Add support for multiple same-type signatures with key ID parsing #2305
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When MCUBOOT_BUILTIN_KEY is enabled, the key id TLV entry is added to the image. Parse this entry while validating the image to identify the key used to sign the image. This enables future support for scenarios such as multiple built-in keys or multi-signature. Signed-off-by: Maulik Patel <[email protected]> Change-Id: Ibe26bc2b09e63350f4214719606a5aa4bc1be93c
This patch adds support for multiple signatures to single image. This is useful for scenarios where multiple keys are used to sign images, allowing for greater flexibility and security in the image verification process. The tool command line interface is extended to support multiple signatures. The imgtool test suite is updated to test the new functionality. Change-Id: I285b426671f6ad76472f0a2f8fb3a330f8882c3d Signed-off-by: Maulik Patel <[email protected]>
This commit adds functionality to the bootutil library to support multiple sign verfication of same type when 'MCUBOOT_BUILTIN_KEY' or 'MCUBOOT_HW_KEY' is enabled. Signed-off-by: Maulik Patel <[email protected]> Change-Id: I05c97ac385c5816c812c51feb010028df8412fe5
Since the key id concept in the PSA specific, rename the variables accordingly. Signed-off-by: Maulik Patel <[email protected]> Change-Id: I8a8a5ceba5554211f185cc4045a6081b6d407507
davidvincze
reviewed
May 21, 2025
| #else | ||
| /* For MCUBOOT_BUILTIN_KEY, key id is passed */ | ||
| #define EXPECTED_KEY_TLV IMAGE_TLV_KEYID | ||
| #define KEY_BUF_SIZE sizeof(int) |
There was a problem hiding this comment.
Suggested change
| #define KEY_BUF_SIZE sizeof(int) | |
| #define KEY_BUF_SIZE sizeof(int32_t) |
Comment on lines
+348
to
+351
| return ((int32_t)key_id_buf[0] << 24) | | ||
| ((int32_t)key_id_buf[1] << 16) | | ||
| ((int32_t)key_id_buf[2] << 8) | | ||
| ((int32_t)key_id_buf[3]); |
There was a problem hiding this comment.
Suggested change
| return ((int32_t)key_id_buf[0] << 24) | | |
| ((int32_t)key_id_buf[1] << 16) | | |
| ((int32_t)key_id_buf[2] << 8) | | |
| ((int32_t)key_id_buf[3]); | |
| return (((int32_t)key_id_buf[0] << 24) | | |
| ((int32_t)key_id_buf[1] << 16) | | |
| ((int32_t)key_id_buf[2] << 8) | | |
| ((int32_t)key_id_buf[3])); |
| @@ -135,13 +136,19 @@ def add(self, kind, payload): | |||
| """ | |||
| e = STRUCT_ENDIAN_DICT[self.endian] | |||
| if isinstance(kind, int): | |||
| if not TLV_VENDOR_RES_MIN <= kind <= TLV_VENDOR_RES_MAX: | |||
| if kind in TLV_VALUES.values(): | |||
| buf = struct.pack(e + 'I', kind) | |||
There was a problem hiding this comment.
The payload length is missing (should be it_type + it_len).
| def _add_key_id_tlv_to_unprotected(self, tlv, key_id: int): | ||
| """Add a key ID TLV into the *unprotected* TLV area.""" | ||
| tag = TLV_VALUES['KEYID'] | ||
| value = key_id.to_bytes(4, 'big') |
Comment on lines
+847
to
+848
| base_tlv_off = header_size + img_size | ||
| tlv_off = base_tlv_off |
There was a problem hiding this comment.
What's the reason behind it? Leftover code from development?
| @@ -450,7 +464,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, | |||
| dependencies, load_addr, hex_addr, erased_val, save_enctlv, | |||
| security_counter, boot_record, custom_tlv, rom_fixed, max_align, | |||
| clear, fix_sig, fix_sig_pubkey, sig_out, user_sha, is_pure, | |||
| vector_to_sign, non_bootable): | |||
| vector_to_sign, non_bootable, psa_key_ids): | |||
There was a problem hiding this comment.
It should be passed to the Image constructor in line 473.
Currently it's only initialized to None which is then used by the create method.
| @@ -441,6 +453,8 @@ def convert(self, value, param, ctx): | |||
| help='send to OUTFILE the payload or payload''s digest instead ' | |||
| 'of complied image. These data can be used for external image ' | |||
| 'signing') | |||
| @click.option('--psa-key-ids', multiple=True, type=int, required=False, | |||
There was a problem hiding this comment.
I believe multiple=True is not needed if it takes a list of IDs.
| @@ -97,6 +97,15 @@ def save_signature(sigfile, sig): | |||
| signature = base64.b64encode(sig) | |||
There was a problem hiding this comment.
save_signature can be deleted if unused
davidvincze
added
area: core
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for signing and verifying images with multiple signatures of the same type (e.g., multiple EC256 signatures), enhancing flexibility in secure boot scenarios. It also introduces Key ID TLV parsing to enable the bootloader to select the correct key from a set of built-in keys.
Motivation
Previously, MCUboot only allowed a single signature per image per signature type. This limited use cases where multiple stakeholders need to sign the same image or when fallback keys are required.
This PR removes that limitation by allowing multiple signatures of the same type.
Use Cases
Changes Included
1. bootutil: Parse key ID TLV for built-in keys
MCUBOOT_BUILTIN_KEYis enabled.2. imgtool: Add support for multiple signatures and key ID TLVs
--keyarguments.3. bootutil: Add support for verifying multiple same-type signatures
MCUBOOT_BUILTIN_KEYorMCUBOOT_HW_KEYis enabled, the key ID is used to select the appropriate key for verification.Notes