boot: SHA512 verification #1967
Conversation
michalek-no
force-pushed
the
mb-psa-patch
branch
2 times, most recently
from
4153784 to
9de733a
Compare
michalek-no
force-pushed
the
mb-psa-patch
branch
from
9de733a to
2e6d3ea
Compare
boot/zephyr/Kconfig
Outdated
|
|
||
| config BOOT_SIGNATURE_TYPE_NONE_SHA512 | ||
| bool "No signature; use only sha512 check" |
There was a problem hiding this comment.
Not really sure what the point of this change is? The hash would only be for detecting bit flips, the chance of having a bit flip and a sha256 hash still matching is basically impossible, so not sure why allowing a sha512 for this would improve anything?
There was a problem hiding this comment.
In general yes, but it's security requirement we got.
There was a problem hiding this comment.
AFAIK BOOT_SIGNATURE_TYPE_NONE was introduced for giving SW evaluation (for development testing) value. It is not intended to use in any real product. If we are not going to use BOOT_SIGNATURE_TYPE_NONE_SHA512 for anything like this - then it is not needed.
de-nordic
force-pushed
the
mb-psa-patch
branch
2 times, most recently
from
4b1d4b8 to
4bbfc04
Compare
|
Sorry, got to add own sign off on the thing because I just added one line. |
de-nordic
force-pushed
the
mb-psa-patch
branch
from
4bbfc04 to
65116e0
Compare
boot/zephyr/Kconfig
Outdated
| config BOOT_USE_PSA_CRYPTO | ||
| bool | ||
| # Hidden option | ||
| default n |
There was a problem hiding this comment.
default n is never needed
boot/zephyr/Kconfig
Outdated
| Hash algorithm used for image verification. Selection | ||
| here may be limited by other configurations, like for | ||
| example selected cryptographic signature. | ||
| default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW |
There was a problem hiding this comment.
default goes above help text, help text is always last. In addition the list of options seems reversed, this means if you supported sha512 and sha256, you would always default to sha256
boot/zephyr/Kconfig
Outdated
| config BOOT_IMG_HASH_ALG_SHA512 | ||
| bool "SHA512" | ||
| depends on BOOT_IMG_HASH_ALG_SHA512_ALLOW | ||
| depends on BOOT_USE_PSA_CRYPT |
There was a problem hiding this comment.
this should be part of the depends on for the allow part
There was a problem hiding this comment.
Moved it back, I have wasted too much time fighting with conflicts in Kconfig.
boot/zephyr/Kconfig
Outdated
| select BOOT_USE_TINYCRYPT | ||
| select BOOT_IMG_HASH_ALG_SHA256_ALLOW | ||
| select BOOT_IMG_HASH_ALG_SHA512_ALLOW |
There was a problem hiding this comment.
Don't see the point in sha512 here, this means you have no signature, so you could use a crc16 really, sha512 from sha256 adds nothing in this configuration
There was a problem hiding this comment.
Actually there is significant difference between sha and crc in this context, although I admit that with the sha256 vs sha512 not so much, without signature verification.
But, because there is always one, user may have hardware accelerator that only supports sha512 calculation, which is often the case with hardware with ed25519 accelerators, as the sha512 is the sha of choice for that signature.
Such hardware will often not have the sha256, so, even if ed25519 is not used in the end, the hashing of image will be faster when sha512 is used.
There was a problem hiding this comment.
But that's the point, this is only used either for development where you want nil security or whereby you have a project that has nil security, it doesn't really have any real world use for a product, so even if it is slower, that doesn't matter, this is working fine on an nrf51 which is a cortex m0 from over a decade ago, I don't see the speed of verifying this ever being a problem for it's intended purposes, especially on more modern architectures. Plus it has absolutely no support in MCUmgr tools
There was a problem hiding this comment.
imgtool support is here: #2048, it is based on older version of this PR.
MCUmgr support could be added at some point, and it could also use the sha512 coprocessor on devices that have it.
Crypto engines often have better power characteristics than doing the same hashing on CPU, and the reduction of time may be significant.
In my experimentation with 32kB image, I had following results:
- by chunks with read to mem by flash_read - 5 to 6ms
- by chunks, but with direct access to storage, crypto engine doing the DMA - 3ms
- by whole image at once, crypto doing DMA - 0ms
I probably should repeat the experiment with ticks or some smaller units, but this already show improvement.
Of course, we can restrict usage of sha512 to ed25519 kinda prehashing, but still we will have sha512 TLV added.
There was a problem hiding this comment.
Yes, sha512 TLV support is fine but to me no signature mode is just for development or "I don't care about security" and a few extra ms speed there is not of concern, it should be limited to sha256, then use sha512 when using a signature that needs it. The sha256 is baseline "no thrills" and everything else is good security
There was a problem hiding this comment.
Fine, I will move the line to some limbo PR.
de-nordic
force-pushed
the
mb-psa-patch
branch
6 times, most recently
from
1a3a943 to
f75fb90
Compare
| @@ -131,7 +138,6 @@ static inline int bootutil_sha_drop(bootutil_sha_context *ctx) | |||
| (void)ctx; | |||
| return 0; | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
unrelated? Can we add it back?
boot/zephyr/Kconfig
Outdated
| # Hidden option | ||
| help | ||
| Use PSA crypt for supporting cryptography functions |
There was a problem hiding this comment.
Use same style as below e.g.
help
Hidden option set if using PSA crypt for cryptography functionality
boot/zephyr/Kconfig
Outdated
| Hidden option to set by configurations that allow SHA256 | ||
|
|
||
| config BOOT_IMG_HASH_ALG_SHA384_ALLOW | ||
| bool | ||
| help | ||
| Hidden option to set by configurations that allow SHA384 | ||
|
|
||
| config BOOT_IMG_HASH_ALG_SHA512_ALLOW | ||
| bool | ||
| depends on BOOT_USE_PSA_CRYPTO | ||
| help | ||
| Hidden option to set by configurations that allow SHA512 |
adds TLV and Kconfig to decouple verification from other options. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]>
de-nordic
force-pushed
the
mb-psa-patch
branch
from
f75fb90 to
ea7d667
Compare
adds TLV and Kconfig to decouple verification from other options. Upstream PR: mcu-tools/mcuboot#1967 Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]>
|
Do we want this or #2048? |
adds TLV and Kconfig to decouple verification from other options. Upstream PR: mcu-tools#1967 Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]>
adds TLV and Kconfig to decouple verification from other options.