Skip to content

boot: zephyr: kconfig: add choice for RSA crypto library #140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
valeriosetti wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

boot: zephyr: kconfig: add choice for RSA crypto library #140

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0dabbeb
bootutil: update sha calls to legacy Mbed TLS
valeriosetti Feb 25, 2026
7494d1b
bootutil: remove useless code from bootutil_rsa_parse_public_key()
valeriosetti Feb 25, 2026
ffeadd8
boot: zephyr: kconfig: add choice for RSA crypto library
valeriosetti Feb 24, 2026
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 0 additions & 9 deletions boot/bootutil/include/bootutil/crypto/rsa.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -317,15 +317,6 @@ bootutil_rsa_parse_public_key(bootutil_rsa_context *ctx, uint8_t **p, uint8_t *e
return -4;
}

/* The Mbed TLS version is more than 2.6.1 */
#if MBEDTLS_VERSION_NUMBER > 0x02060100
rc = mbedtls_rsa_import(ctx, &ctx->MBEDTLS_CONTEXT_MEMBER(N), NULL,
NULL, NULL, &ctx->MBEDTLS_CONTEXT_MEMBER(E));
if (rc != 0) {
return -5;
}
#endif

rc = mbedtls_rsa_check_pubkey(ctx);
if (rc != 0) {
return -6;
Expand Down
15 changes: 6 additions & 9 deletions boot/bootutil/include/bootutil/crypto/sha.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,9 +62,6 @@
#endif

#include <mbedtls/version.h>
#if MBEDTLS_VERSION_NUMBER >= 0x03000000
#include <mbedtls/compat-2.x.h>
#endif

#endif /* MCUBOOT_USE_MBED_TLS */

Expand Down Expand Up @@ -144,10 +141,10 @@ static inline int bootutil_sha_init(bootutil_sha_context *ctx)

#ifdef MCUBOOT_SHA512
mbedtls_sha512_init(ctx);
ret = mbedtls_sha512_starts_ret(ctx, 0);
ret = mbedtls_sha512_starts(ctx, 0);
#else
mbedtls_sha256_init(ctx);
ret = mbedtls_sha256_starts_ret(ctx, 0);
ret = mbedtls_sha256_starts(ctx, 0);
#endif

return ret;
Expand All @@ -171,9 +168,9 @@ static inline int bootutil_sha_update(bootutil_sha_context *ctx,
int ret;

#ifdef MCUBOOT_SHA512
ret = mbedtls_sha512_update_ret(ctx, data, data_len);
ret = mbedtls_sha512_update(ctx, data, data_len);
#else
ret = mbedtls_sha256_update_ret(ctx, data, data_len);
ret = mbedtls_sha256_update(ctx, data, data_len);
#endif

return ret;
Expand All @@ -185,9 +182,9 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
int ret;

#ifdef MCUBOOT_SHA512
ret = mbedtls_sha512_finish_ret(ctx, output);
ret = mbedtls_sha512_finish(ctx, output);
#else
ret = mbedtls_sha256_finish_ret(ctx, output);
ret = mbedtls_sha256_finish(ctx, output);
#endif

return ret;
Expand Down
53 changes: 46 additions & 7 deletions boot/zephyr/Kconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,8 @@ config BOOT_ECDSA_PSA_DEPENDENCIES
if MBEDTLS_ENABLE_HEAP

config MBEDTLS_HEAP_SIZE
default 2048 if BOOT_USE_PSA_CRYPTO
default 8192 if BOOT_RSA_PSA
default 2048 if BOOT_ED25519_PSA
help
The PSA internals need to be able to allocate memory for operation
and it uses mbedTLS heap for that.
Expand Down Expand Up @@ -244,13 +245,8 @@ config BOOT_SIGNATURE_TYPE_NONE

config BOOT_SIGNATURE_TYPE_RSA
bool "RSA signatures"
select BOOT_USE_MBEDTLS
select MBEDTLS
select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
select MBEDTLS_MD_C if MBEDTLS_BUILTIN
select MBEDTLS_RSA_C if MBEDTLS_BUILTIN
select MBEDTLS_PKCS1_V15 if MBEDTLS_BUILTIN
select MBEDTLS_PKCS1_V21 if MBEDTLS_BUILTIN
select BOOT_ENCRYPTION_SUPPORT
select BOOT_IMG_HASH_ALG_SHA256_ALLOW
select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
Expand All @@ -260,7 +256,50 @@ config BOOT_SIGNATURE_TYPE_RSA_LEN
int "RSA signature length"
range 2048 3072
default 2048
endif

choice BOOT_RSA_IMPLEMENTATION
prompt "RSA implementation"
# In TF-PSA-Crypto legacy crypto modules are internal and not meant
# to be used by the app. PSA API should be used instead. However this
# is not always possible in MCUboot due to the constrained partition
# size, so we default to using legacy crypto.
default BOOT_RSA_MBEDTLS_4 if MBEDTLS_VERSION_MAJOR >= 4
default BOOT_RSA_MBEDTLS_3

config BOOT_RSA_MBEDTLS_3
bool "Use legacy crypto from Mbed TLS 3.x"
select BOOT_USE_MBEDTLS
select MBEDTLS
select MBEDTLS_RSA_C if MBEDTLS_BUILTIN
select MBEDTLS_PKCS1_V15 if MBEDTLS_BUILTIN
select MBEDTLS_PKCS1_V21 if MBEDTLS_BUILTIN

# This is a mix between BOOT_RSA_MBEDTLS_3 and BOOT_RSA_PSA in the
# sense that we select PSA_WANT but still use legacy crypto under the
# hood to minimize footprint.
config BOOT_RSA_MBEDTLS_4
bool "Use legacy crypto from TF-PSA-Crypto (i.e. Mbed TLS 4.x)"
select BOOT_USE_MBEDTLS
select PSA_CRYPTO
select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
select PSA_WANT_ALG_RSA_PKCKS1_V15
select PSA_WANT_ALG_RSA_PSS
select PSA_WANT_ALG_SHA_256
select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS

config BOOT_RSA_PSA
bool "Use PSA API crypto"
select BOOT_USE_PSA_CRYPTO
select PSA_CRYPTO
select MBEDTLS_ENABLE_HEAP if MBEDTLS_BUILTIN
select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
select PSA_WANT_ALG_RSA_PKCKS1_V15
select PSA_WANT_ALG_RSA_PSS
select PSA_WANT_ALG_SHA_256

endchoice

endif # BOOT_SIGNATURE_TYPE_RSA

config BOOT_SIGNATURE_TYPE_ECDSA_P256
bool "Elliptic curve digital signatures with curve P-256"
Expand Down
Loading