zephyr: Add CONFIG_BOOT_BYPASS_KEY_MATCH

Add Zephyr support for MCUBOOT_BYPASS_KEY_MATCH

Signed-off-by: Dominik Ermel <[email protected]>

Author: de-nordic

boot/zephyr/Kconfig

@@ -325,6 +325,20 @@ endif
 
 endchoice
 
+config BOOT_BYPASS_KEY_MATCH
+	bool "Do not match TLV key hash against built in key"
+	depends on !BOOT_SIGNATURE_TYPE_NONE
+	help
+	  MCUboot reads, from TLV, hash of key thath should be used to verify
+	  signature and tries to match it against list of keys, to select the
+	  key from known keys. This pointless when there is only single key
+	  compiled in, as the key can be used whether it is the right one
+	  or not, the signature verification process will verify the key.
+	  Enabling this option turns off key matching, slightly reducing
+	  MCUboot code and boot time.
+
+
+
 config BOOT_SIGNATURE_KEY_FILE
 	string "PEM key file"
 	default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -153,6 +153,15 @@
 #define MCUBOOT_ENCRYPT_X25519
 #endif
 
+/* Turn off check of public key hash against compiled in key
+ * before attempting signature verification. When there is only
+ * one key, matching is pointless, the signature may just be
+ * verified with the only key that there is.
+ */
+#ifdef CONFIG_BOOT_BYPASS_KEY_MATCH
+#define MCUBOOT_BYPASS_KEY_MATCH
+#endif
+
 #ifdef CONFIG_BOOT_DECOMPRESSION
 #define MCUBOOT_DECOMPRESS_IMAGES
 #endif