From a314875c791c2ed5e20630f7b7850f4961dd138c Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Fri, 1 Mar 2024 15:22:27 +0100 Subject: [PATCH] Added support for SIGN=ECC521 --- .../test-renode-fastmath-smallstack.yml | 3 ++ .github/workflows/test-renode-fastmath.yml | 4 +++ .../test-renode-noasm-smallstack.yml | 3 ++ .github/workflows/test-renode-noasm.yml | 3 ++ .github/workflows/test-renode-nrf52.yml | 4 +++ .github/workflows/test-renode-sha3.yml | 3 ++ .github/workflows/test-renode-sha384.yml | 3 ++ .github/workflows/test-renode-smallstack.yml | 4 +++ include/wolfboot/wolfboot.h | 5 +-- options.mk | 4 +-- src/xmalloc.c | 33 ++++++++++++++++--- tools/test-renode.mk | 22 +++++++++++-- 12 files changed, 81 insertions(+), 10 deletions(-) diff --git a/.github/workflows/test-renode-fastmath-smallstack.yml b/.github/workflows/test-renode-fastmath-smallstack.yml index 2d5f68369..715ff84a1 100644 --- a/.github/workflows/test-renode-fastmath-smallstack.yml +++ b/.github/workflows/test-renode-fastmath-smallstack.yml @@ -31,6 +31,9 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384 WOLFBOOT_SMALL_STACK=1 SPMATH=0" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521 WOLFBOOT_SMALL_STACK=1 SPMATH=0" # RSA2048 TEST - name: Renode Tests RSA2048 diff --git a/.github/workflows/test-renode-fastmath.yml b/.github/workflows/test-renode-fastmath.yml index 6b31f07a9..838a45729 100644 --- a/.github/workflows/test-renode-fastmath.yml +++ b/.github/workflows/test-renode-fastmath.yml @@ -30,6 +30,10 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384 SPMATH=0" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521 SPMATH=0" + # RSA2048 TEST - name: Renode Tests RSA2048 diff --git a/.github/workflows/test-renode-noasm-smallstack.yml b/.github/workflows/test-renode-noasm-smallstack.yml index 4e3a3fad2..eddc69172 100644 --- a/.github/workflows/test-renode-noasm-smallstack.yml +++ b/.github/workflows/test-renode-noasm-smallstack.yml @@ -31,6 +31,9 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521 WOLFBOOT_SMALL_STACK=1 NO_ASM=1" # RSA2048 TEST - name: Renode Tests RSA2048 diff --git a/.github/workflows/test-renode-noasm.yml b/.github/workflows/test-renode-noasm.yml index 0b072a539..1323da486 100644 --- a/.github/workflows/test-renode-noasm.yml +++ b/.github/workflows/test-renode-noasm.yml @@ -30,6 +30,9 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384 NO_ASM=1" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521 NO_ASM=1" # ED25519 TEST - name: Renode Tests ED25519 diff --git a/.github/workflows/test-renode-nrf52.yml b/.github/workflows/test-renode-nrf52.yml index 7e562f7f1..1759e2ad5 100644 --- a/.github/workflows/test-renode-nrf52.yml +++ b/.github/workflows/test-renode-nrf52.yml @@ -34,6 +34,10 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521" + # ED25519 TEST - name: Renode Tests ED25519 run: ./tools/renode/docker-test.sh "SIGN=ED25519" diff --git a/.github/workflows/test-renode-sha3.yml b/.github/workflows/test-renode-sha3.yml index 05292874c..9ae8e301f 100644 --- a/.github/workflows/test-renode-sha3.yml +++ b/.github/workflows/test-renode-sha3.yml @@ -34,6 +34,9 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384 HASH=SHA3" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521 HASH=SHA3" # ED25519 TEST - name: Renode Tests ED25519 diff --git a/.github/workflows/test-renode-sha384.yml b/.github/workflows/test-renode-sha384.yml index 2d7cde579..75488efc9 100644 --- a/.github/workflows/test-renode-sha384.yml +++ b/.github/workflows/test-renode-sha384.yml @@ -33,6 +33,9 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384 HASH=SHA384" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521 HASH=SHA521" # ED25519 TEST - name: Renode Tests ED25519 diff --git a/.github/workflows/test-renode-smallstack.yml b/.github/workflows/test-renode-smallstack.yml index 11ad29c6a..e83027500 100644 --- a/.github/workflows/test-renode-smallstack.yml +++ b/.github/workflows/test-renode-smallstack.yml @@ -35,6 +35,10 @@ jobs: - name: Renode Tests ECC384 run: ./tools/renode/docker-test.sh "SIGN=ECC384 WOLFBOOT_SMALL_STACK=1" +# ECC521 TEST + - name: Renode Tests ECC521 + run: ./tools/renode/docker-test.sh "SIGN=ECC521 WOLFBOOT_SMALL_STACK=1" + # ED25519 TEST - name: Renode Tests ED25519 diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 20d48ab0e..ccdc0da85 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -203,8 +203,9 @@ extern "C" { # endif #elif defined(WOLFBOOT_SIGN_ECC521) # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_ECC521 - # error "ECC521 curves not yet supported in this version of wolfBoot. " \ - "Please select a valid SIGN= option." + # ifndef WOLFBOOT_UNIVERSAL_KEYSTORE + # define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ECC521 + # endif #elif defined(WOLFBOOT_SIGN_RSA2048) # define HDR_IMG_TYPE_AUTH HDR_IMG_TYPE_AUTH_RSA2048 # ifndef WOLFBOOT_UNIVERSAL_KEYSTORE diff --git a/options.mk b/options.mk index f7aaea0c4..5b1bcefd3 100644 --- a/options.mk +++ b/options.mk @@ -138,9 +138,9 @@ ifeq ($(SIGN),ECC521) STACK_USAGE=6680 else ifneq ($(SPMATH),1) - STACK_USAGE=7352 + STACK_USAGE=11256 else - STACK_USAGE=3896 + STACK_USAGE=8288 endif endif endif diff --git a/src/xmalloc.c b/src/xmalloc.c index 90cf72b18..b570e6325 100644 --- a/src/xmalloc.c +++ b/src/xmalloc.c @@ -63,7 +63,7 @@ struct xmalloc_slot { # error "No hash mechanism selected." #endif -#if defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384) +#if defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384) || defined(WOLFBOOT_SIGN_ECC521) #ifndef USE_FAST_MATH /* SP MATH */ @@ -98,6 +98,22 @@ struct xmalloc_slot { #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 12) #endif #endif /* WOLFBOOT_SIGN_ECC384 */ + #ifdef WOLFBOOT_SIGN_ECC521 + #define MP_SCHEME "SP ECC521" + #define MP_CURVE_SPECS_SIZE (148) + #ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM + #define MP_POINT_SIZE (412) + #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 17) + #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 17 * 6) + #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 12) + #else + #define MP_POINT_SIZE (508) + #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 21) + #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (4 * 21 + 3)) + #define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 21 * 6)) + #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 12) + #endif + #endif /* WOLFBOOT_SIGN_ECC521 */ #ifndef WC_NO_CACHE_RESISTANT static uint8_t mp_points_3[MP_POINT_SIZE]; #endif @@ -106,10 +122,10 @@ struct xmalloc_slot { static uint8_t mp_points_2[MP_POINT_SIZE * (16 + 1)]; static uint8_t mp_digits_buffer_0[MP_DIGITS_BUFFER_SIZE_0]; static uint8_t mp_digits_buffer_1[MP_DIGITS_BUFFER_SIZE_1]; - #if !defined(WOLFSSL_SP_ARM_CORTEX_M_ASM) && (defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384)) + #if !defined(WOLFSSL_SP_ARM_CORTEX_M_ASM) && (defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384) || defined(WOLFBOOT_SIGN_ECC521)) static uint8_t mp_digits_buffer_2[MP_DIGITS_BUFFER_SIZE_2]; static uint8_t mp_montgomery[MP_MONTGOMERY_SIZE]; - #elif defined(WOLFBOOT_SIGN_ECC384) + #elif defined(WOLFBOOT_SIGN_ECC384) || defined (WOLFBOOT_SIGN_ECC521) static uint8_t mp_montgomery[MP_MONTGOMERY_SIZE]; #endif #else @@ -132,6 +148,15 @@ struct xmalloc_slot { #define MP_INT_BUFFER_SIZE_1 (MP_INT_TYPE_SIZE * 6) #define MP_DIGIT_BUFFER_MONT_SIZE (sizeof(fp_digit)*(FP_SIZE + 1)) #endif + #ifdef WOLFBOOT_SIGN_ECC521 + #define MP_SCHEME "TFM ECC521" + #define MP_CURVE_SPECS_SIZE (MP_INT_TYPE_SIZE) + #define MP_CURVE_FIELD_COUNT_SIZE (380) + #define ECC_POINT_SIZE (516) + #define MP_INT_BUFFER_SIZE (MP_INT_TYPE_SIZE * 5) + #define MP_INT_BUFFER_SIZE_1 (MP_INT_TYPE_SIZE * 6) + #define MP_DIGIT_BUFFER_MONT_SIZE (sizeof(fp_digit)*(FP_SIZE + 1)) + #endif static uint8_t mp_curve_field_count[MP_CURVE_FIELD_COUNT_SIZE]; static uint8_t mp_int_v[MP_INT_TYPE_SIZE]; @@ -170,7 +195,7 @@ static struct xmalloc_slot xmalloc_pool[] = { { (uint8_t *)mp_points_0, MP_POINT_SIZE * 2, 0 }, #ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM { (uint8_t *)mp_points_1, MP_POINT_SIZE * 2, 0 }, - #ifdef WOLFBOOT_SIGN_ECC384 + #if defined(WOLFBOOT_SIGN_ECC384) || defined(WOLFBOOT_SIGN_ECC521) { (uint8_t *)mp_montgomery, MP_MONTGOMERY_SIZE, 0 }, #endif #else diff --git a/tools/test-renode.mk b/tools/test-renode.mk index bdba179fd..76d31d911 100644 --- a/tools/test-renode.mk +++ b/tools/test-renode.mk @@ -78,8 +78,6 @@ ifeq ($(SIGN),ECC384) SIGN_ARGS+= --ecc384 endif -# Already supported in sign tools, not yet in wolfBoot. -# Currently, a compile-time error is produced if selected. ifeq ($(SIGN),ECC521) SIGN_ARGS+= --ecc521 endif @@ -255,6 +253,9 @@ renode-factory-ecc256: FORCE renode-factory-ecc384: FORCE make renode-factory SIGN=ECC384 +renode-factory-ecc521: FORCE + make renode-factory SIGN=ECC521 + renode-factory-rsa2048: FORCE make renode-factory SIGN=RSA2048 @@ -287,6 +288,8 @@ renode-factory-all: FORCE ${Q}make renode-factory-rsa4096 RENODE_PORT=55162 ${Q}make keysclean ${Q}make renode-factory SIGN=NONE RENODE_PORT=55163 + ${Q}make keysclean + ${Q}make renode-factory-ecc521 RENODE_PORT=55166 ${Q}echo All tests in $@ OK! renode-update-ed25519: FORCE @@ -301,6 +304,9 @@ renode-update-ecc256: FORCE renode-update-ecc384: FORCE make renode-update SIGN=ECC384 +renode-update-ecc521: FORCE + make renode-update SIGN=ECC521 + renode-update-rsa2048: FORCE make renode-update SIGN=RSA2048 @@ -328,6 +334,9 @@ renode-no-downgrade-ecc256: FORCE renode-no-downgrade-ecc384: FORCE make renode-no-downgrade SIGN=ECC384 +renode-no-downgrade-ecc521: FORCE + make renode-no-downgrade SIGN=ECC521 + renode-no-downgrade-rsa2048: FORCE make renode-no-downgrade SIGN=RSA2048 @@ -352,6 +361,9 @@ renode-corrupted-ecc256: FORCE renode-corrupted-ecc384: FORCE make renode-corrupted SIGN=ECC384 +renode-corrupted-ecc521: FORCE + make renode-corrupted SIGN=ECC521 + renode-corrupted-rsa2048: FORCE make renode-corrupted SIGN=RSA2048 @@ -388,6 +400,8 @@ renode-update-all: FORCE ${Q}make renode-update-lms RENODE_PORT=55164 ${Q}make keysclean ${Q}make renode-update-xmss RENODE_PORT=55165 + ${Q}make keysclean + ${Q}make renode-update-ecc521 RENODE_PORT=55166 ${Q}echo All tests in $@ OK! renode-no-downgrade-all: FORCE @@ -411,6 +425,8 @@ renode-no-downgrade-all: FORCE ${Q}make renode-no-downgrade-lms RENODE_PORT=55164 ${Q}make keysclean ${Q}make renode-no-downgrade-xmss RENODE_PORT=55165 + ${Q}make keysclean + ${Q}make renode-no-downgrade-ecc521 RENODE_PORT=55166 ${Q}echo All tests in $@ OK! renode-corrupted-all: FORCE @@ -434,6 +450,8 @@ renode-corrupted-all: FORCE ${Q}make renode-corrupted-lms RENODE_PORT=55164 ${Q}make keysclean ${Q}make renode-corrupted-xmss RENODE_PORT=55165 + ${Q}make keysclean + ${Q}make renode-corrupted-ecc521 RENODE_PORT=55166 ${Q}echo All tests in $@ OK! renode-update-all-armored: FORCE