Allow bypasing signature hash key matching #2310
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
de-nordic
force-pushed
the
bypass-key-match
branch
3 times, most recently
from
29e6bcb to
2825070
Compare
nordicjm
reviewed
May 20, 2025
| @@ -325,6 +325,18 @@ endif | |||
|
|
|||
| endchoice | |||
|
|
|||
| config BOOT_BYPASS_KEY_MATCH | |||
| bool "Do not match TLV key hash against built in key" | |||
| depends on !BOOT_SIGNATURE_TYPE_NONE | |||
de-nordic
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR introduces an option to skip matching the TLV key hash against built-in public keys when only one key is compiled in, reducing code size.
- Adds
MCUBOOT_BYPASS_KEY_MATCHconfig flag inmcuboot_config.h - Wraps
bootutil_find_keyand its call inimage_validate.cwith#if !defined(MCUBOOT_BYPASS_KEY_MATCH) - Defaults
key_idto 0 when bypassing key match
Reviewed Changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| boot/zephyr/include/mcuboot_config/mcuboot_config.h | Added MCUBOOT_BYPASS_KEY_MATCH option |
| boot/bootutil/src/image_validate.c | Conditionalized key-hash matching and lookup logic |
Files not reviewed (1)
- boot/zephyr/Kconfig: Language not supported
Comments suppressed due to low confidence (2)
boot/bootutil/src/image_validate.c:274
- There are no tests covering the bypass logic. Please add unit tests for both paths (with and without
MCUBOOT_BYPASS_KEY_MATCH) to verify correct key lookup and fallback behavior.
#if !defined(MCUBOOT_BYPASS_KEY_MATCH)
boot/bootutil/src/image_validate.c:641
- When bypassing the key‐match, we unconditionally set
key_id = 0. Consider adding a compile-time or runtime assertion to ensure exactly one built-in key is present when this option is enabled to avoid inadvertently using the wrong key.
key_id = 0;
This MCUboot configuration option turns off matching of public key hash, taken from image TLV, against built in public key. Such verification is not needed when there is only one key built in as the signature verification will reject image signed with unknown key anyway. Enabling the option allows to slightly reduce MCUboot binary size by removing the code that does the key matching. Boot time improvement is not really significant. Signed-off-by: Dominik Ermel <[email protected]>
Add Zephyr support for MCUBOOT_BYPASS_KEY_MATCH Signed-off-by: Dominik Ermel <[email protected]>
de-nordic
force-pushed
the
bypass-key-match
branch
from
ac3dd9a to
4420345
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently MCUboot checks whether key hash in TLV matches any known builtin public keys.
When only one key in compiled in, most cases, then this match is pointless as image signature verification will just verify validity of the key anyway.
The PR adds MCUBOOT_BYPASS_KEY_MATCH option that allows to turn of the key matching and slightly reduces the binary size.