Initial experiments

Signed-off-by: Adam Szczygieł <adam.szczygiel@nordicsemi.no>

Author: adsz-nordic

boot/bootutil/include/bootutil/crypto/ecdsa.h

@@ -35,8 +35,9 @@
 #if (defined(MCUBOOT_USE_TINYCRYPT) + \
      defined(MCUBOOT_USE_CC310) + \
      defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
-     defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1
-    #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO"
+     defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \
+     defined(MCUBOOT_USE_NRF_OBERON)) != 1
+    #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO/NRF_OBERON"
 #endif
 
 #if defined(MCUBOOT_USE_TINYCRYPT)
@@ -58,8 +59,13 @@
     #define MCUBOOT_ECDSA_NEED_ASN1_SIG
 #endif /* MCUBOOT_USE_MBED_TLS */
 
+#if defined(MCUBOOT_USE_NRF_OBERON)
+  #include <ocrypto_ecdsa_p256.h>
+#endif /* MCUBOOT_USE_NRF_OBERON */
+
 /*TODO: remove this after cypress port mbedtls to abstract crypto api */
-#if defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_MBED_TLS)
+#if defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_MBED_TLS) || \
+  defined(MCUBOOT_USE_NRF_OBERON)
 #define NUM_ECC_BYTES (256 / 8)
 #endif
 
@@ -83,7 +89,8 @@ extern "C" {
 #endif
 
 #if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \
-     defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)) \
+     defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) || \
+     defined(MCUBOOT_USE_NRF_OBERON)) \
      && !defined(MCUBOOT_USE_PSA_CRYPTO)
 /*
  * Declaring these like this adds NULL termination.
@@ -719,6 +726,57 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
 }
 #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
 
+#if defined(MCUBOOT_USE_NRF_OBERON)
+#define UNCOMPRESSED_KEY_PREFIX 0x04
+
+typedef uintptr_t bootutil_ecdsa_context;
+
+static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
+{
+  (void)ctx;
+}
+
+static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
+{
+  (void)ctx;
+}
+
+static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
+                                        uint8_t *pk, size_t pk_len,
+                                        uint8_t *hash, size_t hash_len,
+                                        uint8_t *sig, size_t sig_len)
+{
+  if (pk == NULL || hash == NULL || sig == NULL) {
+    return -1;
+  }
+
+  uint8_t signature[2 * NUM_ECC_BYTES];
+  int rc = bootutil_decode_sig(signature, sig, sig + sig_len);
+  if (rc) {
+    return rc;
+  }
+
+  /* Support only uncompressed keys */
+  if (pk[0] != UNCOMPRESSED_KEY_PREFIX) {
+    return -2;
+  }
+
+  /* Skip the first byte holding key format */
+  pk++;
+
+  return ocrypto_ecdsa_p256_verify_hash(signature, hash, pk);
+}
+
+static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
+                                                  uint8_t **cp, uint8_t *end)
+{
+  (void)ctx;
+
+  return bootutil_import_key(cp, end);
+}
+
+#endif /* MCUBOOT_USE_NRF_OBERON */
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/include/bootutil/crypto/sha.h

@@ -31,8 +31,9 @@
 #if (defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \
      defined(MCUBOOT_USE_TINYCRYPT) + \
      defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
-     defined(MCUBOOT_USE_CC310)) != 1
-    #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO"
+     defined(MCUBOOT_USE_CC310) + \
+     defined(MCUBOOT_USE_NRF_OBERON)) != 1
+    #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO/NRF_OBERON"
 #endif
 
 #if defined(MCUBOOT_SHA512)
@@ -84,6 +85,10 @@
 
 #include <stdint.h>
 
+#if defined(MCUBOOT_USE_NRF_OBERON)
+  #include <ocrypto_sha256.h>
+#endif /* MCUBOOT_USE_NRF_OBERON */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -302,6 +307,51 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
 }
 #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
 
+#if defined(MCUBOOT_USE_NRF_OBERON)
+typedef ocrypto_sha256_ctx bootutil_sha_context;
+
+static inline int bootutil_sha_init(bootutil_sha_context *ctx)
+{
+  if (ctx == NULL) {
+    return -1;
+  }
+
+  ocrypto_sha256_init(ctx);
+  return 0;
+}
+
+static inline int bootutil_sha_drop(bootutil_sha_context *ctx)
+{
+  /* NOTE: No corresponding function for ocrypto_sha256 */
+  (void)ctx;
+  return 0;
+}
+
+static inline int bootutil_sha_update(bootutil_sha_context *ctx,
+                                      const void *data,
+                                      uint32_t data_len)
+{
+  if (ctx == NULL || data == NULL) {
+    return -1;
+  }
+
+  ocrypto_sha256_update(ctx, (const uint8_t *)data, (size_t)data_len);
+  return 0;
+}
+
+static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
+                                      uint8_t *output)
+{
+  if (ctx == NULL || output == NULL) {
+    return -1;
+  }
+
+  ocrypto_sha256_final(ctx, output);
+  return 0;
+}
+
+#endif /* MCUBOOT_USE_NRF_OBERON */
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/zephyr/CMakeLists.txt

@@ -48,6 +48,11 @@ if(CONFIG_BOOT_USE_TINYCRYPT)
   )
 endif()
 
+if(CONFIG_BOOT_USE_NRF_OBERON)
+  target_include_directories(MCUBOOT_BOOTUTIL INTERFACE ${OBERON_BASE}/include)
+  zephyr_link_libraries(nrfxlib_crypto)
+endif()
+
 if(CONFIG_BOOT_USE_PSA_CRYPTO)
   target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
      ${ZEPHYR_MBEDTLS_MODULE_DIR}/include

boot/zephyr/Kconfig

@@ -54,6 +54,12 @@ config BOOT_USE_CC310
 config BOOT_USE_NRF_CC310_BL
 	bool
 
+config BOOT_USE_NRF_OBERON
+  bool
+  default n
+  help
+    Use nrf oberon SW crypto.
+
 config NRFXLIB_CRYPTO
 	bool
 
@@ -286,6 +292,10 @@ choice BOOT_ECDSA_IMPLEMENTATION
 	default BOOT_ECDSA_PSA if NRF_SECURITY
 	default BOOT_ECDSA_TINYCRYPT
 
+config BOOT_ECDSA_NRF_OBERON
+  bool "use nrf oberon SW crypto."
+  select BOOT_USE_NRF_OBERON
+
 config BOOT_ECDSA_TINYCRYPT
 	bool "Use tinycrypt"
 	select BOOT_USE_TINYCRYPT

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -51,6 +51,8 @@
 #define MCUBOOT_USE_PSA_CRYPTO
 #elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO)
 #define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO
+#elif defined(CONFIG_BOOT_USE_NRF_OBERON)
+#define MCUBOOT_USE_NRF_OBERON
 #endif
 
 #ifdef CONFIG_BOOT_IMG_HASH_ALG_SHA512