From 5be772e96241695c11657ced12d571d695fbcc5b Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Thu, 15 May 2025 17:37:06 +0000
Subject: [PATCH 1/2] bootutil: Support for MCUBOOT_BYPASS_KEY_MATCH

This MCUboot configuration option turns off matching of public key hash, taken from image TLV, against built in public key. Such verification is not needed when there is only one key built in as the signature verification will reject image signed with unknown key anyway. Enabling the option allows to slightly reduce MCUboot binary size by removing the code that does the key matching. Boot time improvement is not really significant.

Signed-off-by: Dominik Ermel
---
 boot/bootutil/src/image_validate.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index f6d4ba224..db40f9390 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -278,6 +278,8 @@ bootutil_img_hash(struct boot_loader_state *state,
 # define KEY_BUF_SIZE (SIG_BUF_SIZE + 24)
 #endif /* !MCUBOOT_HW_KEY */
 
+#if !defined(MCUBOOT_BYPASS_KEY_MATCH)
+/* Find functions are only needed when key is checked first */
 #if !defined(MCUBOOT_HW_KEY)
 static int
 bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
@@ -347,6 +349,18 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
 #endif /* !MCUBOOT_HW_KEY */
 #endif /* !MCUBOOT_BUILTIN_KEY */
 #endif /* EXPECTED_SIG_TLV */
+#else /* !MCUBOOT_BYPASS_KEY_MATCH */
+static inline int
+bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
+{
+    (void)image_index;
+    (void)key;
+    (void)key_len;
+
+    /* There is only one key, so it always matches */
+    return 0;
+}
+#endif /* !MCUBOOT_BYPASS_KEY_MATCH */
 
 /**
  * Reads the value of an image's security counter.
From b8d121477fda65ae693bcc1d91e806e2d1e40edc Mon Sep 17 00:00:00 2001
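Review bot: The new `#if !defined(MCUBOOT_BYPASS_KEY_MATCH)` is opened right after the `#endif /* !MCUBOOT_HW_KEY */` that closes the KEY_BUF_SIZE selection, which by the trailing comments in the second hunk puts it inside the `#if !defined(MCUBOOT_BUILTIN_KEY)` and `#ifdef EXPECTED_SIG_TLV` scopes, yet its `#else` only appears after both of their closing `#endif`s. The preprocessor pairs conditionals by position, not by comment text, so as shown `#endif /* !MCUBOOT_BUILTIN_KEY */` would close the bypass conditional and the `#else` would attach to `#ifdef EXPECTED_SIG_TLV`; with the bypass enabled and a signature type configured, no `bootutil_find_key` would be compiled at all, and with no signature type the stub would be emitted for nothing. Unless those two outer conditionals are re-opened between the hunks (not visible here), the `#else` block and its `#endif /* !MCUBOOT_BYPASS_KEY_MATCH */` from the second hunk should be moved to just before `#endif /* !MCUBOOT_BUILTIN_KEY */`, so the bypass conditional closes in the scope it was opened in.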
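Review bot: The stub `bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)` copies the three-argument `MCUBOOT_HW_KEY` prototype named in this hunk's header, while the first hunk shows the `!MCUBOOT_HW_KEY` variant as `bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)`, and the companion Kconfig restricts the option to `!BOOT_HW_KEY`; if the call site, which lies outside this hunk, uses the two-argument form there, the stub will not match it. The stub also returns key index 0 unconditionally, so in a build that happens to carry more than one key, images signed with any other key are rejected without the mismatch ever being visible, and nothing here checks the "only one key" assumption the comment relies on. I would state the precondition in the comment, `/* MCUBOOT_BYPASS_KEY_MATCH assumes exactly one built-in key; with several keys only key 0 is ever tried. */`, and, assuming `bootutil_key_cnt` from keys.c is in scope here (not visible in the hunk), fail closed with `if (bootutil_key_cnt != 1) { return -1; }` before `return 0;` so the bypass cannot silently mask a multi-key build.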
From: Dominik Ermel Date: Thu, 15 May 2025 17:40:12 +0000 Subject: [PATCH 2/2] zephyr: Add CONFIG_BOOT_BYPASS_KEY_MATCH Add Zephyr support for MCUBOOT_BYPASS_KEY_MATCH Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 13 +++++++++++++ boot/zephyr/include/mcuboot_config/mcuboot_config.h | 9 +++++++++ 2 files changed, 22 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 929a85892..ff4c14c1a 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -325,6 +325,19 @@ endif endchoice +config BOOT_BYPASS_KEY_MATCH + bool "Do not match TLV key hash against built in key" + depends on !BOOT_SIGNATURE_TYPE_NONE + depends on !BOOT_HW_KEY + help + MCUboot reads, from TLV, hash of a key that should be used to verify + a signature and uses it to find a builtin key. + This action is pointless when there is single key compiled in, + as the signature verification process will just fail if that is not + the right key. + Enabling this option turns off key matching, slightly reducing + MCUboot code and boot time. + config BOOT_SIGNATURE_KEY_FILE string "PEM key file" default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256 diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index f580c53c9..9612b2eae 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -164,6 +164,15 @@ #define MCUBOOT_HMAC_SHA512 #endif +/* Turn off check of public key hash against compiled in key + * before attempting signature verification. When there is only + * one key, matching is pointless, the signature may just be + * verified with the only key that there is. + */ +#ifdef CONFIG_BOOT_BYPASS_KEY_MATCH +#define MCUBOOT_BYPASS_KEY_MATCH +#endif + #ifdef CONFIG_BOOT_DECOMPRESSION #define MCUBOOT_DECOMPRESS_IMAGES #endif
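Review bot: `config BOOT_BYPASS_KEY_MATCH` depends on `!BOOT_HW_KEY` and on a signature type, but nothing ties it to the single-key build that its help text uses as the justification; if more than one key ends up compiled into the bootloader, the bypass verifies against the first key only and every image signed with another key is rejected with no indication why. Since Kconfig cannot count keys here, the help text should spell out the precondition and the failure mode, for example add `Only enable this when exactly one verification key is compiled in; with several keys, images signed with any key but the first are rejected.` The existing wording `when there is single key compiled in` should also read `when there is a single key compiled in`.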