@@ -134,6 +134,14 @@ config BOOT_IMG_HASH_ALG_SHA512
134134
135135endchoice # BOOT_IMG_HASH_ALG
136136
137+ config BOOT_SIGNATURE_TYPE_PURE_ALLOW
138+ bool
139+ help
140+ Hidden option set by configurations that allow Pure variant,
141+ for example ed25519. The pure variant means that image
142+ signature is calculated over entire image instead of hash
143+ of an image.
144+
137145choice BOOT_SIGNATURE_TYPE
138146 prompt "Signature type"
139147 default BOOT_SIGNATURE_TYPE_RSA
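Review bot: the help text for BOOT_SIGNATURE_TYPE_PURE_ALLOW (new lines 140-143) explains what the pure variant is but not what this promptless symbol is for. A reader has to find BOOT_SIGNATURE_TYPE_PURE further down to learn that it gates that option through "depends on". Suggest saying in the help that the symbol is to be selected only by signature types that can verify over the whole image, and that BOOT_SIGNATURE_TYPE_PURE depends on it. Minor: "Pure variant" and "pure variant" are capitalized differently within the same help text.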
@@ -185,10 +193,28 @@ endif
185193
186194config BOOT_SIGNATURE_TYPE_ED25519
187195 bool "Edwards curve digital signatures using ed25519"
188- select BOOT_ENCRYPTION_SUPPORT
189- select BOOT_IMG_HASH_ALG_SHA256_ALLOW
196+ select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE
197+ select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE
198+ # The SHA is used only for key hashing, not for images.
199+ select BOOT_SIGNATURE_TYPE_PURE_ALLOW
200+ help
201+ This is ed25519 signature calculated over SHA512 of SHA256 of application
202+ image.
203+ To check signature over entire image directly, rather than hash,
204+ select BOOT_SIGNATURE_TYPE_PURE.
190205
191206if BOOT_SIGNATURE_TYPE_ED25519
207+
208+ config BOOT_SIGNATURE_TYPE_PURE
209+ bool "Use Pure signature of image"
210+ depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW
211+ help
212+ The Pure signature is calculated directly over image rather than
213+ hash of an image, as the BOOT_SIGNATURE_TYPE_ED25519 does by
214+ default.
215+ Image to be verified needs to be accessible through memory address
216+ space that cryptography functions can access via pointers.
217+
192218choice BOOT_ED25519_IMPLEMENTATION
193219 prompt "Ecdsa implementation"
194220 default BOOT_ED25519_TINYCRYPT
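Review bot: the help for BOOT_SIGNATURE_TYPE_PURE (new lines 212-216) does not say that enabling it stops BOOT_SIGNATURE_TYPE_ED25519 from selecting BOOT_ENCRYPTION_SUPPORT and BOOT_IMG_HASH_ALG_SHA256_ALLOW, which is what the two "if !BOOT_SIGNATURE_TYPE_PURE" conditions on new lines 196-197 do. Dropping the encryption support select is a side effect that users choosing the pure variant need to see, so please state it in the help text. The comment on new line 198 ("The SHA is used only for key hashing, not for images.") sits after the two conditional selects and before "select BOOT_SIGNATURE_TYPE_PURE_ALLOW", so it is not clear which line it explains; move it directly above the select it refers to. The requirement that the image be reachable through pointer-addressable memory is only documented in the help here, not expressed as a dependency.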