WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Added new signature algo: ECC384

pull/188/head
Daniele Lacamera 2022-03-24 07:48:01 +01:00 committed by David Garske
parent 0827aa34dd
commit d06178c3a8
15 changed files with 540 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
.github/workflows/test-renode-nrf52.yml vendored
View File

@ -30,18 +30,26 @@ jobs:
run: | run: |
make -C tools/test-expect-version make -C tools/test-expect-version
# ECC256 TEST
- name: make clean - name: make clean
run: | run: |
make clean && make -C tools/keytools clean && rm -f include/target.h make clean && make -C tools/keytools clean && rm -f include/target.h
- name: Select config - name: Select config
run: | run: |
cp config/examples/nrf52840.config .config && make include/target.h SIGN=ECC256 cp config/examples/nrf52840.config .config && make include/target.h
- name: Build key tools - name: Build key tools
run: | run: |
make -C tools/keytools SIGN=ECC256 make -C tools/keytools
# ECC256 TEST
- name: make clean
run: |
make clean && rm -f include/target.h
- name: Select config
run: |
cp config/examples/nrf52840.config .config && make include/target.h SIGN=ECC256
- name: Build wolfboot and test app image v1, SIGN=ECC256 - name: Build wolfboot and test app image v1, SIGN=ECC256
run: | run: |
@ -54,19 +62,35 @@ jobs:
- name: Renode Tests ECC256 - name: Renode Tests ECC256
run: ./tools/renode/docker-test.sh run: ./tools/renode/docker-test.sh
# ECC384 TEST
- name: make clean
run: |
make clean && rm -f include/target.h
- name: Select config
run: |
cp config/examples/nrf52840.config .config && make include/target.h SIGN=ECC384
- name: Build wolfboot and test app image v1, SIGN=ECC384
run: |
make SIGN=ECC384
- name: Build update image v2
run: |
make /tmp/renode-test-update.bin SIGN=ECC384 && cp /tmp/renode-test-update.bin test-app/
- name: Renode Tests ECC384
run: ./tools/renode/docker-test.sh
# ED25519 TEST # ED25519 TEST
- name: make clean - name: make clean
run: | run: |
make clean && make -C tools/keytools clean && rm -f include/target.h make clean && rm -f include/target.h
- name: Select config - name: Select config
run: | run: |
cp config/examples/nrf52840.config .config && make include/target.h SIGN=ED25519 cp config/examples/nrf52840.config .config && make include/target.h SIGN=ED25519
- name: Build key tools
run: |
make -C tools/keytools SIGN=ED25519
- name: Build wolfboot and test app image v1, SIGN=ED25519 - name: Build wolfboot and test app image v1, SIGN=ED25519
run: | run: |
make SIGN=ED25519 make SIGN=ED25519
@ -81,16 +105,12 @@ jobs:
# ED448 TEST # ED448 TEST
- name: make clean - name: make clean
run: | run: |
make clean && make -C tools/keytools clean && rm -f include/target.h make clean && rm -f include/target.h
- name: Select config - name: Select config
run: | run: |
cp config/examples/nrf52840.config .config && make include/target.h SIGN=ED448 cp config/examples/nrf52840.config .config && make include/target.h SIGN=ED448
- name: Build key tools
run: |
make -C tools/keytools SIGN=ED448
- name: Build wolfboot and test app image v1, SIGN=ED448 - name: Build wolfboot and test app image v1, SIGN=ED448
run: | run: |
make SIGN=ED448 make SIGN=ED448
@ -105,16 +125,12 @@ jobs:
# RSA2048 TEST # RSA2048 TEST
- name: make clean - name: make clean
run: | run: |
make clean && make -C tools/keytools clean && rm -f include/target.h make clean && rm -f include/target.h
- name: Select config - name: Select config
run: | run: |
cp config/examples/nrf52840.config .config && make include/target.h SIGN=RSA2048 cp config/examples/nrf52840.config .config && make include/target.h SIGN=RSA2048
- name: Build key tools
run: |
make -C tools/keytools SIGN=RSA2048
- name: Build wolfboot and test app image v1, SIGN=RSA2048 - name: Build wolfboot and test app image v1, SIGN=RSA2048
run: | run: |
make SIGN=RSA2048 make SIGN=RSA2048
@ -129,16 +145,12 @@ jobs:
# RSA4096 TEST # RSA4096 TEST
- name: make clean - name: make clean
run: | run: |
make clean && make -C tools/keytools clean && rm -f include/target.h make clean && rm -f include/target.h
- name: Select config - name: Select config
run: | run: |
cp config/examples/nrf52840.config .config && make include/target.h SIGN=RSA4096 cp config/examples/nrf52840.config .config && make include/target.h SIGN=RSA4096
- name: Build key tools
run: |
make -C tools/keytools SIGN=RSA4096
- name: Build wolfboot and test app image v1, SIGN=RSA4096 - name: Build wolfboot and test app image v1, SIGN=RSA4096
run: | run: |
make SIGN=RSA4096 make SIGN=RSA4096
@ -150,8 +162,6 @@ jobs:
- name: Renode Tests RSA4096 - name: Renode Tests RSA4096
run: ./tools/renode/docker-test.sh run: ./tools/renode/docker-test.sh
- name: Upload Output Dir - name: Upload Output Dir
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v2
with: with:

2
.gitignore vendored
View File

@ -55,6 +55,8 @@
src/ed25519_pub_key.c src/ed25519_pub_key.c
src/ed448_pub_key.c src/ed448_pub_key.c
src/ecc256_pub_key.c src/ecc256_pub_key.c
src/ecc384_pub_key.c
src/ecc512_pub_key.c
src/rsa2048_pub_key.c src/rsa2048_pub_key.c
src/rsa4096_pub_key.c src/rsa4096_pub_key.c

8
Makefile
View File

@ -112,6 +112,10 @@ ed448.der:
$(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/ed448_pub_key.c $(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/ed448_pub_key.c
ecc256.der: ecc256.der:
$(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/ecc256_pub_key.c $(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/ecc256_pub_key.c
ecc384.der:
$(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/ecc384_pub_key.c
ecc521.der:
$(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/ecc521_pub_key.c
rsa2048.der: rsa2048.der:
$(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/rsa2048_pub_key.c $(Q)$(KEYGEN_TOOL) $(KEYGEN_OPTIONS) src/rsa2048_pub_key.c
rsa4096.der: rsa4096.der:
@ -153,6 +157,10 @@ src/ed448_pub_key.c: ed448.der
src/ecc256_pub_key.c: ecc256.der src/ecc256_pub_key.c: ecc256.der
src/ecc384_pub_key.c: ecc384.der
src/ecc521_pub_key.c: ecc521.der
src/rsa2048_pub_key.c: rsa2048.der src/rsa2048_pub_key.c: rsa2048.der
src/rsa4096_pub_key.c: rsa4096.der src/rsa4096_pub_key.c: rsa4096.der

12
include/loader.h
View File

@ -43,6 +43,18 @@
# define KEY_BUFFER ecc256_pub_key # define KEY_BUFFER ecc256_pub_key
# define KEY_LEN ecc256_pub_key_len # define KEY_LEN ecc256_pub_key_len
# define IMAGE_SIGNATURE_SIZE (64) # define IMAGE_SIGNATURE_SIZE (64)
#elif defined(WOLFBOOT_SIGN_ECC384)
extern const unsigned char ecc384_pub_key[];
extern unsigned int ecc384_pub_key_len;
# define KEY_BUFFER ecc384_pub_key
# define KEY_LEN ecc384_pub_key_len
# define IMAGE_SIGNATURE_SIZE (96)
#elif defined(WOLFBOOT_SIGN_ECC521)
extern const unsigned char ecc521_pub_key[];
extern unsigned int ecc521_pub_key_len;
# define KEY_BUFFER ecc521_pub_key
# define KEY_LEN ecc521_pub_key_len
# define IMAGE_SIGNATURE_SIZE (132)
#elif defined(WOLFBOOT_SIGN_RSA2048) #elif defined(WOLFBOOT_SIGN_RSA2048)
extern const unsigned char rsa2048_pub_key[]; extern const unsigned char rsa2048_pub_key[];
extern unsigned int rsa2048_pub_key_len; extern unsigned int rsa2048_pub_key_len;

24
include/user_settings.h
View File

@ -64,10 +64,13 @@
#endif #endif
/* ECC and SHA256 */ /* ECC and SHA256 */
#ifdef WOLFBOOT_SIGN_ECC256 #if defined (WOLFBOOT_SIGN_ECC256) ||\
defined (WOLFBOOT_SIGN_ECC384) ||\
defined (WOLFBOOT_SIGN_ECC521)
# define HAVE_ECC # define HAVE_ECC
# define ECC_TIMING_RESISTANT # define ECC_TIMING_RESISTANT
# define FP_MAX_BITS (256 + 32)
/* Kinetis LTC support */ /* Kinetis LTC support */
# ifdef FREESCALE_USE_LTC # ifdef FREESCALE_USE_LTC
@ -96,8 +99,25 @@
/* Curve */ /* Curve */
# define NO_ECC192 # define NO_ECC192
# define NO_ECC224 # define NO_ECC224
#ifdef WOLFBOOT_SIGN_ECC256
# define HAVE_ECC256 # define HAVE_ECC256
# define FP_MAX_BITS (256 + 32)
# define NO_ECC384 # define NO_ECC384
# define NO_ECC521
#elif defined WOLFBOOT_SIGN_ECC384
# define HAVE_ECC384
# define FP_MAX_BITS (1024 + 32)
# define WOLFSSL_SP_384
# define WOLFSSL_SP_NO_256
# define NO_ECC256
# define NO_ECC521
#elif defined WOLFBOOT_SIGN_ECC521
# define HAVE_ECC521
# define FP_MAX_BITS (544 + 32)
# define NO_ECC256
# define NO_ECC384
#endif
# define NO_RSA # define NO_RSA
# define NO_ASN # define NO_ASN
#endif #endif

9
include/wolfboot/wolfboot.h
View File

@ -71,6 +71,8 @@
#define HDR_IMG_TYPE_AUTH_RSA2048 0x0300 #define HDR_IMG_TYPE_AUTH_RSA2048 0x0300
#define HDR_IMG_TYPE_AUTH_RSA4096 0x0400 #define HDR_IMG_TYPE_AUTH_RSA4096 0x0400
#define HDR_IMG_TYPE_AUTH_ED448 0x0500 #define HDR_IMG_TYPE_AUTH_ED448 0x0500
#define HDR_IMG_TYPE_AUTH_ECC384 0x0600
#define HDR_IMG_TYPE_AUTH_ECC521 0x0700
#define HDR_IMG_TYPE_WOLFBOOT 0x0000 #define HDR_IMG_TYPE_WOLFBOOT 0x0000
#define HDR_IMG_TYPE_APP 0x0001 #define HDR_IMG_TYPE_APP 0x0001
#define HDR_IMG_TYPE_DIFF 0x00D0 #define HDR_IMG_TYPE_DIFF 0x00D0
@ -85,12 +87,17 @@
# define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ED448 # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ED448
#elif defined(WOLFBOOT_SIGN_ECC256) #elif defined(WOLFBOOT_SIGN_ECC256)
# define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC256 # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC256
#elif defined(WOLFBOOT_SIGN_ECC384)
# define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC384
#elif defined(WOLFBOOT_SIGN_ECC521)
# define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC521
# error "ECC521 curves not yet supported in this version of wolfBoot. Please select a valid SIGN= option."
#elif defined(WOLFBOOT_SIGN_RSA2048) #elif defined(WOLFBOOT_SIGN_RSA2048)
# define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA2048 # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA2048
#elif defined(WOLFBOOT_SIGN_RSA4096) #elif defined(WOLFBOOT_SIGN_RSA4096)
# define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA4096 # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA4096
#else #else
# error "no valid authentication mechanism selected. Please define WOLFBOOT_SIGN_ED25519 or WOLFBOOT_SIGN_ECC256 or WOLFBOOT_SIGN_RSA2048" # error "no valid authentication mechanism selected. Please select a valid SIGN= option."
#endif /* defined WOLFBOOT_SIGN_ECC256 || WOLFBOOT_SIGN_ED25519 */ #endif /* defined WOLFBOOT_SIGN_ECC256 || WOLFBOOT_SIGN_ED25519 */
#endif /* defined WOLFBOOT */ #endif /* defined WOLFBOOT */

54
options.mk
View File

@ -51,6 +51,60 @@ ifeq ($(SIGN),ECC256)
endif endif
endif endif
ifeq ($(SIGN),ECC384)
KEYGEN_OPTIONS+=--ecc384
SIGN_OPTIONS+=--ecc384
PRIVATE_KEY=ecc384.der
WOLFCRYPT_OBJS+= \
$(MATH_OBJS) \
./lib/wolfssl/wolfcrypt/src/ecc.o \
./lib/wolfssl/wolfcrypt/src/memory.o \
./lib/wolfssl/wolfcrypt/src/wc_port.o \
./lib/wolfssl/wolfcrypt/src/wolfmath.o \
./lib/wolfssl/wolfcrypt/src/hash.o
CFLAGS+=-D"WOLFBOOT_SIGN_ECC384"
ifeq ($(WOLFBOOT_SMALL_STACK),1)
STACK_USAGE=5880
else ifeq ($(WOLFTPM),1)
STACK_USAGE=6680
else ifneq ($(SPMATH),1)
STACK_USAGE=6056
else
STACK_USAGE=5880
endif
PUBLIC_KEY_OBJS=./src/ecc384_pub_key.o
ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 512; echo $$?),0)
IMAGE_HEADER_SIZE=512
endif
endif
ifeq ($(SIGN),ECC521)
KEYGEN_OPTIONS+=--ecc521
SIGN_OPTIONS+=--ecc521
PRIVATE_KEY=ecc521.der
WOLFCRYPT_OBJS+= \
$(MATH_OBJS) \
./lib/wolfssl/wolfcrypt/src/ecc.o \
./lib/wolfssl/wolfcrypt/src/memory.o \
./lib/wolfssl/wolfcrypt/src/wc_port.o \
./lib/wolfssl/wolfcrypt/src/wolfmath.o \
./lib/wolfssl/wolfcrypt/src/hash.o
CFLAGS+=-D"WOLFBOOT_SIGN_ECC521"
ifeq ($(WOLFBOOT_SMALL_STACK),1)
STACK_USAGE=4096
else ifeq ($(WOLFTPM),1)
STACK_USAGE=6680
else ifneq ($(SPMATH),1)
STACK_USAGE=7352
else
STACK_USAGE=3896
endif
PUBLIC_KEY_OBJS=./src/ecc521_pub_key.o
ifeq ($(shell test $(IMAGE_HEADER_SIZE) -lt 512; echo $$?),0)
IMAGE_HEADER_SIZE=512
endif
endif
ifeq ($(SIGN),ED25519) ifeq ($(SIGN),ED25519)
KEYGEN_OPTIONS+=--ed25519 KEYGEN_OPTIONS+=--ed25519
SIGN_OPTIONS+=--ed25519 SIGN_OPTIONS+=--ed25519

22
src/image.c
View File

@ -82,9 +82,25 @@ static void wolfBoot_verify_signature(struct wolfBoot_image *img, uint8_t *sig)
#endif #endif
#ifdef WOLFBOOT_SIGN_ECC256
#if defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384) \
|| defined(WOLFBOOT_SIGN_ECC521)
#include <wolfssl/wolfcrypt/ecc.h> #include <wolfssl/wolfcrypt/ecc.h>
#define ECC_KEY_SIZE 32
#ifdef WOLFBOOT_SIGN_ECC256
#define ECC_KEY_SIZE 32
#define ECC_KEY_TYPE ECC_SECP256R1
#endif
#ifdef WOLFBOOT_SIGN_ECC384
#define ECC_KEY_SIZE 48
#define ECC_KEY_TYPE ECC_SECP384R1
#endif
#ifdef WOLFBOOT_SIGN_ECC521
#define ECC_KEY_SIZE 66
#define ECC_KEY_TYPE ECC_SECP521R1
#endif
static void wolfBoot_verify_signature(struct wolfBoot_image *img, uint8_t *sig) static void wolfBoot_verify_signature(struct wolfBoot_image *img, uint8_t *sig)
{ {
int ret, verify_res = 0; int ret, verify_res = 0;
@ -131,7 +147,7 @@ static void wolfBoot_verify_signature(struct wolfBoot_image *img, uint8_t *sig)
/* Import public key */ /* Import public key */
ret = wc_ecc_import_unsigned(&ecc, (byte*)KEY_BUFFER, ret = wc_ecc_import_unsigned(&ecc, (byte*)KEY_BUFFER,
(byte*)(KEY_BUFFER + ECC_KEY_SIZE), NULL, ECC_SECP256R1); (byte*)(KEY_BUFFER + ECC_KEY_SIZE), NULL, ECC_KEY_TYPE);
if ((ret < 0) || ecc.type != ECC_PUBLICKEY) { if ((ret < 0) || ecc.type != ECC_PUBLICKEY) {
/* Failed to import ecc key */ /* Failed to import ecc key */
return; return;

79
src/xmalloc.c
View File

@ -54,20 +54,38 @@ struct xmalloc_slot {
# error "No hash mechanism selected." # error "No hash mechanism selected."
#endif #endif
#ifdef WOLFBOOT_SIGN_ECC256 #if defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384)
#ifndef USE_FAST_MATH #ifndef USE_FAST_MATH
#define MP_CURVE_SPECS_SIZE (80) /* SP MATH */
#ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM #ifdef WOLFBOOT_SIGN_ECC256
#define MP_POINT_SIZE (196) #define MP_CURVE_SPECS_SIZE (80)
#define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 16 * 8) #ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM
#define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 8 * 5) #define MP_POINT_SIZE (196)
#else #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 16 * 8)
#define MP_POINT_SIZE (220) #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 8 * 5)
#define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 16 * 9) #else
#define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (4 * 9 + 3)) #define MP_POINT_SIZE (220)
#define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 9 * 5)) #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 16 * 9)
#endif #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (4 * 9 + 3))
#define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 9 * 5))
#define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 8)
#endif
#endif /* WOLFBOOT_SIGN_ECC256 */
#ifdef WOLFBOOT_SIGN_ECC384
#define MP_CURVE_SPECS_SIZE (112)
#ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM
#define MP_POINT_SIZE (292)
#define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 16 * 12)
#define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 12 * 6)
#define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 12)
#else
#define MP_POINT_SIZE (220)
#define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 16 * 9)
#define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (4 * 9 + 3))
#define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 9 * 5))
#endif
#endif /* WOLFBOOT_SIGN_ECC384 */
#ifndef WC_NO_CACHE_RESISTANT #ifndef WC_NO_CACHE_RESISTANT
static uint8_t mp_points_3[MP_POINT_SIZE]; static uint8_t mp_points_3[MP_POINT_SIZE];
#endif #endif
@ -76,17 +94,31 @@ struct xmalloc_slot {
static uint8_t mp_points_2[MP_POINT_SIZE * (16 + 1)]; static uint8_t mp_points_2[MP_POINT_SIZE * (16 + 1)];
static uint8_t mp_digits_buffer_0[MP_DIGITS_BUFFER_SIZE_0]; static uint8_t mp_digits_buffer_0[MP_DIGITS_BUFFER_SIZE_0];
static uint8_t mp_digits_buffer_1[MP_DIGITS_BUFFER_SIZE_1]; static uint8_t mp_digits_buffer_1[MP_DIGITS_BUFFER_SIZE_1];
#ifndef WOLFSSL_SP_ARM_CORTEX_M_ASM #if !defined(WOLFSSL_SP_ARM_CORTEX_M_ASM) && defined(WOLFBOOT_SIGN_ECC256)
static uint8_t mp_digits_buffer_2[MP_DIGITS_BUFFER_SIZE_2]; static uint8_t mp_digits_buffer_2[MP_DIGITS_BUFFER_SIZE_2];
static uint8_t mp_montgomery[sizeof(int64_t) * 2 * 8]; static uint8_t mp_montgomery[MP_MONTGOMERY_SIZE];
#elif defined(WOLFBOOT_SIGN_ECC384)
static uint8_t mp_montgomery[MP_MONTGOMERY_SIZE];
#endif #endif
#else #else
/* TFM */
#define MP_INT_SIZE ((sizeof (fp_int))) #define MP_INT_SIZE ((sizeof (fp_int)))
#define MP_CURVE_SPECS_SIZE (MP_INT_SIZE) #ifdef WOLFBOOT_SIGN_ECC256
#define MP_CURVE_FIELD_COUNT_SIZE (380) #define MP_CURVE_SPECS_SIZE (MP_INT_SIZE)
#define ECC_POINT_SIZE (228) #define MP_CURVE_FIELD_COUNT_SIZE (380)
#define MP_INT_BUFFER_SIZE (MP_INT_SIZE * 6) #define ECC_POINT_SIZE (228)
#define MP_DIGIT_BUFFER_MONT_SIZE (sizeof(fp_digit)*(FP_SIZE + 1)) #define MP_INT_BUFFER_SIZE (MP_INT_SIZE * 6)
#define MP_DIGIT_BUFFER_MONT_SIZE (sizeof(fp_digit)*(FP_SIZE + 1))
#endif
#ifdef WOLFBOOT_SIGN_ECC384
#define MP_CURVE_SPECS_SIZE (MP_INT_SIZE)
#define MP_CURVE_FIELD_COUNT_SIZE (380)
#define ECC_POINT_SIZE (516)
#define MP_INT_BUFFER_SIZE (MP_INT_SIZE * 5)
#define MP_INT_BUFFER_SIZE_1 (MP_INT_SIZE * 6)
#define MP_DIGIT_BUFFER_MONT_SIZE (sizeof(fp_digit)*(FP_SIZE + 1))
#endif
static uint8_t mp_curve_field_count[MP_CURVE_FIELD_COUNT_SIZE]; static uint8_t mp_curve_field_count[MP_CURVE_FIELD_COUNT_SIZE];
static uint8_t mp_int_v[MP_INT_SIZE]; static uint8_t mp_int_v[MP_INT_SIZE];
static uint8_t mp_int_w[MP_INT_SIZE]; static uint8_t mp_int_w[MP_INT_SIZE];
@ -103,6 +135,9 @@ struct xmalloc_slot {
static uint8_t ecc_point4[ECC_POINT_SIZE]; static uint8_t ecc_point4[ECC_POINT_SIZE];
static uint8_t ecc_point5[ECC_POINT_SIZE]; static uint8_t ecc_point5[ECC_POINT_SIZE];
static uint8_t mp_buffer0[MP_INT_BUFFER_SIZE]; static uint8_t mp_buffer0[MP_INT_BUFFER_SIZE];
#ifdef WOLFBOOT_SIGN_ECC384
static uint8_t mp_buffer1[MP_INT_BUFFER_SIZE_1];
#endif
static uint8_t mp_digits_buffer[MP_DIGIT_BUFFER_MONT_SIZE]; static uint8_t mp_digits_buffer[MP_DIGIT_BUFFER_MONT_SIZE];
#endif #endif
@ -121,6 +156,9 @@ static struct xmalloc_slot xmalloc_pool[] = {
{ (uint8_t *)mp_points_0, MP_POINT_SIZE * 2, 0 }, { (uint8_t *)mp_points_0, MP_POINT_SIZE * 2, 0 },
#ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM #ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM
{ (uint8_t *)mp_points_1, MP_POINT_SIZE * 2, 0 }, { (uint8_t *)mp_points_1, MP_POINT_SIZE * 2, 0 },
#ifdef WOLFBOOT_SIGN_ECC384
{ (uint8_t *)mp_montgomery, MP_MONTGOMERY_SIZE, 0 },
#endif
#else #else
{ (uint8_t *)mp_points_1, MP_POINT_SIZE * 3, 0 }, { (uint8_t *)mp_points_1, MP_POINT_SIZE * 3, 0 },
{ (uint8_t *)mp_digits_buffer_2, MP_DIGITS_BUFFER_SIZE_2, 0 }, { (uint8_t *)mp_digits_buffer_2, MP_DIGITS_BUFFER_SIZE_2, 0 },
@ -149,6 +187,9 @@ static struct xmalloc_slot xmalloc_pool[] = {
{ ecc_point4, ECC_POINT_SIZE, 0}, { ecc_point4, ECC_POINT_SIZE, 0},
{ ecc_point5, ECC_POINT_SIZE, 0}, { ecc_point5, ECC_POINT_SIZE, 0},
{ mp_buffer0, MP_INT_BUFFER_SIZE, 0}, { mp_buffer0, MP_INT_BUFFER_SIZE, 0},
#ifdef WOLFBOOT_SIGN_ECC384
{ mp_buffer1, MP_INT_BUFFER_SIZE_1, 0},
#endif
{ mp_digits_buffer, MP_DIGIT_BUFFER_MONT_SIZE, 0}, { mp_digits_buffer, MP_DIGIT_BUFFER_MONT_SIZE, 0},
#endif #endif
{ NULL, 0, 0} { NULL, 0, 0}

63
tools/keytools/keygen.c
View File

@ -67,10 +67,14 @@
#define KEYGEN_RSA2048 2 #define KEYGEN_RSA2048 2
#define KEYGEN_RSA4096 3 #define KEYGEN_RSA4096 3
#define KEYGEN_ED448 4 #define KEYGEN_ED448 4
#define KEYGEN_ECC384 5
#define KEYGEN_ECC521 6
const char Ed25519_pub_key_define[] = "const uint8_t ed25519_pub_key[32] = {"; const char Ed25519_pub_key_define[] = "const uint8_t ed25519_pub_key[32] = {";
const char Ed448_pub_key_define[] = "const uint8_t ed448_pub_key[57] = {"; const char Ed448_pub_key_define[] = "const uint8_t ed448_pub_key[57] = {";
const char Ecc256_pub_key_define[] = "const uint8_t ecc256_pub_key[64] = {"; const char Ecc256_pub_key_define[] = "const uint8_t ecc256_pub_key[64] = {";
const char Ecc384_pub_key_define[] = "const uint8_t ecc384_pub_key[96] = {";
const char Ecc521_pub_key_define[] = "const uint8_t ecc521_pub_key[132] = {";
const char Rsa_2048_pub_key_define[] = "const uint8_t rsa2048_pub_key[%d] = {"; const char Rsa_2048_pub_key_define[] = "const uint8_t rsa2048_pub_key[%d] = {";
const char Rsa_4096_pub_key_define[] = "const uint8_t rsa4096_pub_key[%d] = {"; const char Rsa_4096_pub_key_define[] = "const uint8_t rsa4096_pub_key[%d] = {";
@ -85,7 +89,8 @@ const char Cfile_Banner[] = "/* Public-key file for wolfBoot, automatically gene
static void usage(const char *pname) /* implies exit */ static void usage(const char *pname) /* implies exit */
{ {
printf("Usage: %s [--ed25519 | --ed448 | --ecc256 | --rsa2048 | --rsa4096 ] pub_key_file.c\n", pname); printf("Usage: %s [--ed25519 | --ed448 | --ecc256 | --ecc384 "
"| --ecc521 | --rsa2048 | --rsa4096 ] pub_key_file.c\n", pname);
exit(125); exit(125);
} }
@ -158,20 +163,21 @@ static void keygen_rsa(WC_RNG *rng, char *pubkeyfile, int size)
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
#define ECC256_KEY_SIZE 32 #define MAX_ECC_KEY_SIZE 66
static void keygen_ecc256(WC_RNG *rng, char *pubkfile)
static void keygen_ecc(WC_RNG *rng, char *pubkfile, uint16_t ecc_key_size)
{ {
ecc_key k; ecc_key k;
uint8_t Qx[ECC256_KEY_SIZE], Qy[ECC256_KEY_SIZE], d[ECC256_KEY_SIZE]; uint8_t Qx[MAX_ECC_KEY_SIZE], Qy[MAX_ECC_KEY_SIZE], d[MAX_ECC_KEY_SIZE];
uint32_t qxsize = ECC256_KEY_SIZE, uint32_t qxsize = ecc_key_size,
qysize = ECC256_KEY_SIZE, qysize = ecc_key_size,
dsize = ECC256_KEY_SIZE; dsize = ecc_key_size;
FILE *fpriv, *fpub; FILE *fpriv, *fpub;
char priv_fname[20] = ""; char priv_fname[20] = "";
if (wc_ecc_make_key(rng, ECC256_KEY_SIZE, &k) != 0) { if (wc_ecc_make_key(rng, ecc_key_size, &k) != 0) {
fprintf(stderr, "Unable to create ecc%d key\n", ECC256_KEY_SIZE << 3); fprintf(stderr, "Unable to create ecc key\n");
exit(1); exit(1);
} }
@ -185,7 +191,7 @@ static void keygen_ecc256(WC_RNG *rng, char *pubkfile)
exit(3); exit(3);
} }
sprintf(priv_fname, "ecc%d.der", (ECC256_KEY_SIZE << 3)); sprintf(priv_fname, "ecc%d.der", (ecc_key_size < 66)?(ecc_key_size << 3):521);
fpriv = fopen(priv_fname, "wb"); fpriv = fopen(priv_fname, "wb");
if (fpriv == NULL) { if (fpriv == NULL) {
@ -203,12 +209,25 @@ static void keygen_ecc256(WC_RNG *rng, char *pubkfile)
exit(4); exit(4);
} }
fprintf(fpub, "%s", Cfile_Banner); fprintf(fpub, "%s", Cfile_Banner);
fprintf(fpub, "%s", Ecc256_pub_key_define); if (ecc_key_size == 32)
fprintf(fpub, "%s", Ecc256_pub_key_define);
else if (ecc_key_size == 48)
fprintf(fpub, "%s", Ecc384_pub_key_define);
else if (ecc_key_size == 66)
fprintf(fpub, "%s", Ecc521_pub_key_define);
else
fprintf(fpub, "#error Unknown ecc key size");
fwritekey(Qx, qxsize, fpub); fwritekey(Qx, qxsize, fpub);
fprintf(fpub, ","); fprintf(fpub, ",");
fwritekey(Qy, qysize, fpub); fwritekey(Qy, qysize, fpub);
fprintf(fpub, "\n};\n"); fprintf(fpub, "\n};\n");
fprintf(fpub, "const uint32_t ecc256_pub_key_len = 64;\n"); if (ecc_key_size == 32)
fprintf(fpub, "const uint32_t ecc256_pub_key_len = 64;\n");
else if (ecc_key_size == 48)
fprintf(fpub, "const uint32_t ecc384_pub_key_len = 96;\n");
else if (ecc_key_size == 66)
fprintf(fpub, "const uint32_t ecc521_pub_key_len = 132;\n");
fclose(fpub); fclose(fpub);
} }
#endif #endif
@ -328,6 +347,14 @@ int main(int argc, char** argv)
keytype = KEYGEN_ECC256; keytype = KEYGEN_ECC256;
kfilename = strdup("ecc256.der"); kfilename = strdup("ecc256.der");
} }
else if (strcmp(argv[i], "--ecc384") == 0) {
keytype = KEYGEN_ECC384;
kfilename = strdup("ecc384.der");
}
else if (strcmp(argv[i], "--ecc521") == 0) {
keytype = KEYGEN_ECC521;
kfilename = strdup("ecc521.der");
}
else if (strcmp(argv[i], "--rsa2048") == 0) { else if (strcmp(argv[i], "--rsa2048") == 0) {
keytype = KEYGEN_RSA2048; keytype = KEYGEN_RSA2048;
kfilename = strdup("rsa2048.der"); kfilename = strdup("rsa2048.der");
@ -387,7 +414,17 @@ int main(int argc, char** argv)
#ifdef HAVE_ECC #ifdef HAVE_ECC
case KEYGEN_ECC256: case KEYGEN_ECC256:
{ {
keygen_ecc256(&rng, output_pubkey_file); keygen_ecc(&rng, output_pubkey_file, 32);
break;
}
case KEYGEN_ECC384:
{
keygen_ecc(&rng, output_pubkey_file, 48);
break;
}
case KEYGEN_ECC521:
{
keygen_ecc(&rng, output_pubkey_file, 66);
break; break;
} }
#endif #endif

60
tools/keytools/keygen.py
View File

@ -45,6 +45,8 @@ Cfile_Banner="/* Public-key file for wolfBoot, automatically generated. Do not e
Ed25519_pub_key_define = "const uint8_t ed25519_pub_key[32] = {\n\t" Ed25519_pub_key_define = "const uint8_t ed25519_pub_key[32] = {\n\t"
Ed448_pub_key_define= "const uint8_t ed448_pub_key[57] = {\n\t" Ed448_pub_key_define= "const uint8_t ed448_pub_key[57] = {\n\t"
Ecc256_pub_key_define = "const uint8_t ecc256_pub_key[64] = {\n\t" Ecc256_pub_key_define = "const uint8_t ecc256_pub_key[64] = {\n\t"
Ecc384_pub_key_define = "const uint8_t ecc384_pub_key[96] = {\n\t"
Ecc521_pub_key_define = "const uint8_t ecc521_pub_key[132] = {\n\t"
Rsa_2048_pub_key_define = "const uint8_t rsa2048_pub_key[%d] = {\n\t" Rsa_2048_pub_key_define = "const uint8_t rsa2048_pub_key[%d] = {\n\t"
Rsa_4096_pub_key_define = "const uint8_t rsa4096_pub_key[%d] = {\n\t" Rsa_4096_pub_key_define = "const uint8_t rsa4096_pub_key[%d] = {\n\t"
@ -56,6 +58,8 @@ parser = ap.ArgumentParser(prog='keygen.py', description='wolfBoot key generatio
parser.add_argument('--ed25519', dest='ed25519', action='store_true') parser.add_argument('--ed25519', dest='ed25519', action='store_true')
parser.add_argument('--ed448', dest='ed448', action='store_true') parser.add_argument('--ed448', dest='ed448', action='store_true')
parser.add_argument('--ecc256', dest='ecc256', action='store_true') parser.add_argument('--ecc256', dest='ecc256', action='store_true')
parser.add_argument('--ecc384', dest='ecc384', action='store_true')
parser.add_argument('--ecc521', dest='ecc521', action='store_true')
parser.add_argument('--rsa2048', dest='rsa2048', action='store_true') parser.add_argument('--rsa2048', dest='rsa2048', action='store_true')
parser.add_argument('--rsa4096', dest='rsa4096', action='store_true') parser.add_argument('--rsa4096', dest='rsa4096', action='store_true')
parser.add_argument('--force', dest='force', action='store_true') parser.add_argument('--force', dest='force', action='store_true')
@ -79,6 +83,14 @@ if (args.ecc256):
if sign is not None: if sign is not None:
dupsign() dupsign()
sign='ecc256' sign='ecc256'
if (args.ecc384):
if sign is not None:
dupsign()
sign='ecc384'
if (args.ecc521):
if sign is not None:
dupsign()
sign='ecc521'
if (args.rsa2048): if (args.rsa2048):
if sign is not None: if sign is not None:
dupsign() dupsign()
@ -165,16 +177,42 @@ if (sign == "ed448"):
f.write("\n};\n") f.write("\n};\n")
f.write("const uint32_t ed448_pub_key_len = 57;\n") f.write("const uint32_t ed448_pub_key_len = 57;\n")
f.close() f.close()
if (sign[0:3] == 'ecc'):
if (sign == "ecc256"):
ec = ciphers.EccPrivate.make_key(32)
banner = Ecc256_pub_key_define
ecc_pub_key_len = 64
qx,qy,d = ec.encode_key_raw()
if os.path.exists(key_file) and not force:
choice = input("** Warning: key file already exist! Are you sure you want to "+
"generate a new key and overwrite the existing key? [Type 'Yes, I am sure!']: ")
if (choice != "Yes, I am sure!"):
print("Operation canceled.")
sys.exit(2)
if (sign == "ecc256"): if (sign == "ecc384"):
ec = ciphers.EccPrivate.make_key(32) ec = ciphers.EccPrivate.make_key(48)
qx,qy,d = ec.encode_key_raw() banner = Ecc384_pub_key_define
if os.path.exists(key_file) and not force: ecc_pub_key_len = 96
choice = input("** Warning: key file already exist! Are you sure you want to "+ qx,qy,d = ec.encode_key_raw()
"generate a new key and overwrite the existing key? [Type 'Yes, I am sure!']: ") if os.path.exists(key_file) and not force:
if (choice != "Yes, I am sure!"): choice = input("** Warning: key file already exist! Are you sure you want to "+
print("Operation canceled.") "generate a new key and overwrite the existing key? [Type 'Yes, I am sure!']: ")
sys.exit(2) if (choice != "Yes, I am sure!"):
print("Operation canceled.")
sys.exit(2)
if (sign == "ecc521"):
ec = ciphers.EccPrivate.make_key(66)
banner = Ecc521_pub_key_define
ecc_pub_key_len = 132
qx,qy,d = ec.encode_key_raw()
if os.path.exists(key_file) and not force:
choice = input("** Warning: key file already exist! Are you sure you want to "+
"generate a new key and overwrite the existing key? [Type 'Yes, I am sure!']: ")
if (choice != "Yes, I am sure!"):
print("Operation canceled.")
sys.exit(2)
print() print()
print("Creating file " + key_file) print("Creating file " + key_file)
@ -186,7 +224,7 @@ if (sign == "ecc256"):
print("Creating file " + pubkey_cfile) print("Creating file " + pubkey_cfile)
with open(pubkey_cfile, "w") as f: with open(pubkey_cfile, "w") as f:
f.write(Cfile_Banner) f.write(Cfile_Banner)
f.write(Ecc256_pub_key_define) f.write(banner)
i = 0 i = 0
for c in bytes(qx): for c in bytes(qx):
f.write("0x%02X, " % c) f.write("0x%02X, " % c)
@ -200,7 +238,7 @@ if (sign == "ecc256"):
f.write('\n') f.write('\n')
f.write("0x%02X" % qy[-1]) f.write("0x%02X" % qy[-1])
f.write("\n};\n") f.write("\n};\n")
f.write("const uint32_t ecc256_pub_key_len = 64;\n") f.write("const uint32_t %s_pub_key_len = %d;\n" % (sign, ecc_pub_key_len))
f.close() f.close()
if (sign == "rsa2048"): if (sign == "rsa2048"):

154
tools/keytools/sign.c
View File

@ -123,6 +123,8 @@
#define HDR_IMG_TYPE_AUTH_RSA2048 0x0300 #define HDR_IMG_TYPE_AUTH_RSA2048 0x0300
#define HDR_IMG_TYPE_AUTH_RSA4096 0x0400 #define HDR_IMG_TYPE_AUTH_RSA4096 0x0400
#define HDR_IMG_TYPE_AUTH_ED448 0x0500 #define HDR_IMG_TYPE_AUTH_ED448 0x0500
#define HDR_IMG_TYPE_AUTH_ECC384 0x0600
#define HDR_IMG_TYPE_AUTH_ECC521 0x0700
#define HDR_IMG_TYPE_WOLFBOOT 0x0000 #define HDR_IMG_TYPE_WOLFBOOT 0x0000
#define HDR_IMG_TYPE_APP 0x0001 #define HDR_IMG_TYPE_APP 0x0001
#define HDR_IMG_TYPE_DIFF 0x00D0 #define HDR_IMG_TYPE_DIFF 0x00D0
@ -137,6 +139,8 @@
#define SIGN_RSA2048 HDR_IMG_TYPE_AUTH_RSA2048 #define SIGN_RSA2048 HDR_IMG_TYPE_AUTH_RSA2048
#define SIGN_RSA4096 HDR_IMG_TYPE_AUTH_RSA4096 #define SIGN_RSA4096 HDR_IMG_TYPE_AUTH_RSA4096
#define SIGN_ED448 HDR_IMG_TYPE_AUTH_ED448 #define SIGN_ED448 HDR_IMG_TYPE_AUTH_ED448
#define SIGN_ECC384 HDR_IMG_TYPE_AUTH_ECC384
#define SIGN_ECC521 HDR_IMG_TYPE_AUTH_ECC521
#define ENC_OFF 0 #define ENC_OFF 0
@ -295,8 +299,8 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
goto failure; goto failure;
} }
if (CMD.sign == SIGN_AUTO) { if (CMD.sign == SIGN_AUTO) {
CMD.sign = SIGN_ECC256; CMD.sign = SIGN_ECC384;
printf("ecc256 key autodetected\n"); printf("ecc384 key autodetected\n");
} }
} }
else if (*key_buffer_sz > 512) { else if (*key_buffer_sz > 512) {
@ -310,13 +314,15 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
CMD.sign = SIGN_RSA2048; CMD.sign = SIGN_RSA2048;
printf("rsa2048 key autodetected\n"); printf("rsa2048 key autodetected\n");
} }
if (CMD.sign != SIGN_RSA2048) { if ((CMD.sign != SIGN_RSA2048) && (CMD.sign != SIGN_ECC384) &&
(CMD.sign != SIGN_ECC521)) {
printf("Error: key size too large for the selected cipher\n"); printf("Error: key size too large for the selected cipher\n");
goto failure; goto failure;
} }
} }
else { else {
printf("Error: key size '%d' does not match any cipher\n", *key_buffer_sz); printf("Error: key size '%d' does not match any cipher\n",
*key_buffer_sz);
goto failure; goto failure;
} }
@ -330,7 +336,8 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
if (ret == 0) { if (ret == 0) {
*pubkey = *key_buffer + ED25519_KEY_SIZE; *pubkey = *key_buffer + ED25519_KEY_SIZE;
*pubkey_sz = ED25519_PUB_KEY_SIZE; *pubkey_sz = ED25519_PUB_KEY_SIZE;
ret = wc_ed25519_import_private_key(*key_buffer, ED25519_KEY_SIZE, *pubkey, *pubkey_sz, &key.ed); ret = wc_ed25519_import_private_key(*key_buffer,
ED25519_KEY_SIZE, *pubkey, *pubkey_sz, &key.ed);
} }
#endif #endif
} else if (CMD.sign == SIGN_ED448) { } else if (CMD.sign == SIGN_ED448) {
@ -339,29 +346,53 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
if (ret == 0) { if (ret == 0) {
*pubkey = *key_buffer + ED448_KEY_SIZE; *pubkey = *key_buffer + ED448_KEY_SIZE;
*pubkey_sz = ED448_PUB_KEY_SIZE; *pubkey_sz = ED448_PUB_KEY_SIZE;
ret = wc_ed448_import_private_key(*key_buffer, ED448_KEY_SIZE, *pubkey, *pubkey_sz, &key.ed4); ret = wc_ed448_import_private_key(*key_buffer, ED448_KEY_SIZE,
*pubkey, *pubkey_sz, &key.ed4);
} }
#endif #endif
} else if (CMD.sign == SIGN_ECC256) {
#ifdef HAVE_ECC #ifdef HAVE_ECC
} else if (CMD.sign == SIGN_ECC256) {
ret = wc_ecc_init(&key.ecc); ret = wc_ecc_init(&key.ecc);
if (ret == 0) { if (ret == 0) {
ret = wc_ecc_import_unsigned(&key.ecc, *key_buffer, (*key_buffer) + 32, ret = wc_ecc_import_unsigned(&key.ecc, *key_buffer,
(*key_buffer) + 64, ECC_SECP256R1); (*key_buffer) + 32, (*key_buffer) + 64, ECC_SECP256R1);
if (ret == 0) { if (ret == 0) {
*pubkey = *key_buffer; /* first 64 bytes is public portion */ *pubkey = *key_buffer; /* first 64 bytes is public portion */
*pubkey_sz = 64; *pubkey_sz = 64;
} }
} }
} else if (CMD.sign == SIGN_ECC384) {
ret = wc_ecc_init(&key.ecc);
if (ret == 0) {
ret = wc_ecc_import_unsigned(&key.ecc, *key_buffer,
(*key_buffer) + 48, (*key_buffer) + 96, ECC_SECP384R1);
if (ret == 0) {
*pubkey = *key_buffer; /* first 96 bytes is public portion */
*pubkey_sz = 96;
}
}
} else if (CMD.sign == SIGN_ECC521) {
ret = wc_ecc_init(&key.ecc);
if (ret == 0) {
ret = wc_ecc_import_unsigned(&key.ecc, *key_buffer,
(*key_buffer) + 66, (*key_buffer) + 132, ECC_SECP521R1);
if (ret == 0) {
*pubkey = *key_buffer; /* first 132 bytes is public portion */
*pubkey_sz = 132;
}
}
}
#endif #endif
} else if (CMD.sign == SIGN_RSA2048 || CMD.sign == SIGN_RSA4096) {
#ifndef NO_RSA #ifndef NO_RSA
else if (CMD.sign == SIGN_RSA2048 || CMD.sign == SIGN_RSA4096) {
idx = 0; idx = 0;
ret = wc_InitRsaKey(&key.rsa, NULL); ret = wc_InitRsaKey(&key.rsa, NULL);
if (ret == 0) { if (ret == 0) {
ret = wc_RsaPrivateKeyDecode(*key_buffer, &idx, &key.rsa, *key_buffer_sz); ret = wc_RsaPrivateKeyDecode(*key_buffer, &idx, &key.rsa,
*key_buffer_sz);
if (ret == 0) { if (ret == 0) {
ret = wc_RsaKeyToPublicDer(&key.rsa, *key_buffer, *key_buffer_sz); ret = wc_RsaKeyToPublicDer(&key.rsa, *key_buffer,
*key_buffer_sz);
if (ret > 0) { if (ret > 0) {
*pubkey = *key_buffer; *pubkey = *key_buffer;
*pubkey_sz = ret; *pubkey_sz = ret;
@ -369,8 +400,8 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
} }
} }
} }
#endif
} }
#endif
if (ret != 0) { if (ret != 0) {
printf("Error %d loading key\n", ret); printf("Error %d loading key\n", ret);
goto failure; goto failure;
@ -395,7 +426,8 @@ failure:
return NULL; return NULL;
} }
static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz, const char *image_file, const char *outfile, static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz,
const char *image_file, const char *outfile,
uint32_t delta_base_version, uint16_t patch_len, uint32_t patch_inv_off, uint32_t delta_base_version, uint16_t patch_len, uint32_t patch_inv_off,
uint16_t patch_inv_len) uint16_t patch_inv_len)
{ {
@ -624,24 +656,45 @@ static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz, cons
wc_InitRng(&rng); wc_InitRng(&rng);
if (CMD.sign == SIGN_ED25519) { if (CMD.sign == SIGN_ED25519) {
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
ret = wc_ed25519_sign_msg(digest, digest_sz, signature, &CMD.signature_sz, &key.ed); ret = wc_ed25519_sign_msg(digest, digest_sz, signature,
&CMD.signature_sz, &key.ed);
#endif #endif
} }
else if (CMD.sign == SIGN_ED448) { else if (CMD.sign == SIGN_ED448) {
#ifdef HAVE_ED448 #ifdef HAVE_ED448
ret = wc_ed448_sign_msg(digest, digest_sz, signature, &CMD.signature_sz, &key.ed4, NULL, 0); ret = wc_ed448_sign_msg(digest, digest_sz, signature,
&CMD.signature_sz, &key.ed4, NULL, 0);
#endif #endif
} }
else if (CMD.sign == SIGN_ECC256) {
#ifdef HAVE_ECC #ifdef HAVE_ECC
else if (CMD.sign == SIGN_ECC256) {
mp_int r, s; mp_int r, s;
mp_init(&r); mp_init(&s); mp_init(&r); mp_init(&s);
ret = wc_ecc_sign_hash_ex(digest, digest_sz, &rng, &key.ecc, &r, &s); ret = wc_ecc_sign_hash_ex(digest, digest_sz, &rng, &key.ecc,
&r, &s);
mp_to_unsigned_bin(&r, &signature[0]); mp_to_unsigned_bin(&r, &signature[0]);
mp_to_unsigned_bin(&s, &signature[32]); mp_to_unsigned_bin(&s, &signature[32]);
mp_clear(&r); mp_clear(&s); mp_clear(&r); mp_clear(&s);
#endif
} }
else if (CMD.sign == SIGN_ECC384) {
mp_int r, s;
mp_init(&r); mp_init(&s);
ret = wc_ecc_sign_hash_ex(digest, digest_sz, &rng, &key.ecc,
&r, &s);
mp_to_unsigned_bin(&r, &signature[0]);
mp_to_unsigned_bin(&s, &signature[48]);
mp_clear(&r); mp_clear(&s);
}
else if (CMD.sign == SIGN_ECC521) {
mp_int r, s;
mp_init(&r); mp_init(&s);
ret = wc_ecc_sign_hash_ex(digest, digest_sz, &rng, &key.ecc,
&r, &s);
mp_to_unsigned_bin(&r, &signature[0]);
mp_to_unsigned_bin(&s, &signature[66]);
mp_clear(&r); mp_clear(&s);
}
#endif
else if (CMD.sign == SIGN_RSA2048 || CMD.sign == SIGN_RSA4096) { else if (CMD.sign == SIGN_RSA2048 || CMD.sign == SIGN_RSA4096) {
#ifndef NO_RSA #ifndef NO_RSA
uint32_t enchash_sz = digest_sz; uint32_t enchash_sz = digest_sz;
@ -653,10 +706,12 @@ static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz, cons
hashOID = SHA256h; hashOID = SHA256h;
else if (CMD.hash_algo == HASH_SHA3) else if (CMD.hash_algo == HASH_SHA3)
hashOID = SHA3_384h; hashOID = SHA3_384h;
enchash_sz = wc_EncodeSignature(buf, digest, digest_sz, hashOID); enchash_sz = wc_EncodeSignature(buf, digest, digest_sz,
hashOID);
enchash = buf; enchash = buf;
} }
ret = wc_RsaSSL_Sign(enchash, enchash_sz, signature, CMD.signature_sz, ret = wc_RsaSSL_Sign(enchash, enchash_sz, signature,
CMD.signature_sz,
&key.rsa, &rng); &key.rsa, &rng);
if (ret > 0) { if (ret > 0) {
CMD.signature_sz = ret; CMD.signature_sz = ret;
@ -692,7 +747,8 @@ static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz, cons
#endif #endif
/* Add signature to header */ /* Add signature to header */
header_append_tag(header, &header_idx, HDR_SIGNATURE, CMD.signature_sz, signature); header_append_tag(header, &header_idx, HDR_SIGNATURE, CMD.signature_sz,
signature);
} /* end if(sign != NO_SIGN) */ } /* end if(sign != NO_SIGN) */
/* Add padded header at end */ /* Add padded header at end */
@ -746,7 +802,8 @@ static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz, cons
} }
fek = fopen(CMD.encrypt_key_file, "rb"); fek = fopen(CMD.encrypt_key_file, "rb");
if (fek == NULL) { if (fek == NULL) {
fprintf(stderr, "Open encryption key file %s: %s\n", CMD.encrypt_key_file, strerror(errno)); fprintf(stderr, "Open encryption key file %s: %s\n",
CMD.encrypt_key_file, strerror(errno));
exit(1); exit(1);
} }
ret = fread(key, 1, keySz, fek); ret = fread(key, 1, keySz, fek);
@ -763,7 +820,8 @@ static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz, cons
fef = fopen(CMD.output_encrypted_image_file, "wb"); fef = fopen(CMD.output_encrypted_image_file, "wb");
if (!fef) { if (!fef) {
fprintf(stderr, "Open encrypted output file %s: %s\n", CMD.encrypt_key_file, strerror(errno)); fprintf(stderr, "Open encrypted output file %s: %s\n",
CMD.encrypt_key_file, strerror(errno));
} }
fsize = ftell(f); fsize = ftell(f);
fseek(f, 0, SEEK_SET); /* restart the _signed file from 0 */ fseek(f, 0, SEEK_SET); /* restart the _signed file from 0 */
@ -771,7 +829,8 @@ static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz, cons
if (CMD.encrypt == ENC_CHACHA) { if (CMD.encrypt == ENC_CHACHA) {
ChaCha cha; ChaCha cha;
#ifndef HAVE_CHACHA #ifndef HAVE_CHACHA
fprintf(stderr, "Encryption not supported: chacha support not found in wolfssl configuration.\n"); fprintf(stderr, "Encryption not supported: chacha support not found"
"in wolfssl configuration.\n");
exit(100); exit(100);
#endif #endif
wc_Chacha_SetKey(&cha, key, sizeof(key)); wc_Chacha_SetKey(&cha, key, sizeof(key));
@ -815,16 +874,19 @@ failure:
return ret; return ret;
} }
static int make_header(uint8_t *pubkey, uint32_t pubkey_sz, const char *image_file, const char *outfile) static int make_header(uint8_t *pubkey, uint32_t pubkey_sz,
const char *image_file, const char *outfile)
{ {
return make_header_ex(0, pubkey, pubkey_sz, image_file, outfile, 0, 0, 0, 0); return make_header_ex(0, pubkey, pubkey_sz, image_file, outfile, 0, 0, 0, 0);
} }
static int make_header_delta(uint8_t *pubkey, uint32_t pubkey_sz, const char *image_file, const char *outfile, static int make_header_delta(uint8_t *pubkey, uint32_t pubkey_sz,
const char *image_file, const char *outfile,
uint32_t delta_base_version, uint16_t patch_len, uint32_t delta_base_version, uint16_t patch_len,
uint32_t patch_inv_off, uint16_t patch_inv_len) uint32_t patch_inv_off, uint16_t patch_inv_len)
{ {
return make_header_ex(1, pubkey, pubkey_sz, image_file, outfile, delta_base_version, patch_len, return make_header_ex(1, pubkey, pubkey_sz, image_file, outfile,
delta_base_version, patch_len,
patch_inv_off, patch_inv_len); patch_inv_off, patch_inv_len);
} }
@ -1063,11 +1125,11 @@ int main(int argc, char** argv)
/* Check arguments and print usage */ /* Check arguments and print usage */
if (argc < 4 || argc > 10) { if (argc < 4 || argc > 10) {
printf("Usage: %s [--ed25519 | --ed447 | --ecc256 | --rsa2048 | --rsa2048enc | --rsa4096 | --rsa4096enc | --no-CMD.sign] [--sha256 | --sha3] [--wolfboot-update] [--encrypt enc_key.bin] [--chacha | --aes128 | --aes256] [--delta image_vX_signed.bin] image key.der fw_version\n", argv[0]); printf("Usage: %s [--ed25519 | --ed447 | --ecc256 | --ecc384 | --ecc521 | --rsa2048 | --rsa2048enc | --rsa4096 | --rsa4096enc | --no-CMD.sign] [--sha256 | --sha3] [--wolfboot-update] [--encrypt enc_key.bin] [--chacha | --aes128 | --aes256] [--delta image_vX_signed.bin] image key.der fw_version\n", argv[0]);
printf(" - or - "); printf(" - or - ");
printf(" %s [--sha256 | --sha3] [--sha-only] [--wolfboot-update] image pub_key.der fw_version\n", argv[0]); printf(" %s [--sha256 | --sha3] [--sha-only] [--wolfboot-update] image pub_key.der fw_version\n", argv[0]);
printf(" - or - "); printf(" - or - ");
printf(" %s [--ed25519 | --ed448 | --ecc256 | --rsa2048 | --rsa4096 ] [--sha256 | --sha3] [--manual-CMD.sign] image pub_key.der fw_version signature.sig\n", argv[0]); printf(" %s [--ed25519 | --ed448 | --ecc256 | --ecc384 | --ecc521 | --rsa2048 | --rsa4096 ] [--sha256 | --sha3] [--manual-CMD.sign] image pub_key.der fw_version signature.sig\n", argv[0]);
return 0; return 0;
} }
@ -1087,6 +1149,14 @@ int main(int argc, char** argv)
CMD.sign = SIGN_ECC256; CMD.sign = SIGN_ECC256;
sign_str = "ECC256"; sign_str = "ECC256";
} }
else if (strcmp(argv[i], "--ecc384") == 0) {
CMD.sign = SIGN_ECC384;
sign_str = "ECC384";
}
else if (strcmp(argv[i], "--ecc521") == 0) {
CMD.sign = SIGN_ECC521;
sign_str = "ECC521";
}
else if (strcmp(argv[i], "--rsa2048enc") == 0) { else if (strcmp(argv[i], "--rsa2048enc") == 0) {
CMD.sign = SIGN_RSA2048; CMD.sign = SIGN_RSA2048;
sign_str = "RSA2048ENC"; sign_str = "RSA2048ENC";
@ -1164,14 +1234,17 @@ int main(int argc, char** argv)
if (tmpstr) { if (tmpstr) {
*tmpstr = '\0'; /* null terminate at last "." */ *tmpstr = '\0'; /* null terminate at last "." */
} }
snprintf(CMD.output_image_file, sizeof(CMD.output_image_file), "%s_v%s_%s.bin", snprintf(CMD.output_image_file, sizeof(CMD.output_image_file),
(char*)buf, CMD.fw_version, CMD.sha_only ? "digest" : "signed"); "%s_v%s_%s.bin", (char*)buf, CMD.fw_version,
CMD.sha_only ? "digest" : "signed");
snprintf(CMD.output_encrypted_image_file, sizeof(CMD.output_encrypted_image_file), snprintf(CMD.output_encrypted_image_file,
sizeof(CMD.output_encrypted_image_file),
"%s_v%s_signed_and_encrypted.bin", "%s_v%s_signed_and_encrypted.bin",
(char*)buf, CMD.fw_version); (char*)buf, CMD.fw_version);
printf("Update type: %s\n", CMD.self_update ? "wolfBoot" : "Firmware"); printf("Update type: %s\n",
CMD.self_update ? "wolfBoot" : "Firmware");
printf("Input image: %s\n", CMD.image_file); printf("Input image: %s\n", CMD.image_file);
printf("Selected cipher: %s\n", sign_str); printf("Selected cipher: %s\n", sign_str);
printf("Selected hash : %s\n", hash_str); printf("Selected hash : %s\n", hash_str);
@ -1180,7 +1253,8 @@ int main(int argc, char** argv)
} }
if (CMD.delta) { if (CMD.delta) {
printf("Delta Base file: %s\n", CMD.delta_base_file); printf("Delta Base file: %s\n", CMD.delta_base_file);
snprintf(CMD.output_diff_file, sizeof(CMD.output_image_file), "%s_v%s_signed_diff.bin", snprintf(CMD.output_diff_file, sizeof(CMD.output_image_file),
"%s_v%s_signed_diff.bin",
(char*)buf, CMD.fw_version); (char*)buf, CMD.fw_version);
} }
@ -1206,6 +1280,16 @@ int main(int argc, char** argv)
CMD.header_sz = 256; CMD.header_sz = 256;
CMD.signature_sz = 64; CMD.signature_sz = 64;
} }
else if (CMD.sign == SIGN_ECC384) {
if (CMD.header_sz < 512)
CMD.header_sz = 512;
CMD.signature_sz = 96;
}
else if (CMD.sign == SIGN_ECC521) {
if (CMD.header_sz < 512)
CMD.header_sz = 512;
CMD.signature_sz = 132;
}
else if (CMD.sign == SIGN_RSA2048) { else if (CMD.sign == SIGN_RSA2048) {
if (CMD.header_sz < 512) if (CMD.header_sz < 512)
CMD.header_sz = 512; CMD.header_sz = 512;

51
tools/keytools/sign.py
View File

@ -54,6 +54,8 @@ HDR_IMG_TYPE_AUTH_ECC256 = 0x0200
HDR_IMG_TYPE_AUTH_RSA2048 = 0x0300 HDR_IMG_TYPE_AUTH_RSA2048 = 0x0300
HDR_IMG_TYPE_AUTH_RSA4096 = 0x0400 HDR_IMG_TYPE_AUTH_RSA4096 = 0x0400
HDR_IMG_TYPE_AUTH_ED448 = 0x0500 HDR_IMG_TYPE_AUTH_ED448 = 0x0500
HDR_IMG_TYPE_AUTH_ECC384 = 0x0600
HDR_IMG_TYPE_AUTH_ECC521 = 0x0700
HDR_IMG_TYPE_DIFF = 0x00D0 HDR_IMG_TYPE_DIFF = 0x00D0
HDR_IMG_TYPE_WOLFBOOT = 0x0000 HDR_IMG_TYPE_WOLFBOOT = 0x0000
@ -110,6 +112,10 @@ def make_header(image_file, fw_version, extra_fields=[]):
img_type = HDR_IMG_TYPE_AUTH_ED448 img_type = HDR_IMG_TYPE_AUTH_ED448
if (sign == 'ecc256'): if (sign == 'ecc256'):
img_type = HDR_IMG_TYPE_AUTH_ECC256 img_type = HDR_IMG_TYPE_AUTH_ECC256
if (sign == 'ecc384'):
img_type = HDR_IMG_TYPE_AUTH_ECC384
if (sign == 'ecc521'):
img_type = HDR_IMG_TYPE_AUTH_ECC521
if (sign == 'rsa2048'): if (sign == 'rsa2048'):
img_type = HDR_IMG_TYPE_AUTH_RSA2048 img_type = HDR_IMG_TYPE_AUTH_RSA2048
if (sign == 'rsa4096'): if (sign == 'rsa4096'):
@ -219,7 +225,7 @@ def make_header(image_file, fw_version, extra_fields=[]):
signature = ed.sign(digest) signature = ed.sign(digest)
elif (sign == 'ed448'): elif (sign == 'ed448'):
signature = ed.sign(digest) signature = ed.sign(digest)
elif (sign == 'ecc256'): elif (sign[0:3] == 'ecc'):
r, s = ecc.sign_raw(digest) r, s = ecc.sign_raw(digest)
signature = r + s signature = r + s
elif (sign == 'rsa2048') or (sign == 'rsa4096'): elif (sign == 'rsa2048') or (sign == 'rsa4096'):
@ -265,6 +271,10 @@ while (i < len(argv)):
sign='ed448' sign='ed448'
elif (argv[i] == '--ecc256'): elif (argv[i] == '--ecc256'):
sign='ecc256' sign='ecc256'
elif (argv[i] == '--ecc384'):
sign='ecc384'
elif (argv[i] == '--ecc521'):
sign='ecc521'
elif (argv[i] == '--rsa2048'): elif (argv[i] == '--rsa2048'):
sign='rsa2048' sign='rsa2048'
elif (argv[i] == '--rsa4096'): elif (argv[i] == '--rsa4096'):
@ -438,6 +448,20 @@ elif wolfboot_key_buffer_len == 96:
if sign == 'auto': if sign == 'auto':
sign = 'ecc256' sign = 'ecc256'
print("'ecc256' key autodetected.") print("'ecc256' key autodetected.")
elif wolfboot_key_buffer_len == 144:
if (sign != 'auto' and sign != 'ecc384'):
print("Error: key size does not match the cipher selected")
sys.exit(1)
if sign == 'auto':
sign = 'ecc384'
print("'ecc384' key autodetected.")
elif wolfboot_key_buffer_len == 198:
if (sign != 'auto' and sign != 'ecc521'):
print("Error: key size does not match the cipher selected")
sys.exit(1)
if sign == 'auto':
sign = 'ecc521'
print("'ecc521' key autodetected.")
elif (wolfboot_key_buffer_len > 512): elif (wolfboot_key_buffer_len > 512):
if (sign == 'auto'): if (sign == 'auto'):
print("'rsa4096' key autodetected.") print("'rsa4096' key autodetected.")
@ -445,7 +469,7 @@ elif (wolfboot_key_buffer_len > 128):
if (sign == 'auto'): if (sign == 'auto'):
print("'rsa2048' key autodetected.") print("'rsa2048' key autodetected.")
elif (sign != 'rsa2048'): elif (sign != 'rsa2048'):
print ("Error: key size too large for the selected cipher") print ("Error: key size %d too large for the selected cipher" % wolfboot_key_buffer_len)
else: else:
print ("Error: key size does not match any cipher") print ("Error: key size does not match any cipher")
sys.exit(2) sys.exit(2)
@ -462,6 +486,7 @@ elif not sha_only and not manual_sign:
if sign == 'ed448': if sign == 'ed448':
HDR_SIGNATURE_LEN = 114 HDR_SIGNATURE_LEN = 114
if WOLFBOOT_HEADER_SIZE < 512: if WOLFBOOT_HEADER_SIZE < 512:
print("Ed448: header size increased to 512")
WOLFBOOT_HEADER_SIZE = 512 WOLFBOOT_HEADER_SIZE = 512
ed = ciphers.Ed448Private(key = wolfboot_key_buffer) ed = ciphers.Ed448Private(key = wolfboot_key_buffer)
privkey, pubkey = ed.encode_key() privkey, pubkey = ed.encode_key()
@ -471,8 +496,29 @@ elif not sha_only and not manual_sign:
ecc.decode_key_raw(wolfboot_key_buffer[0:32], wolfboot_key_buffer[32:64], wolfboot_key_buffer[64:]) ecc.decode_key_raw(wolfboot_key_buffer[0:32], wolfboot_key_buffer[32:64], wolfboot_key_buffer[64:])
pubkey = wolfboot_key_buffer[0:64] pubkey = wolfboot_key_buffer[0:64]
if sign == 'ecc384':
HDR_SIGNATURE_LEN = 96
if WOLFBOOT_HEADER_SIZE < 512:
print("Ecc384: header size increased to 512")
WOLFBOOT_HEADER_SIZE = 512
ecc = ciphers.EccPrivate()
ecc.decode_key_raw(wolfboot_key_buffer[0:48], wolfboot_key_buffer[48:96], wolfboot_key_buffer[96:],
curve_id = ciphers.ECC_SECP384R1)
pubkey = wolfboot_key_buffer[0:96]
if sign == 'ecc521':
HDR_SIGNATURE_LEN = 132
ecc = ciphers.EccPrivate()
ecc.decode_key_raw(wolfboot_key_buffer[0:66], wolfboot_key_buffer[66:132], wolfboot_key_buffer[132:],
curve_id = ciphers.ECC_SECP521R1)
pubkey = wolfboot_key_buffer[0:132]
if WOLFBOOT_HEADER_SIZE < 512:
print("Ecc521: header size increased to 512")
WOLFBOOT_HEADER_SIZE = 512
if sign == 'rsa2048': if sign == 'rsa2048':
if WOLFBOOT_HEADER_SIZE < 512: if WOLFBOOT_HEADER_SIZE < 512:
print("Rsa2048: header size increased to 512")
WOLFBOOT_HEADER_SIZE = 512 WOLFBOOT_HEADER_SIZE = 512
HDR_SIGNATURE_LEN = 256 HDR_SIGNATURE_LEN = 256
rsa = ciphers.RsaPrivate(wolfboot_key_buffer) rsa = ciphers.RsaPrivate(wolfboot_key_buffer)
@ -480,6 +526,7 @@ elif not sha_only and not manual_sign:
if sign == 'rsa4096': if sign == 'rsa4096':
if WOLFBOOT_HEADER_SIZE < 1024: if WOLFBOOT_HEADER_SIZE < 1024:
print("Rsa4096: header size increased to 1024")
WOLFBOOT_HEADER_SIZE = 1024 WOLFBOOT_HEADER_SIZE = 1024
HDR_SIGNATURE_LEN = 512 HDR_SIGNATURE_LEN = 512
rsa = ciphers.RsaPrivate(wolfboot_key_buffer) rsa = ciphers.RsaPrivate(wolfboot_key_buffer)

3
tools/keytools/user_settings.h
View File

@ -45,6 +45,9 @@
#define HAVE_ECC #define HAVE_ECC
#define WOLFSSL_HAVE_SP_ECC #define WOLFSSL_HAVE_SP_ECC
#define ECC_TIMING_RESISTANT #define ECC_TIMING_RESISTANT
#define HAVE_ECC256
#define HAVE_ECC384
#define HAVE_ECC521
/* ED25519 */ /* ED25519 */
#define HAVE_ED25519 #define HAVE_ED25519

58
tools/test-renode.mk
View File

@ -68,6 +68,16 @@ ifeq ($(SIGN),ECC256)
SIGN_ARGS+= --ecc256 SIGN_ARGS+= --ecc256
endif endif
ifeq ($(SIGN),ECC384)
SIGN_ARGS+= --ecc384
endif
# Already supported in sign tools, not yet in wolfBoot.
# Currently, a compile-time error is produced if selected.
ifeq ($(SIGN),ECC521)
SIGN_ARGS+= --ecc521
endif
ifeq ($(SIGN),RSA2048) ifeq ($(SIGN),RSA2048)
SIGN_ARGS+= --rsa2048 SIGN_ARGS+= --rsa2048
endif endif
@ -208,6 +218,9 @@ renode-factory-ed448: FORCE
renode-factory-ecc256: FORCE renode-factory-ecc256: FORCE
make renode-factory SIGN=ECC256 make renode-factory SIGN=ECC256
renode-factory-ecc384: FORCE
make renode-factory SIGN=ECC384
renode-factory-rsa2048: FORCE renode-factory-rsa2048: FORCE
make renode-factory SIGN=RSA2048 make renode-factory SIGN=RSA2048
@ -222,9 +235,11 @@ renode-factory-all: FORCE
${Q}make clean ${Q}make clean
${Q}make renode-factory-ecc256 RENODE_PORT=55157 ${Q}make renode-factory-ecc256 RENODE_PORT=55157
${Q}make clean ${Q}make clean
${Q}make renode-factory-rsa2048 RENODE_PORT=55158 ${Q}make renode-factory-ecc384 RENODE_PORT=55158
${Q}make clean ${Q}make clean
${Q}make renode-factory-rsa4096 RENODE_PORT=55159 ${Q}make renode-factory-rsa2048 RENODE_PORT=55160
${Q}make clean
${Q}make renode-factory-rsa4096 RENODE_PORT=55161
${Q}echo All tests in $@ OK! ${Q}echo All tests in $@ OK!
renode-update-ed25519: FORCE renode-update-ed25519: FORCE
@ -236,6 +251,9 @@ renode-update-ed448: FORCE
renode-update-ecc256: FORCE renode-update-ecc256: FORCE
make renode-update SIGN=ECC256 make renode-update SIGN=ECC256
renode-update-ecc384: FORCE
make renode-update SIGN=ECC384
renode-update-rsa2048: FORCE renode-update-rsa2048: FORCE
make renode-update SIGN=RSA2048 make renode-update SIGN=RSA2048
@ -251,6 +269,9 @@ renode-no-downgrade-ed448: FORCE
renode-no-downgrade-ecc256: FORCE renode-no-downgrade-ecc256: FORCE
make renode-no-downgrade SIGN=ECC256 make renode-no-downgrade SIGN=ECC256
renode-no-downgrade-ecc384: FORCE
make renode-no-downgrade SIGN=ECC384
renode-no-downgrade-rsa2048: FORCE renode-no-downgrade-rsa2048: FORCE
make renode-no-downgrade SIGN=RSA2048 make renode-no-downgrade SIGN=RSA2048
@ -266,6 +287,9 @@ renode-corrupted-ed448: FORCE
renode-corrupted-ecc256: FORCE renode-corrupted-ecc256: FORCE
make renode-corrupted SIGN=ECC256 make renode-corrupted SIGN=ECC256
renode-corrupted-ecc384: FORCE
make renode-corrupted SIGN=ECC384
renode-corrupted-rsa2048: FORCE renode-corrupted-rsa2048: FORCE
make renode-corrupted SIGN=RSA2048 make renode-corrupted SIGN=RSA2048
@ -280,9 +304,11 @@ renode-update-all: FORCE
${Q}make clean ${Q}make clean
${Q}make renode-update-ecc256 RENODE_PORT=55157 ${Q}make renode-update-ecc256 RENODE_PORT=55157
${Q}make clean ${Q}make clean
${Q}make renode-update-rsa2048 RENODE_PORT=55158 ${Q}make renode-update-ecc384 RENODE_PORT=55158
${Q}make clean ${Q}make clean
${Q}make renode-update-rsa4096 RENODE_PORT=55159 ${Q}make renode-update-rsa2048 RENODE_PORT=55160
${Q}make clean
${Q}make renode-update-rsa4096 RENODE_PORT=55161
${Q}echo All tests in $@ OK! ${Q}echo All tests in $@ OK!
renode-no-downgrade-all: FORCE renode-no-downgrade-all: FORCE
@ -293,9 +319,11 @@ renode-no-downgrade-all: FORCE
${Q}make clean ${Q}make clean
${Q}make renode-no-downgrade-ecc256 RENODE_PORT=55157 ${Q}make renode-no-downgrade-ecc256 RENODE_PORT=55157
${Q}make clean ${Q}make clean
${Q}make renode-no-downgrade-rsa2048 RENODE_PORT=55158 ${Q}make renode-no-downgrade-ecc384 RENODE_PORT=55158
${Q}make clean ${Q}make clean
${Q}make renode-no-downgrade-rsa4096 RENODE_PORT=55159 ${Q}make renode-no-downgrade-rsa2048 RENODE_PORT=55160
${Q}make clean
${Q}make renode-no-downgrade-rsa4096 RENODE_PORT=55161
${Q}echo All tests in $@ OK! ${Q}echo All tests in $@ OK!
renode-corrupted-all: FORCE renode-corrupted-all: FORCE
@ -306,10 +334,24 @@ renode-corrupted-all: FORCE
${Q}make clean ${Q}make clean
${Q}make renode-corrupted-ecc256 RENODE_PORT=55157 ${Q}make renode-corrupted-ecc256 RENODE_PORT=55157
${Q}make clean ${Q}make clean
${Q}make renode-corrupted-rsa2048 RENODE_PORT=55158 ${Q}make renode-corrupted-ecc384 RENODE_PORT=55158
${Q}make clean ${Q}make clean
${Q}make renode-corrupted-rsa4096 RENODE_PORT=55159 ${Q}make renode-corrupted-rsa2048 RENODE_PORT=55160
${Q}make clean
${Q}make renode-corrupted-rsa4096 RENODE_PORT=55161
${Q}echo All tests in $@ OK! ${Q}echo All tests in $@ OK!
renode-update-all-armored: FORCE renode-update-all-armored: FORCE
${Q}make renode-update-all ARMORED=1 ${Q}make renode-update-all ARMORED=1
renode-update-all-smallstack: FORCE
${Q}make renode-update-all WOLFBOOT_SMALL_STACK=1
renode-update-all-smallstack-noasm: FORCE
${Q}make renode-update-all WOLFBOOT_SMALL_STACK=1 NO_ASM=1
renode-update-all-fastmath: FORCE
${Q}make renode-update-all SPMATH=0
renode-update-all-smallstack-fastmath: FORCE
${Q}make renode-update-all SPMATH=0 WOLFBOOT_SMALL_STACK=1