Allow bypassing signature hash key matching #2310


Open

wants to merge 2 commits into base: main
8 changes: 8 additions & 0 deletions boot/bootutil/src/image_validate.c
Expand Up @@ -271,6 +271,8 @@ bootutil_img_hash(struct boot_loader_state *state,
# define KEY_BUF_SIZE (SIG_BUF_SIZE + 24)
#endif /* !MCUBOOT_HW_KEY */

#if !defined(MCUBOOT_BYPASS_KEY_MATCH)
/* Find functions are only needed when key is checked first */
#if !defined(MCUBOOT_HW_KEY)
static int
bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
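Review bot: the new `#if !defined(MCUBOOT_BYPASS_KEY_MATCH)` is opened before `#if !defined(MCUBOOT_HW_KEY)`, so it compiles out both variants of `bootutil_find_key`, the hash-matching one and the `MCUBOOT_HW_KEY` one, while the only thing preventing the bypass from being combined with a hardware key is the Zephyr-side `depends on !BOOT_HW_KEY`. Since `MCUBOOT_BYPASS_KEY_MATCH` is a bootutil define that other ports can set directly, consider either moving the guard inside the `!MCUBOOT_HW_KEY` branch or adding `#if defined(MCUBOOT_BYPASS_KEY_MATCH) && defined(MCUBOOT_HW_KEY)` / `#error` so a misconfigured build fails with a clear diagnostic instead of an undefined-function error later in the file. The comment "Find functions are only needed when key is checked first" would also read better as "key matching is only needed when a key is selected before signature verification".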
Expand Down Expand Up @@ -337,6 +339,7 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
#endif /* !MCUBOOT_HW_KEY */
#endif /* !MCUBOOT_BUILTIN_KEY */
#endif /* EXPECTED_SIG_TLV */
#endif /* !MCUBOOT_BYPASS_KEY_MATCH */

/**
* Reads the value of an image's security counter.
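Review bot: the closing `#endif /* !MCUBOOT_BYPASS_KEY_MATCH */` is placed after `#endif /* EXPECTED_SIG_TLV */`, but the matching `#if` was opened in the previous hunk below the `KEY_BUF_SIZE` block, i.e. inside whatever guards are already open at that point. If `EXPECTED_SIG_TLV` and `!MCUBOOT_BUILTIN_KEY` are opened above the new `#if`, the preprocessor still pairs each `#endif` with the innermost open `#if` and the result is functionally identical, but the trailing comments on these four `#endif` lines no longer describe what each one closes. Suggest placing the new `#endif` directly after `#endif /* !MCUBOOT_HW_KEY */` so the nesting and the comments agree.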
Expand Down Expand Up @@ -631,7 +634,12 @@ bootutil_img_validate(struct boot_loader_state *state,
if (rc) {
goto out;
}
#if !defined(MCUBOOT_BYPASS_KEY_MATCH)
key_id = bootutil_find_key(buf, len);
#else
/* There is only one key */
key_id = 0;
#endif
#else
rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len);
if (rc) {
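Review bot: `key_id = 0` hardcodes the assumption in the comment (`There is only one key`) but nothing enforces it: if the compiled-in key list holds more than one entry, an image signed with any key other than the first is rejected at signature verification with no indication that key selection was skipped. Consider a compile-time check that the key count is 1 when `MCUBOOT_BYPASS_KEY_MATCH` is defined, or at least a boot-time assertion, rather than relying on the Kconfig help text. Also, the key-hash TLV appears to still be loaded into `buf` just above this point and is then unused on the bypass path; if that read is only there to feed `bootutil_find_key`, it can be skipped under the same guard.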
13 changes: 13 additions & 0 deletions boot/zephyr/Kconfig
Expand Up @@ -325,6 +325,19 @@ endif

endchoice

config BOOT_BYPASS_KEY_MATCH
bool "Do not match TLV key hash against built in key"
depends on !BOOT_SIGNATURE_TYPE_NONE
Collaborator

depends on !hw key?

depends on !BOOT_HW_KEY
help
MCUboot reads, from TLV, hash of key thath should be used to verify
signature and tries to match it against list of keys, to select the
key from known keys. This pointless when there is only single key
compiled in, as the key can be used whether it is the right one
or not, the signature verification process will verify the key.
Enabling this option turns off key matching, slightly reducing
MCUboot code and boot time.

config BOOT_SIGNATURE_KEY_FILE
string "PEM key file"
default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
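Review bot: the help text should state the precondition the option depends on, namely that exactly one key is compiled in, since with the bypass enabled `bootutil_img_validate` always uses key index 0 and never reports that matching was skipped. The text also needs a grammar pass: "thath" should be "that", "This pointless" should be "This is pointless", "from known keys" should be "from the known keys", and "built in key" in the prompt should be "built-in key". The `depends on !BOOT_HW_KEY` added after the reviewer's question is the right constraint, given that the bootutil change compiles out the hardware-key variant of `bootutil_find_key` as well.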
9 changes: 9 additions & 0 deletions boot/zephyr/include/mcuboot_config/mcuboot_config.h
Expand Up @@ -153,6 +153,15 @@
#define MCUBOOT_ENCRYPT_X25519
#endif

/* Turn off check of public key hash against compiled in key
* before attempting signature verification. When there is only
* one key, matching is pointless, the signature may just be
* verified with the only key that there is.
*/
#ifdef CONFIG_BOOT_BYPASS_KEY_MATCH
#define MCUBOOT_BYPASS_KEY_MATCH
#endif

#ifdef CONFIG_BOOT_DECOMPRESSION
#define MCUBOOT_DECOMPRESS_IMAGES
#endif