# Copyright (c) 2023 Nordic Semiconductor
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
menu "Secure Bootloader"
# Hidden aggregate flag: selected by the per-core menuconfigs below
# (SECURE_BOOT_APPCORE, SECURE_BOOT_NETCORE) and used as the guard for the
# shared hash/signature/signing options further down in this file.
config SECURE_BOOT
	bool
	help
	  This option will be set if the first stage bootloader which verifies the signature of the
	  application is enabled for one or multiple cores.
menuconfig SECURE_BOOT_APPCORE
	bool "Appcore"
	select SECURE_BOOT
	help
	  Enable first stage bootloader for application core.
	  The application-core hash mode, signature mode, monotonic version counter and
	  S1 variant image options are only offered while this is enabled.
if SECURE_BOOT_APPCORE
# Capability flags for the application core's hash mode. They are hidden (no
# prompt) and only feed the defaults and "depends on" lines of the "Hash mode"
# choice below; the algorithm itself is picked by the shared SECURE_BOOT_HASH_TYPE.
config SECURE_BOOT_APPCORE_SUPPORTED_HASH_HARDWARE
	bool
	# Hardware SHA256 is only offered on the nRF91 series and the nRF52840.
	default y if SECURE_BOOT_HASH_TYPE_SHA256 && (SOC_SERIES_NRF91 || SOC_NRF52840)

config SECURE_BOOT_APPCORE_SUPPORTED_HASH_SOFTWARE
	bool
	default y if !SECURE_BOOT_HASH_TYPE_NONE

# "Unused" (hash carried in the image but not checked) is offered whenever a
# hash is present at all.
config SECURE_BOOT_APPCORE_SUPPORTED_HASH_UNUSED
	bool
	default y if !SECURE_BOOT_HASH_TYPE_NONE

config SECURE_BOOT_APPCORE_SUPPORTED_HASH_NONE
	bool
	default y if SECURE_BOOT_HASH_TYPE_NONE
# Capability flags for the application core's signature mode (hidden helpers
# for the "Signature mode" choice below).
config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
	bool
	# ECDSA acceleration: nRF91 series and nRF52840.
	# ED25519: nRF54L series only, and only in hardware (see the SOFTWARE flag).
	default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91 || SOC_NRF52840)
	default y if SECURE_BOOT_SIGNATURE_TYPE_ED25519 && SOC_SERIES_NRF54L

config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE
	bool
	# No software ED25519 verifier is offered, and there is nothing to verify
	# when the shared signature type is NONE.
	default y if !SECURE_BOOT_SIGNATURE_TYPE_NONE && !SECURE_BOOT_SIGNATURE_TYPE_ED25519

# Always offered: it is the only selectable mode when neither a hardware nor a
# software verifier is available (for example with SECURE_BOOT_SIGNATURE_TYPE_NONE).
config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_UNUSED
	bool
	default y
# How the application-core bootloader computes/checks the image hash.
# Kconfig takes the first default whose condition holds, so the order below
# prefers hardware, then software; "Unused"/"None" only win when nothing
# stronger is available.
choice SECURE_BOOT_APPCORE_HASH_TYPE
	prompt "Hash mode"
	default SECURE_BOOT_APPCORE_HASH_TYPE_HARDWARE if SECURE_BOOT_APPCORE_SUPPORTED_HASH_HARDWARE
	default SECURE_BOOT_APPCORE_HASH_TYPE_SOFTWARE if SECURE_BOOT_APPCORE_SUPPORTED_HASH_SOFTWARE
	default SECURE_BOOT_APPCORE_HASH_TYPE_UNUSED if SECURE_BOOT_APPCORE_SUPPORTED_HASH_UNUSED
	default SECURE_BOOT_APPCORE_HASH_TYPE_NONE if SECURE_BOOT_APPCORE_SUPPORTED_HASH_NONE

config SECURE_BOOT_APPCORE_HASH_TYPE_HARDWARE
	bool "Hardware"
	depends on SECURE_BOOT_APPCORE_SUPPORTED_HASH_HARDWARE
	help
	  Hashing using hardware acceleration.

config SECURE_BOOT_APPCORE_HASH_TYPE_SOFTWARE
	bool "Software"
	depends on SECURE_BOOT_APPCORE_SUPPORTED_HASH_SOFTWARE
	help
	  Hashing using software implementation.

config SECURE_BOOT_APPCORE_HASH_TYPE_UNUSED
	bool "Unused"
	depends on SECURE_BOOT_APPCORE_SUPPORTED_HASH_UNUSED
	help
	  Hash present but not used/verified.
	  The image still carries the hash, but the bootloader on this core does not
	  check it. Select this only deliberately; it is not intended for production
	  images.

config SECURE_BOOT_APPCORE_HASH_TYPE_NONE
	bool "None"
	depends on SECURE_BOOT_APPCORE_SUPPORTED_HASH_NONE
	help
	  Disables hashing and excludes hash.
	  Only available when the shared hash type is "None" (SECURE_BOOT_HASH_TYPE_NONE).
endchoice
# How the application-core bootloader verifies the image signature.
# First matching default wins: hardware, then software, then "Unused".
choice SECURE_BOOT_APPCORE_SIGNATURE_TYPE
	prompt "Signature mode"
	default SECURE_BOOT_APPCORE_SIGNATURE_TYPE_HARDWARE if SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
	default SECURE_BOOT_APPCORE_SIGNATURE_TYPE_SOFTWARE if SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE
	default SECURE_BOOT_APPCORE_SIGNATURE_TYPE_UNUSED if SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_UNUSED

config SECURE_BOOT_APPCORE_SIGNATURE_TYPE_HARDWARE
	bool "Hardware"
	depends on SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
	help
	  Signature verification using hardware acceleration.

config SECURE_BOOT_APPCORE_SIGNATURE_TYPE_SOFTWARE
	bool "Software"
	depends on SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE
	help
	  Signature verification using software implementation.

config SECURE_BOOT_APPCORE_SIGNATURE_TYPE_UNUSED
	bool "Unused"
	depends on SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_UNUSED
	help
	  Signature present but not used/verified.
	  With this selected the bootloader on this core performs no signature check,
	  i.e. it boots the image without authenticating it. Select it only when the
	  image is verified elsewhere; it is not a production setting for the
	  application core.
endchoice
# Anti-rollback protection. Enabled by default; only the slot count below is
# tunable when it is on.
config SECURE_BOOT_MONOTONIC_COUNTER
	bool "HW monotonic version counter"
	default y
	help
	  The counter stores the current firmware version in a way that ensures that the value
	  can only increase. This is used to prevent malicious rollback of the firmware.
	  An array of slots is used for the counter. One slot is used per
	  counter update, and each new slot must have a larger value than the
	  previous. Application versions are checked against the largest
	  counter value before being booted.
	  Disabling this removes that rollback check from the boot path.
# Size of the one-time-programmable slot array backing the monotonic counter.
# Each slot is consumed by one version increase, so this bounds how many times
# the version can ever be raised on a device; choose it for the product's
# lifetime, since the ranges below are hardware (OTP) limits.
config SECURE_BOOT_NUM_VER_COUNTER_SLOTS
	int "Number of monotonic counter slots used for the firmware version"
	default 20 if BOOTLOADER_MCUBOOT
	default 240
	range 2 300 if SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91 || SOC_SERIES_NRF54L
	range 2 1800 if SOC_SERIES_NRF52
	range 2 288 if SOC_SERIES_NRF51
	depends on SECURE_BOOT_MONOTONIC_COUNTER
	help
	  The number of monotonic counter slots available for the counter,
	  i.e., the number of times the counter can be updated.
	  The slots are 16 bits each.
	  Rationale for the default number (240): Assume one update a month for
	  10 years, then double that value just in case. This default fits
	  comfortably within the OTP region of UICR.
	  When a second stage bootloader is enabled, such as MCUboot, this counter is used
	  for the updates of the second stage bootloader and not of the application image. Thus
	  the default when MCUboot is enabled is 20, to allow two updates a year for 10 years.
	  Regarding ranges: The actual maximum depends on the number of
	  provisioned public keys, since they share the space. The same is true if
	  other data is stored in the "OTP" region (on for example nRF91 and nRF53).
	  This configuration should not be used in code. Instead, the header before the
	  slots should be read at run-time.
endif # SECURE_BOOT_APPCORE
# First-stage bootloader for the network core (nRF5340-style dual-core parts,
# gated by SUPPORT_NETCORE). Note that this does not depend on
# SECURE_BOOT_APPCORE; the two cores are configured independently.
menuconfig SECURE_BOOT_NETCORE
	bool "Netcore"
	depends on SUPPORT_NETCORE
	select SECURE_BOOT
	help
	  Enable first stage bootloader for network core.
if SECURE_BOOT_NETCORE
# Capability flags for the network core's hash mode (hidden helpers for the
# "Hash mode" choice below). Unlike the application core, no hardware hash
# option is offered for the network core.
config SECURE_BOOT_NETCORE_SUPPORTED_HASH_SOFTWARE
	bool
	default y if !SECURE_BOOT_HASH_TYPE_NONE

config SECURE_BOOT_NETCORE_SUPPORTED_HASH_UNUSED
	bool
	default y if !SECURE_BOOT_HASH_TYPE_NONE

config SECURE_BOOT_NETCORE_SUPPORTED_HASH_NONE
	bool
	default y if SECURE_BOOT_HASH_TYPE_NONE
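# Capability flags for the network core's signature mode (hidden helpers for
# the "Signature mode" choice below). No hardware option is offered here.
#
# Kept consistent with SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE: a
# software verifier is only meaningful when the image actually carries a
# signature, i.e. when the shared signature type is not NONE ("Disables
# signatures and excludes public key"). Previously this was unconditionally y,
# which let "Software" be selected for the network core even though nothing
# would be there to verify.
config SECURE_BOOT_NETCORE_SUPPORTED_SIGNATURE_SOFTWARE
	bool
	default y if !SECURE_BOOT_SIGNATURE_TYPE_NONE

# Always offered: it is the default for this core (see the choice below) and
# the only selectable mode when no verifier is available.
config SECURE_BOOT_NETCORE_SUPPORTED_SIGNATURE_UNUSED
	bool
	default y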
# How the network-core bootloader computes/checks the image hash.
# First matching default wins: software, then "Unused", then "None".
choice SECURE_BOOT_NETCORE_HASH_TYPE
	prompt "Hash mode"
	default SECURE_BOOT_NETCORE_HASH_TYPE_SOFTWARE if SECURE_BOOT_NETCORE_SUPPORTED_HASH_SOFTWARE
	default SECURE_BOOT_NETCORE_HASH_TYPE_UNUSED if SECURE_BOOT_NETCORE_SUPPORTED_HASH_UNUSED
	default SECURE_BOOT_NETCORE_HASH_TYPE_NONE if SECURE_BOOT_NETCORE_SUPPORTED_HASH_NONE

config SECURE_BOOT_NETCORE_HASH_TYPE_SOFTWARE
	bool "Software"
	depends on SECURE_BOOT_NETCORE_SUPPORTED_HASH_SOFTWARE
	help
	  Hashing using software implementation.

config SECURE_BOOT_NETCORE_HASH_TYPE_UNUSED
	bool "Unused"
	depends on SECURE_BOOT_NETCORE_SUPPORTED_HASH_UNUSED
	help
	  Hash present but not used/verified.
	  The image still carries the hash, but the bootloader on this core does not
	  check it. Select this only deliberately.

config SECURE_BOOT_NETCORE_HASH_TYPE_NONE
	bool "None"
	depends on SECURE_BOOT_NETCORE_SUPPORTED_HASH_NONE
	help
	  Disables hashing and excludes hash.
	  Only available when the shared hash type is "None" (SECURE_BOOT_HASH_TYPE_NONE).
endchoice
choice SECURE_BOOT_NETCORE_SIGNATURE_TYPE
	# Application core verifies image, network core signature checking support is disabled by
	# default selection to reduce flash usage.
	# NOTE(review): nothing in this file ties that default to SECURE_BOOT_APPCORE
	# being enabled in the same build (SECURE_BOOT_NETCORE only depends on
	# SUPPORT_NETCORE). When relying on "Unused" here, confirm that the
	# application-core side really does verify the network-core image in the
	# chosen configuration.
	prompt "Signature mode"
	default SECURE_BOOT_NETCORE_SIGNATURE_TYPE_UNUSED if SECURE_BOOT_NETCORE_SUPPORTED_SIGNATURE_UNUSED

config SECURE_BOOT_NETCORE_SIGNATURE_TYPE_SOFTWARE
	bool "Software"
	depends on SECURE_BOOT_NETCORE_SUPPORTED_SIGNATURE_SOFTWARE
	help
	  Signature verification using software implementation.

config SECURE_BOOT_NETCORE_SIGNATURE_TYPE_UNUSED
	bool "Unused"
	depends on SECURE_BOOT_NETCORE_SUPPORTED_SIGNATURE_UNUSED
	help
	  Signature present but not used/verified.
	  The network-core bootloader itself does not authenticate the image in this
	  mode; it relies on the image having been verified by the application core.
endchoice
endif # SECURE_BOOT_NETCORE
if SECURE_BOOT
# Which hash and signature algorithms the shared "Hash type"/"Signature type"
# choices may offer. Hidden helpers. Nothing in this file sets the SHA512 flag,
# so SHA512 is only selectable if another Kconfig fragment enables it.
config SECURE_BOOT_SUPPORTED_HASH_SHA512
	bool

config SECURE_BOOT_SUPPORTED_HASH_SHA256
	bool
	default y if !SECURE_BOOT_SIGNATURE_TYPE_ED25519

# ED25519 is the only signature type for which no separate image hash is
# offered here: with it selected, SHA256 is unsupported and "None" becomes the
# only hash type (presumably because the scheme hashes internally — confirm
# against the bootloader implementation).
config SECURE_BOOT_SUPPORTED_HASH_NONE
	bool
	default y if SECURE_BOOT_SIGNATURE_TYPE_ED25519

config SECURE_BOOT_SUPPORTED_SIGNATURE_ECDSA
	bool
	default y

config SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519
	bool
	default y if SOC_SERIES_NRF54L
# Hash algorithm shared by all cores. First matching default wins:
# SHA512 (only if some other fragment enables it), then SHA256, then None.
choice SECURE_BOOT_HASH_TYPE
	prompt "Hash type"
	default SECURE_BOOT_HASH_TYPE_SHA512 if SECURE_BOOT_SUPPORTED_HASH_SHA512
	default SECURE_BOOT_HASH_TYPE_SHA256 if SECURE_BOOT_SUPPORTED_HASH_SHA256
	default SECURE_BOOT_HASH_TYPE_NONE if SECURE_BOOT_SUPPORTED_HASH_NONE

config SECURE_BOOT_HASH_TYPE_SHA512
	bool "SHA512"
	depends on SECURE_BOOT_SUPPORTED_HASH_SHA512
	help
	  SHA512 hash.

config SECURE_BOOT_HASH_TYPE_SHA256
	bool "SHA256"
	depends on SECURE_BOOT_SUPPORTED_HASH_SHA256
	help
	  SHA256 hash.

config SECURE_BOOT_HASH_TYPE_NONE
	bool "None"
	depends on SECURE_BOOT_SUPPORTED_HASH_NONE
	help
	  Disables hashing and excludes hash.
	  Only offered when the selected signature type is ED25519.
endchoice
# Signature algorithm shared by all cores. First matching default wins:
# ED25519 on nRF54L, otherwise ECDSA; "None" is only reached when neither
# algorithm is supported.
choice SECURE_BOOT_SIGNATURE_TYPE
	prompt "Signature type"
	default SECURE_BOOT_SIGNATURE_TYPE_ED25519 if SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519
	default SECURE_BOOT_SIGNATURE_TYPE_ECDSA if SECURE_BOOT_SUPPORTED_SIGNATURE_ECDSA
	default SECURE_BOOT_SIGNATURE_TYPE_NONE

config SECURE_BOOT_SIGNATURE_TYPE_ED25519
	bool "ED25519"
	depends on SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519
	help
	  ED25519 signatures using hardware acceleration.
	  Only a hardware verifier is offered for this type (see the per-core
	  "Signature mode" options).

config SECURE_BOOT_SIGNATURE_TYPE_ECDSA
	bool "ECDSA"
	depends on SECURE_BOOT_SUPPORTED_SIGNATURE_ECDSA
	help
	  ECDSA signatures.
	  Whether verification uses hardware acceleration or a software implementation
	  is chosen per core by the "Signature mode" options; hardware acceleration is
	  only offered for the application core on the nRF91 series and nRF52840.

# This entry has no "depends on", so it is always selectable by the user.
config SECURE_BOOT_SIGNATURE_TYPE_NONE
	bool "None"
	help
	  Disables signatures and excludes public key.
	  No public key is provisioned and no core can authenticate the image. This is
	  the fallback default only when neither ECDSA nor ED25519 is supported and is
	  not suitable for production firmware.
endchoice
# Hidden string consumed by sysbuild when building the network-core
# bootloader; only the nRF5340 application core gets a value here.
config SECURE_BOOT_NETWORK_BOARD_TARGET_CPUCLUSTER
	string
	default "cpunet" if SOC_NRF5340_CPUAPP
	depends on SECURE_BOOT_NETCORE
	help
	  Remote CPU cluster when building the secure boot application for the network core. If not
	  set, the board given to sysbuild is used.
# Hidden symbol (no prompt): it defaults to y whenever the application-core
# bootloader is enabled and can only be changed from a Kconfig fragment.
config SECURE_BOOT_BUILD_S1_VARIANT_IMAGE
	bool
	default y
	depends on SECURE_BOOT_APPCORE
	help
	  Will build an S1 variant image for the second slot.
# How the firmware signature is produced at build time. The Python path reads
# the private key file directly; the custom path delegates to an external
# command (see SECURE_BOOT_SIGNING_COMMAND), which is the option to use when
# the key must not leave an HSM or signing service.
choice SECURE_BOOT_SIGNING
	prompt "Firmware signing method"
	default SECURE_BOOT_SIGNING_PYTHON

config SECURE_BOOT_SIGNING_PYTHON
	bool "Sign with Python ecdsa library"

config SECURE_BOOT_SIGNING_CUSTOM
	bool "Sign with custom command"
endchoice
# NOTE(review): this file does not show what the build does when the path is
# left empty under SECURE_BOOT_SIGNING_PYTHON; confirm whether a debug key is
# generated in that case and make sure release builds set this explicitly.
config SECURE_BOOT_SIGNING_KEY_FILE
	string
	prompt "Private key PEM file" if !SECURE_BOOT_SIGNING_CUSTOM
	default ""
	help
	  Absolute (or relative to APPLICATION_CONFIG_DIR) path to the private key PEM file.
	  Specifies the private key used for signing the firmware image. The hash of the
	  corresponding public key is stored as the first entry in the list of public key hashes
	  in the provision hex file.
	  The build reads this private key directly, so keep the file outside the source tree
	  and never commit it. If the key must stay in an HSM or a signing service, use
	  SECURE_BOOT_SIGNING_CUSTOM instead.
	  See also SECURE_BOOT_PUBLIC_KEY_FILES.
config SECURE_BOOT_SIGNING_COMMAND
	string
	prompt "Custom signing command" if SECURE_BOOT_SIGNING_CUSTOM
	default ""
	help
	  This command will be called to produce a signature of the firmware. It will be called as:
	  "${SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND} <file>"
	  The command must calculate the signature over the contents of the <file> and write the
	  signature to stdout. The signature must be in DER format.
	  The signature is expected to be of the selected SECURE_BOOT_SIGNATURE_TYPE and to
	  correspond to the key given in SECURE_BOOT_SIGNING_PUBLIC_KEY. The command runs
	  with the build's privileges on every build, so keep signing secrets inside the
	  command's environment (for example an HSM) rather than in the build tree.
config SECURE_BOOT_SIGNING_PUBLIC_KEY
	string
	prompt "Public key PEM file" if SECURE_BOOT_SIGNING_CUSTOM
	default ""
	help
	  Path to a PEM file.
	  When using a custom signing command, specify the corresponding public key here. This
	  public key is checked during building, and added as the first entry in the provisioned
	  data. See SECURE_BOOT_PUBLIC_KEY_FILES.
	  It must be the public half of the key pair that SECURE_BOOT_SIGNING_COMMAND signs
	  with; otherwise the provisioned hash will not correspond to the signing key.
# The provisioned key list doubles as the key-rotation plan: validating an
# image against a key invalidates every key listed before it, so the order
# given here should be the intended rotation sequence (current signing key
# first, successors after it).
config SECURE_BOOT_PUBLIC_KEY_FILES
	string "Public Key PEM files"
	default ""
	help
	  Comma-separated list of absolute (or relative to APPLICATION_CONFIG_DIR) paths to public
	  key pem files. The provision hex file will contain a list of hashes of public keys. The
	  first public key hash is the one corresponding to the private signing key used to sign
	  the image. See SECURE_BOOT_SIGNING_KEY_FILE. The hashes of the public keys specified in
	  this configuration will be placed after the aforementioned public key hash, in the order
	  they appear in this config. The order is significant since if an image is successfully
	  validated against a public key in the list, all public keys before it in the list will be
	  invalidated.
	  Example value: ~/keys/pk1.pem,~/keys/pk2.pem,~/keys/pk3.pem
	  If config is the string "debug", 2 generated debug files will be used. If config is an
	  empty string then only the public key hash corresponding to the private signing key used
	  to sign the image is included in provision.hex.
	  The "debug" value uses keys generated by the build and is intended for development
	  only, not for devices that leave the lab.
# Hidden capability flag: the RRAMC BOOTCONF write lock is only available on
# the nRF54L application cores listed below.
config SECURE_BOOT_BOOTCONF_LOCK_WRITES_SUPPORTED
	bool
	default y if SOC_NRF54L15_CPUAPP || SOC_NRF54L05_CPUAPP || SOC_NRF54L10_CPUAPP
	default y if SOC_NRF54LV10A_CPUAPP
	default y if SOC_NRF54LM20A_CPUAPP || SOC_NRF54LM20B_CPUAPP
# On by default wherever supported; this is what keeps the bootloader's own
# NVM region immutable once it has started.
config SECURE_BOOT_BOOTCONF_LOCK_WRITES
	bool "Protect bootloader's NVM from writes"
	depends on SECURE_BOOT_BOOTCONF_LOCK_WRITES_SUPPORTED
	default y
	help
	  Sets RRAMC's BOOTCONF region protection to disable writes.
	  Disabling this leaves the bootloader's region write-enabled at runtime, which
	  undermines the immutability a first-stage bootloader relies on. Keep it enabled
	  on production devices.
# Test-only. Per SECURE_BOOT_PUBLIC_KEY_FILES, validating against a key
# invalidates every key listed before it, so with the signing key placed last a
# successful boot would invalidate all the other provisioned keys. Never enable
# this for devices that leave the lab.
config SECURE_BOOT_DEBUG_SIGNATURE_PUBLIC_KEY_LAST
	bool "[DEBUG] Place signing public key last"
	help
	  Place the public key used for signing last in the list instead of first. This is meant to
	  be used for testing looping through the public keys.
# Hidden (no prompt): can only be enabled from a Kconfig fragment, which is
# deliberate for a test-only switch that disables a security check.
config SECURE_BOOT_DEBUG_NO_VERIFY_HASHES
	bool
	help
	  [DEBUG] Don't check public key hashes for applicability. Only use this in (negative) tests!
# nRF54L application core only. NOTE(review): the contents of keyfile.json are
# not described here; confirm whether it carries key material before treating
# the build directory as non-sensitive.
config SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE
	bool "Generate default keyfile for provisioning during build"
	depends on SOC_SERIES_NRF54L
	depends on SECURE_BOOT_APPCORE
	help
	  If enabled, the build system will generate keyfile.json file in the build directory.
endif
endmenu