Add support for multiple same-type signatures with key ID parsing #2305
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
davidvincze
reviewed
May 21, 2025
| @@ -450,7 +464,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, | |||
| dependencies, load_addr, hex_addr, erased_val, save_enctlv, | |||
| security_counter, boot_record, custom_tlv, rom_fixed, max_align, | |||
| clear, fix_sig, fix_sig_pubkey, sig_out, user_sha, is_pure, | |||
| vector_to_sign, non_bootable): | |||
| vector_to_sign, non_bootable, psa_key_ids): | |||
There was a problem hiding this comment.
It should be passed to the Image constructor in line 473.
Currently it's only initialized to None which is then used by the create method.
There was a problem hiding this comment.
I have updated so that psa_key_ids is applied to the image using the set function in the new PS.
davidvincze
added
area: core
maulik-arm
force-pushed
the
feat/multi-sig-same-type
branch
from
6ce6e96 to
e0027a2
Compare
RcColes
suggested changes
Jun 3, 2025
maulik-arm
force-pushed
the
feat/multi-sig-same-type
branch
from
e0027a2 to
8301988
Compare
When MCUBOOT_BUILTIN_KEY is enabled, the key id TLV entry is added to the image. Parse this entry while validating the image to identify the key used to sign the image. This enables future support for scenarios such as multiple built-in keys or multi-signature. Signed-off-by: Maulik Patel <[email protected]> Change-Id: Ibe26bc2b09e63350f4214719606a5aa4bc1be93c
This patch adds support for multiple signatures to single image. This is useful for scenarios where multiple keys are used to sign images, allowing for greater flexibility and security in the image verification process. The tool command line interface is extended to support multiple signatures. The imgtool test suite is updated to test the new functionality. Change-Id: I285b426671f6ad76472f0a2f8fb3a330f8882c3d Signed-off-by: Maulik Patel <[email protected]>
maulik-arm
force-pushed
the
feat/multi-sig-same-type
branch
from
8301988 to
9322025
Compare
Anton-TF
reviewed
Jun 10, 2025
This commit adds functionality to the bootutil library to support multiple sign verfication of same type when 'MCUBOOT_BUILTIN_KEY' or 'MCUBOOT_HW_KEY' is enabled. The image_validate.c file is refactored such that: * bootutil_find_key() find the key is moved to a new file bootutil_find_key.c. * bootutil_image_hash() is moved to a new file bootutil_image_hash.c. * bootutil_img_security_cnt() is moved to a new file bootutil_img_security_cnt.c. This allows common validation code to be reused for multiple signatures. All code specific to multi sign is under the option 'MCUBOOT_IMAGE_MULTI_SIG_SUPPORT'. Furthermore, key id type is updated to uint32_t as per PSA crypto spec. Signed-off-by: Maulik Patel <[email protected]> Change-Id: I05c97ac385c5816c812c51feb010028df8412fe5
Since the key id concept in the PSA specific, rename the variables accordingly. Signed-off-by: Maulik Patel <[email protected]> Change-Id: I8a8a5ceba5554211f185cc4045a6081b6d407507
maulik-arm
force-pushed
the
feat/multi-sig-same-type
branch
from
9322025 to
291cf66
Compare
openci-bot
pushed a commit
to TrustedFirmware-M/trusted-firmware-m
that referenced
this pull request
Jun 19, 2025
Until the PR mcu-tools/mcuboot#2305 is merged, apply the added patches to support multiple signatures in mcuboot. Signed-off-by: Maulik Patel <[email protected]> Change-Id: Id8e62b7f332611858508bd445fab99fd7c0259ab
openci-bot
pushed a commit
to TrustedFirmware-M/trusted-firmware-m
that referenced
this pull request
Jun 19, 2025
By default MCUBOOT_IMAGE_MULTI_SIG_SUPPORT is set to OFF, maintaining the existing single-signature behavior. When enabled, RSE secure image is also signed with additional ROTPK key. And both the signaures are verified during boot. This patch works with changes to mcuboot for multi-signature support (PR: mcu-tools/mcuboot#2305) Signed-off-by: Maulik Patel <[email protected]> Change-Id: Ic72d1dcfa3f3ada6c4d275281122f6d919a2d8e1
davidvincze
reviewed
Jun 19, 2025
Comment on lines
+55
to
+58
| key_id = (((uint32_t)key_id_buf[0] << 24) | | ||
| ((uint32_t)key_id_buf[1] << 16) | | ||
| ((uint32_t)key_id_buf[2] << 8) | | ||
| ((uint32_t)key_id_buf[3])); |
There was a problem hiding this comment.
As I saw the key ID is now added with the set endianness (not hardcoded big). In this case this reordering is not required anymore, right? Thanks!
| @@ -0,0 +1,193 @@ | |||
| /* | |||
There was a problem hiding this comment.
Could you please rename the file to bootutil_img_hash.c?
This naming better aligns with other files, please update the CMake file(s) as well.
| @@ -33,9 +35,24 @@ target_sources(bootutil | |||
| src/swap_scratch.c | |||
| src/tlv.c | |||
| ) | |||
|
|
|||
| if(MCUBOOT_HW_ROLLBACK_PROT) | |||
There was a problem hiding this comment.
MCUboot is configured through the mcuboot_config/mcuboot_config.h file, it has no effect on the CMake system. Please include all files unconditionally in the target_sources for bootutil.
Comment on lines
+53
to
+57
| target_compile_definitions(bootutil | ||
| PRIVATE | ||
| $<$<BOOL:${MCUBOOT_IMAGE_MULTI_SIG_SUPPORT}>:MCUBOOT_IMAGE_MULTI_SIG_SUPPORT> | ||
| $<$<BOOL:${MCUBOOT_IMAGE_MULTI_SIG_SUPPORT}>:MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE=${MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE}> | ||
| ) |
There was a problem hiding this comment.
Please use the mcuboot_config.h here as well:
- Update the
samples/mcuboot_config/mcuboot_config.template.hfile describing this new option, - Update the config file (which is part of the porting layer - provided by the "target OS"), for TF-M it should be: https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m.git/+/refs/heads/main/bl2/ext/mcuboot/include/mcuboot_config/mcuboot_config.h.in (which can be configured from CMake).
| @@ -38,7 +38,7 @@ | |||
| #if !defined(MCUBOOT_BUILTIN_KEY) | |||
| fih_ret | |||
| bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, | |||
| uint8_t key_id) | |||
| uint32_t key_id) | |||
There was a problem hiding this comment.
Please also update: boot/bootutil/src/image_ed25519.c:141.
| #include "bootutil/crypto/sha.h" | ||
| #include "bootutil/fault_injection_hardening.h" | ||
| #include "bootutil/image.h" | ||
| #include "bootutil/sign_key.h" |
There was a problem hiding this comment.
As I see this include is not needed.
Suggested change
| #include "bootutil/sign_key.h" |
| */ | ||
|
|
||
| #include <stdint.h> | ||
| #include <flash_map_backend/flash_map_backend.h> |
There was a problem hiding this comment.
As I see this include is not needed.
Suggested change
| #include <flash_map_backend/flash_map_backend.h> |
| @@ -671,6 +389,15 @@ bootutil_img_validate(struct boot_loader_state *state, | |||
| #ifndef MCUBOOT_SIGN_PURE | |||
| FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash), | |||
| buf, len, key_id); | |||
| #ifdef MCUBOOT_IMAGE_MULTI_SIG_SUPPORT | |||
| rc = boot_plat_check_key_policy((valid_signature == 0), key_id, | |||
There was a problem hiding this comment.
Please add its declaration to boot/bootutil/include/bootutil/sign_key.h with some documentation.
| if (FIH_NOT_EQ(key_must_sign, true) || FIH_NOT_EQ(key_might_sign, true)) { | ||
| FIH_RET(FIH_FAILURE); | ||
| } else { | ||
| FIH_RET(FIH_SUCCESS); |
There was a problem hiding this comment.
By returning here we are skipping the security_counter_valid check in line 478.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for signing and verifying images with multiple signatures of the same type (e.g., multiple EC256 signatures), enhancing flexibility in secure boot scenarios. It also introduces Key ID TLV parsing to enable the bootloader to select the correct key from a set of built-in keys.
Motivation
Previously, MCUboot only allowed a single signature per image per signature type. This limited use cases where multiple stakeholders need to sign the same image or when fallback keys are required.
This PR removes that limitation by allowing multiple signatures of the same type.
Use Cases
Changes Included
1. bootutil: Parse key ID TLV for built-in keys
MCUBOOT_BUILTIN_KEYis enabled.2. imgtool: Add support for multiple signatures and key ID TLVs
--keyarguments.3. bootutil: Add support for verifying multiple same-type signatures
MCUBOOT_BUILTIN_KEYorMCUBOOT_HW_KEYis enabled, the key ID is used to select the appropriate key for verification.Notes