storage/flash_map: Add option to use MBEDTLS for img integrity check.
Add option to use MBEDTLS library to perform the flash area integrity check. Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
This commit is contained in:
Yong Cong Sin
Christopher Friedt
parent
a612fbd1dc
commit
113c6f249e
5 changed files with 90 additions and 5 deletions
|
|
@ -5,3 +5,7 @@ zephyr_sources_ifndef(CONFIG_FLASH_MAP_CUSTOM flash_map_default.c)
|
||||||
zephyr_sources_ifdef(CONFIG_FLASH_MAP_SHELL flash_map_shell.c)
|
zephyr_sources_ifdef(CONFIG_FLASH_MAP_SHELL flash_map_shell.c)
|
||||||
zephyr_sources_ifdef(CONFIG_FLASH_PAGE_LAYOUT flash_map_layout.c)
|
zephyr_sources_ifdef(CONFIG_FLASH_PAGE_LAYOUT flash_map_layout.c)
|
||||||
zephyr_sources_ifdef(CONFIG_FLASH_AREA_CHECK_INTEGRITY flash_map_integrity.c)
|
zephyr_sources_ifdef(CONFIG_FLASH_AREA_CHECK_INTEGRITY flash_map_integrity.c)
|
||||||
|
|
||||||
|
if(CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS)
|
||||||
|
zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
|
||||||
|
endif()
|
||||||
|
|
|
||||||
|
|
@ -30,10 +30,32 @@ config FLASH_MAP_CUSTOM
|
||||||
|
|
||||||
config FLASH_AREA_CHECK_INTEGRITY
|
config FLASH_AREA_CHECK_INTEGRITY
|
||||||
bool "Enable flash check functions"
|
bool "Enable flash check functions"
|
||||||
select TINYCRYPT
|
|
||||||
select TINYCRYPT_SHA256
|
|
||||||
help
|
help
|
||||||
If enabled, there will be available the backend to check flash
|
If enabled, there will be available the backend to check flash
|
||||||
integrity using SHA-256 verification algorithm.
|
integrity using SHA-256 verification algorithm.
|
||||||
|
|
||||||
|
if FLASH_AREA_CHECK_INTEGRITY
|
||||||
|
choice
|
||||||
|
prompt "Crypto backend for the flash check functions"
|
||||||
|
default FLASH_AREA_CHECK_INTEGRITY_TC
|
||||||
|
|
||||||
|
config FLASH_AREA_CHECK_INTEGRITY_TC
|
||||||
|
bool "Use TinyCrypt"
|
||||||
|
select TINYCRYPT
|
||||||
|
select TINYCRYPT_SHA256
|
||||||
|
help
|
||||||
|
Use TinyCrypt library to perform the integrity check.
|
||||||
|
|
||||||
|
config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS
|
||||||
|
bool "Use MBEDTLS"
|
||||||
|
select MBEDTLS
|
||||||
|
select MBEDTLS_MD
|
||||||
|
select MBEDTLS_MAC_SHA256_ENABLED
|
||||||
|
select MBEDTLS_ENABLE_HEAP
|
||||||
|
help
|
||||||
|
Use MBEDTLS library to perform the integrity check.
|
||||||
|
|
||||||
|
endchoice
|
||||||
|
endif
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
|
||||||
|
|
@ -17,15 +17,27 @@
|
||||||
#include <soc.h>
|
#include <soc.h>
|
||||||
#include <init.h>
|
#include <init.h>
|
||||||
|
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY)
|
||||||
|
#define SHA256_DIGEST_SIZE 32
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC)
|
||||||
#include <tinycrypt/constants.h>
|
#include <tinycrypt/constants.h>
|
||||||
#include <tinycrypt/sha256.h>
|
#include <tinycrypt/sha256.h>
|
||||||
|
#else
|
||||||
|
#include <mbedtls/md.h>
|
||||||
|
#endif
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
#endif /* CONFIG_FLASH_AREA_CHECK_INTEGRITY */
|
||||||
|
|
||||||
int flash_area_check_int_sha256(const struct flash_area *fa,
|
int flash_area_check_int_sha256(const struct flash_area *fa,
|
||||||
const struct flash_area_check *fac)
|
const struct flash_area_check *fac)
|
||||||
{
|
{
|
||||||
unsigned char hash[TC_SHA256_DIGEST_SIZE];
|
unsigned char hash[SHA256_DIGEST_SIZE];
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC)
|
||||||
struct tc_sha256_state_struct sha;
|
struct tc_sha256_state_struct sha;
|
||||||
|
#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
|
||||||
|
mbedtls_md_context_t mbed_hash_ctx;
|
||||||
|
const mbedtls_md_info_t *mbed_hash_info;
|
||||||
|
#endif
|
||||||
const struct device *dev;
|
const struct device *dev;
|
||||||
int to_read;
|
int to_read;
|
||||||
int pos;
|
int pos;
|
||||||
|
|
@ -40,9 +52,24 @@ int flash_area_check_int_sha256(const struct flash_area *fa,
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC)
|
||||||
if (tc_sha256_init(&sha) != TC_CRYPTO_SUCCESS) {
|
if (tc_sha256_init(&sha) != TC_CRYPTO_SUCCESS) {
|
||||||
return -ESRCH;
|
return -ESRCH;
|
||||||
}
|
}
|
||||||
|
#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
|
||||||
|
mbed_hash_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
|
||||||
|
|
||||||
|
mbedtls_md_init(&mbed_hash_ctx);
|
||||||
|
|
||||||
|
if (mbedtls_md_setup(&mbed_hash_ctx, mbed_hash_info, 0) != 0) {
|
||||||
|
return -ESRCH;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mbedtls_md_starts(&mbed_hash_ctx)) {
|
||||||
|
rc = -ESRCH;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
dev = device_get_binding(fa->fa_dev_name);
|
dev = device_get_binding(fa->fa_dev_name);
|
||||||
to_read = fac->rblen;
|
to_read = fac->rblen;
|
||||||
|
|
@ -55,23 +82,50 @@ int flash_area_check_int_sha256(const struct flash_area *fa,
|
||||||
rc = flash_read(dev, (fa->fa_off + fac->off + pos),
|
rc = flash_read(dev, (fa->fa_off + fac->off + pos),
|
||||||
fac->rbuf, to_read);
|
fac->rbuf, to_read);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC)
|
||||||
return rc;
|
return rc;
|
||||||
|
#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
|
||||||
|
goto error;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC)
|
||||||
if (tc_sha256_update(&sha,
|
if (tc_sha256_update(&sha,
|
||||||
fac->rbuf,
|
fac->rbuf,
|
||||||
to_read) != TC_CRYPTO_SUCCESS) {
|
to_read) != TC_CRYPTO_SUCCESS) {
|
||||||
return -ESRCH;
|
return -ESRCH;
|
||||||
}
|
}
|
||||||
|
#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
|
||||||
|
if (mbedtls_md_update(&mbed_hash_ctx, fac->rbuf, to_read) != 0) {
|
||||||
|
rc = -ESRCH;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC)
|
||||||
if (tc_sha256_final(hash, &sha) != TC_CRYPTO_SUCCESS) {
|
if (tc_sha256_final(hash, &sha) != TC_CRYPTO_SUCCESS) {
|
||||||
return -ESRCH;
|
return -ESRCH;
|
||||||
}
|
}
|
||||||
|
#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
|
||||||
|
if (mbedtls_md_finish(&mbed_hash_ctx, hash) != 0) {
|
||||||
|
rc = -ESRCH;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (memcmp(hash, fac->match, TC_SHA256_DIGEST_SIZE)) {
|
if (memcmp(hash, fac->match, SHA256_DIGEST_SIZE)) {
|
||||||
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC)
|
||||||
return -EILSEQ;
|
return -EILSEQ;
|
||||||
|
#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
|
||||||
|
rc = -EILSEQ;
|
||||||
|
goto error;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS)
|
||||||
|
error:
|
||||||
|
mbedtls_md_free(&mbed_hash_ctx);
|
||||||
|
#endif
|
||||||
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
1
tests/subsys/storage/flash_map/overlay-mbedtls.conf
Normal file
1
tests/subsys/storage/flash_map/overlay-mbedtls.conf
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS=y
|
||||||
|
|
@ -7,3 +7,7 @@ tests:
|
||||||
platform_allow: nrf52840dk_nrf52840 nrf52dk_nrf52832 frdm_k64f hexiwear_k64
|
platform_allow: nrf52840dk_nrf52840 nrf52dk_nrf52832 frdm_k64f hexiwear_k64
|
||||||
twr_ke18f
|
twr_ke18f
|
||||||
tags: flash_map
|
tags: flash_map
|
||||||
|
storage.flash_map.mbedtls:
|
||||||
|
extra_args: OVERLAY_CONFIG=overlay-mbedtls.conf
|
||||||
|
platform_allow: nrf51dk_nrf51422 qemu_x86 native_posix native_posix_64
|
||||||
|
tags: flash_map
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue