BL2: Enable Multi-Signature Support for Built-in keys

This patch introduces multi-signature support for built-in keys,
enabling the use of multiple keys per image (of the same type) for
signature verification.

->  All changes enabled when MCUBOOT_IMAGE_MULTI_SIG_SUPPORT is defined.

->  Secure image is signed with additional key (NS key).
    Related key id is added to the image TLV and parsed by MCUboot
    to retrieve the material from OTP.

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Ia27d0d4b630069cf2d2372bf7b31e9b86a2f4a1e

Author: maulik-arm

bl2/ext/mcuboot/CMakeLists.txt

@@ -80,6 +80,7 @@ target_compile_definitions(bl2
         $<$<BOOL:${MCUBOOT_BUILTIN_KEY}>:TFM_S_KEY_ID=${TFM_S_KEY_ID}>
         $<$<BOOL:${MCUBOOT_BUILTIN_KEY}>:TFM_NS_KEY_ID=${TFM_NS_KEY_ID}>
         MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE=${MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE}
+        $<$<BOOL:${MCUBOOT_IMAGE_MULTI_SIG_SUPPORT}>:MCUBOOT_IMAGE_MULTI_SIG_SUPPORT>
 )
 
 target_link_libraries(bl2
@@ -220,6 +221,13 @@ if (PLATFORM_DEFAULT_IMAGE_SIGNING)
 
     if(MCUBOOT_BUILTIN_KEY)
         set(wrapper_args ${wrapper_args} --psa-key-ids ${TFM_S_KEY_ID})
+        if(MCUBOOT_IMAGE_MULTI_SIG_SUPPORT AND PLATFORM_DEFAULT_ROTPK)
+            set(wrapper_args ${wrapper_args} --psa-key-ids ${TFM_NS_KEY_ID})
+        endif()
+    endif()
+
+    if(MCUBOOT_IMAGE_MULTI_SIG_SUPPORT)
+        set(wrapper_args ${wrapper_args} -k ${MCUBOOT_KEY_NS})
     endif()
 
     add_custom_command(OUTPUT tfm_s_signed.bin

bl2/ext/mcuboot/keys.c

@@ -634,6 +634,32 @@ typedef struct {
     uint32_t key_id[MAX_KEYS_PER_IMAGE];  /*!< Key id of built in keys */
 }image_key_id_mapping_t;
 
+#ifdef MCUBOOT_IMAGE_MULTI_SIG_SUPPORT
+/* Platform specific image to key id (otp id offset) map */
+static const image_key_id_mapping_t tfm_image_key_map[] = {
+    {
+        /* Image 0: Two keys provided; both keys are required */
+        .key_id = { TFM_S_KEY_ID, TFM_NS_KEY_ID},
+    },
+    {
+        /* Image 1: Only one key is provided and required, the second slot is unused */
+        .key_id = { TFM_NS_KEY_ID, PSA_KEY_ID_NULL },
+    },
+#if (MCUBOOT_IMAGE_NUMBER > 2)
+    {
+        /* Image 2: Only one key is provided and required, the second slot is unused */
+        .key_id = { TFM_S_KEY_ID, PSA_KEY_ID_NULL },
+    },
+#endif /* MCUBOOT_IMAGE_NUMBER > 2 */
+#if (MCUBOOT_IMAGE_NUMBER > 3)
+    {
+        /* Image 3: Only one key is provided and required, the second slot is unused */
+        .key_id = { TFM_S_KEY_ID, PSA_KEY_ID_NULL },
+    },
+#endif /* MCUBOOT_IMAGE_NUMBER > 3 */
+};
+
+#else
 /* Platform specific image to key id (otp id offset) map */
 static const image_key_id_mapping_t tfm_image_key_map[] = {
     {
@@ -647,16 +673,17 @@ static const image_key_id_mapping_t tfm_image_key_map[] = {
 #if (MCUBOOT_IMAGE_NUMBER > 2)
     {
         /* Image 2: Only one key is provided and required */
-        .key_id = { TFM_S_KEY_ID_3 },
+        .key_id = { TFM_S_KEY_ID },
     },
 #endif /* MCUBOOT_IMAGE_NUMBER > 2 */
 #if (MCUBOOT_IMAGE_NUMBER > 3)
     {
         /* Image 3: Only one key is provided and required */
-        .key_id = { TFM_S_KEY_ID_4 },
+        .key_id = { TFM_S_KEY_ID },
     },
 #endif /* MCUBOOT_IMAGE_NUMBER > 3 */
 };
+#endif /* MCUBOOT_IMAGE_MULTI_SIG_SUPPORT */
 
 static int get_key_id(uint8_t img_idx, uint8_t key_idx)
 {

bl2/ext/mcuboot/mcuboot_default_config.cmake

@@ -57,7 +57,12 @@ set(MCUBOOT_KEY_S                       "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/roo
 set(MCUBOOT_KEY_NS                      "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}_1.pem" CACHE FILEPATH "Path to key with which to sign non-secure binary")
 set(TFM_S_KEY_ID                        0                CACHE STRING    "Key ID of the key used to sign the secure image")
 set(TFM_NS_KEY_ID                       1                CACHE STRING    "Key ID of the key used to sign the non-secure image")
-set(MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE    1                CACHE STRING    "Maximum number of RoTPK keys per image to be used in BL2")
+set(MCUBOOT_IMAGE_MULTI_SIG_SUPPORT     OFF              CACHE BOOL      "Enable multiple signature support for images")
+if(MCUBOOT_IMAGE_MULTI_SIG_SUPPORT)
+    set(MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE     2           CACHE STRING    "Maximum number of RoTPK keys per image to be used in BL2")
+else()
+    set(MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE     1           CACHE STRING    "Maximum number of RoTPK keys per image to be used in BL2")
+endif()
 
 if (MCUBOOT_SIGNATURE_TYPE STREQUAL EC-P384)
     set(MCUBOOT_ROTPK_HASH_ALG          SHA384           CACHE STRING "Algoritm to use to hash mcuboot ROTPKs")

platform/ext/common/provisioning_bundle/provisioning_bundle.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *

platform/ext/common/provisioning_bundle/provisioning_code.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Arm Limited. All rights reserved.
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *