diff --git a/doc/releases/migration-guide-3.7.rst b/doc/releases/migration-guide-3.7.rst index 4d40baa6f4e..a9f6515161c 100644 --- a/doc/releases/migration-guide-3.7.rst +++ b/doc/releases/migration-guide-3.7.rst @@ -96,6 +96,14 @@ MbedTLS MCUboot ======= +Trusted Firmware-M +================== + +* The default MCUboot signature type has been changed from RSA-3072 to EC-P256. + This affects builds that have MCUboot enabled in TF-M (:kconfig:option:`CONFIG_TFM_BL2`). + If you wish to keep using RSA-3072, you need to set :kconfig:option:`CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE` + to `"RSA-3072"`. Otherwise, make sure to have your own signing keys of the signature type in use. + zcbor ===== diff --git a/doc/releases/release-notes-3.7.rst b/doc/releases/release-notes-3.7.rst index 32c52d19fa3..fb33ab25702 100644 --- a/doc/releases/release-notes-3.7.rst +++ b/doc/releases/release-notes-3.7.rst @@ -427,6 +427,10 @@ Trusted Firmware-M * TF-M was updated to 2.1.0. Release notes can be found at: https://tf-m-user-guide.trustedfirmware.org/releases/2.1.0.html +* Support for MCUboot signature types other than RSA-3072 has been added. + The type can be chosen with the :kconfig:option:`CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE` Kconfig option. + Using EC-P256, the new default, reduces flash usage by several KBs compared to RSA. + zcbor ***** diff --git a/modules/trusted-firmware-m/CMakeLists.txt b/modules/trusted-firmware-m/CMakeLists.txt index 0824a758902..b3d836490d6 100644 --- a/modules/trusted-firmware-m/CMakeLists.txt +++ b/modules/trusted-firmware-m/CMakeLists.txt 
@@ -35,6 +35,25 @@ if (CONFIG_BUILD_WITH_TFM)
 list(APPEND TFM_CMAKE_ARGS -DBL2=TRUE)
 list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_IMAGE_VERSION_S=${CONFIG_TFM_IMAGE_VERSION_S})
 list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_IMAGE_VERSION_NS=${CONFIG_TFM_IMAGE_VERSION_NS})
+ list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_SIGNATURE_TYPE=${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE})
+
+ # TF-M's config/check_config.cmake requires MCUBOOT_BUILTIN_KEY=OFF for RSA
+ # and MCUBOOT_USE_PSA_CRYPTO for EC-P. The others are dependencies needed
+ # for either the build or the boot to succeed.
+ if (${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE} MATCHES "^RSA")
+ list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_BUILTIN_KEY=OFF)
+ list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_HW_KEY=ON)
+ elseif (${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE} MATCHES "^EC-P")
+ list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_USE_PSA_CRYPTO=ON)
+ list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_BUILTIN_KEY=ON)
+ list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_HW_KEY=OFF)
+ endif()
+
+ foreach(SUFFIX IN ITEMS "S" "NS")
+ string(CONFIGURE ${CONFIG_TFM_KEY_FILE_${SUFFIX}} CONFIG_TFM_KEY_FILE_${SUFFIX})
+ list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_KEY_${SUFFIX}=${CONFIG_TFM_KEY_FILE_${SUFFIX}})
+ endforeach()
+
 else()
 list(APPEND TFM_CMAKE_ARGS -DBL2=FALSE)
 endif()
diff --git a/modules/trusted-firmware-m/Kconfig.tfm b/modules/trusted-firmware-m/Kconfig.tfm
index 3f3fbfff161..5e8511947cf 100644
--- a/modules/trusted-firmware-m/Kconfig.tfm
+++ b/modules/trusted-firmware-m/Kconfig.tfm
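Review bot: The `if`/`elseif` on CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE has no `else()` branch, so a value that matches neither `^RSA` nor `^EC-P` (for instance a typo in the free-form Kconfig string) is still forwarded as MCUBOOT_SIGNATURE_TYPE with none of the key-handling flags set. Failing at configure time keeps the error next to its cause instead of relying on TF-M's check_config.cmake to catch it later: add `else()` followed by `message(FATAL_ERROR "Unsupported CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE: ${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}")` before the `endif()`. The expansion should also be quoted, `if ("${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}" MATCHES "^RSA")`, because an empty value turns the unquoted form into a malformed `if()`. The enclosing `if` block whose `else()` closes this hunk starts outside the visible lines.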
@@ -53,27 +53,8 @@ menuconfig BUILD_WITH_TFM if BUILD_WITH_TFM -config TFM_KEY_FILE_S - string "Path to private key used to sign secure firmware images." - depends on BUILD_WITH_TFM - default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-RSA-3072.pem" - help - The path and filename for the .pem file containing the private key - that should be used by the BL2 bootloader when signing secure - firmware images. - -config TFM_KEY_FILE_NS - string "Path to private key used to sign non-secure firmware images." - depends on BUILD_WITH_TFM - default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-RSA-3072_1.pem" - help - The path and filename for the .pem file containing the private key - that should be used by the BL2 bootloader when signing non-secure - firmware images. - config TFM_PROFILE string - depends on BUILD_WITH_TFM default "profile_small" if TFM_PROFILE_TYPE_SMALL default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM default "profile_medium_arotless" if TFM_PROFILE_TYPE_AROTLESS @@ -85,7 +66,6 @@ config TFM_PROFILE choice TFM_PROFILE_TYPE prompt "TF-M build profile" - depends on BUILD_WITH_TFM default TFM_PROFILE_TYPE_NOT_SET help The TF-M build profile selection. Can be empty (not set), @@ -134,7 +114,6 @@ endchoice config TFM_ISOLATION_LEVEL int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC) range 1 3 - depends on BUILD_WITH_TFM default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC default 2 if TFM_PROFILE_TYPE_MEDIUM default 3 if TFM_PROFILE_TYPE_LARGE 
@@ -259,6 +238,28 @@ config TFM_CONNECTION_BASED_SERVICE_API if TFM_BL2 +config TFM_MCUBOOT_SIGNATURE_TYPE + string "The signature type used to sign the secure and non-secure firmware images." + default "EC-P256" + help + Available types: RSA-2048, RSA-3072, EC-P256, EC-P384. + +config TFM_KEY_FILE_S + string "Path to private key used to sign secure firmware images." + default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}.pem" + help + The path and filename for the .pem file containing the private key + that should be used by the BL2 bootloader when signing secure + firmware images. + +config TFM_KEY_FILE_NS + string "Path to private key used to sign non-secure firmware images." + default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}_1.pem" + help + The path and filename for the .pem file containing the private key + that should be used by the BL2 bootloader when signing non-secure + firmware images. + config TFM_MCUBOOT_IMAGE_NUMBER int "Granularity of FW updates of TFM and app" range 1 2
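Review bot: The help text for TFM_KEY_FILE_S and TFM_KEY_FILE_NS does not say that the default points at a key file inside the TF-M module tree (`bl2/ext/mcuboot/root-<type>.pem`), which is presumably the sample key distributed with TF-M and therefore available to anyone who has the source. An image signed with that key would verify on every device built with the same default, so the help should state that the default is for development only, e.g. `The default is the sample key shipped with TF-M; replace it with your own key for production builds.` Separately, TFM_MCUBOOT_SIGNATURE_TYPE is a free-form `string` whose valid values are listed only in the help text; a `choice` would reject a mistyped value in Kconfig instead of yielding a default key path to a file that does not exist.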