCUBOOT_USE_PSA_CRYPTO) */
 
 #if defined(MCUBOOT_USE_TINYCRYPT)
 typedef uintptr_t bootutil_ecdsa_context;
@@ -719,6 +725,54 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
 }
 #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
 
+#if defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)
+typedef uintptr_t bootutil_ecdsa_context;
+
+static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
+                                        uint8_t *pk, size_t pk_len,
+                                        uint8_t *hash, size_t hash_len,
+                                        uint8_t *sig, size_t sig_len)
+{
+  if (pk == NULL || hash == NULL || sig == NULL) {
+    return -1;
+  }
+
+  uint8_t signature[2 * NUM_ECC_BYTES];
+  int rc = bootutil_decode_sig(signature, sig, sig + sig_len);
+  if (rc) {
+      return -1;
+  }
+
+  /* Only support uncompressed keys */
+  if (pk[0] != 0x04) {
+      return -1;
+  }
+  /* Skip the first byte holding key format */
+  pk++;
+
+  rc = ocrypto_ecdsa_p256_verify_hash(signature, hash, pk);
+  return rc;
+}
+
+static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
+                                                  uint8_t **cp,uint8_t *end)
+{
+  (void)ctx;
+  return bootutil_import_key(cp, end);
+  return 0;
+}
+#endif /* MCUBOOT_USE_NRF_OBERON_EXPERIMENT */
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/include/bootutil/crypto/sha.h

@@ -31,7 +31,8 @@
 #if (defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \
      defined(MCUBOOT_USE_TINYCRYPT) + \
      defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
-     defined(MCUBOOT_USE_CC310)) != 1
+     defined(MCUBOOT_USE_CC310) + \
+     defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)) != 1
     #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO"
 #endif
 
@@ -82,6 +83,10 @@
     #include <cc310_glue.h>
 #endif /* MCUBOOT_USE_CC310 */
 
+#if defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)
+    #include <ocrypto_sha256.h>
+#endif /* MCUBOOT_USE_NRF_OBERON_EXPERIMENT */
+
 #include <stdint.h>
 
 #ifdef __cplusplus
@@ -302,6 +307,52 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
 }
 #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
 
+#if defined(MCUBOOT_USE_NRF_OBERON_EXPERIMENT)
+typedef ocrypto_sha256_ctx bootutil_sha_context;
+
+static inline int bootutil_sha_init(bootutil_sha_context *ctx)
+{
+  if (ctx == NULL) {
+    return -1;
+  }
+
+  ocrypto_sha256_init(ctx);
+  return 0;
+}
+
+static inline int bootutil_sha_drop(bootutil_sha_context *ctx)
+{
+  /* NOTE: No corresponding function for ocrypto_sha256 */
+  (void)ctx;
+  return 0;
+}
+
+static inline int bootutil_sha_update(bootutil_sha_context *ctx,
+                                      const void *data,
+                                      uint32_t data_len)
+{
+  if (ctx == NULL || data == NULL) {
+    return -1;
+  }
+
+  ocrypto_sha256_update(ctx, (const uint8_t *)data, (size_t)data_len);
+
+  return 0;
+}
+
+static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
+                                      uint8_t *output)
+{
+  if (ctx == NULL || output == NULL) {
+    return -1;
+  }
+
+  ocrypto_sha256_final(ctx, output);
+  return 0;
+}
+
+#endif /* MCUBOOT_USE_NRF_OBERON_EXPERIMENT */
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/zephyr/CMakeLists.txt

@@ -45,6 +45,11 @@ if(CONFIG_BOOT_USE_PSA_CRYPTO)
   )
 endif()
 
+if(CONFIG_BOOT_USE_NRF_OBERON_EXPERIMENT)
+  target_include_directories(MCUBOOT_BOOTUTIL INTERFACE ${OBERON_BASE}/include)
+  zephyr_link_libraries(nrfxlib_crypto)
+endif()
+
 if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO AND NOT CONFIG_NRF_SECURITY)
   zephyr_link_libraries(mbedTLS)
 endif()

boot/zephyr/Kconfig

@@ -54,6 +54,12 @@ config BOOT_USE_CC310
 config BOOT_USE_NRF_CC310_BL
 	bool
 
+config BOOT_USE_NRF_OBERON_EXPERIMENT
+  bool
+  default n
+  help
+    Use nrf oberon.
+
 config NRFXLIB_CRYPTO
 	bool
 
@@ -286,6 +292,10 @@ choice BOOT_ECDSA_IMPLEMENTATION
 	default BOOT_ECDSA_PSA if NRF_SECURITY
 	default BOOT_ECDSA_TINYCRYPT
 
+config BOOT_ECDSA_NRF_OBERON_EXPERIMENT
+  bool "Use nrf oberon"
+  select BOOT_USE_NRF_OBERON_EXPERIMENT
+
 config BOOT_ECDSA_TINYCRYPT
 	bool "Use tinycrypt"
 	select BOOT_USE_TINYCRYPT

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -51,6 +51,8 @@
 #define MCUBOOT_USE_PSA_CRYPTO
 #elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO)
 #define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO
+#elif defined(CONFIG_BOOT_USE_NRF_OBERON_EXPERIMENT)
+#define MCUBOOT_USE_NRF_OBERON_EXPERIMENT
 #endif
 
 #ifdef CONFIG_BOOT_IMG_HASH_ALG_SHA512