Initial commit

Initial commit.

bootloader/mcuboot/ext/nrf/README.md

@@ -0,0 +1,18 @@
+# Building MCUboot with nRF52840 CC310 enabled
+
+## Prerequisites
+
+Clone [nrfxlib](https://github.com/NordicPlayground/nrfxlib) next to the MCUboot root folder. So that it's located `../nrfxlib` from MCUboot root folder.
+
+## Building
+
+make sure `root-ec-p256.pem` is set as the certificate and that `CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256` is selected not `CONFIG_BOOT_SIGNATURE_TYPE_RSA` in `prj.conf` of `boot/zephyr`.
+Since it defaults to tinycrypt you'll have to go into `menuconfig` and change the implementation selection to `cc310` or also set this in `prj.conf`.
+
+```
+mkdir build && cd build
+cmake -GNinja -DBOARD=nrf52840dk/nrf52840
+ninja flash
+```
+
+Build a hello world example in zephyr and sign it with imgtool.py with the `root-ec-p256.pem` and flash it at `FLASH_AREA_IMAGE_0`.

bootloader/mcuboot/ext/nrf/cc310_glue.c

@@ -0,0 +1,73 @@
+/*
+ *  Copyright Nordic Semiconductor ASA
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "cc310_glue.h"
+
+int cc310_init(void)
+{
+    /* Only initialize once */
+    static bool initialized;
+
+    if (!initialized) {
+        nrf_cc310_enable();
+        if (nrf_cc310_bl_init() != 0) {
+            return -1;
+        }
+        initialized = true;
+        nrf_cc310_disable();
+    }
+
+    return 0;
+}
+
+void cc310_sha256_update(nrf_cc310_bl_hash_context_sha256_t *ctx,
+                         const void *data,
+                         uint32_t data_len)
+{
+    /*
+     * NRF Cryptocell can only read from RAM this allocates a buffer on the stack
+     * if the data provided is not located in RAM.
+     */
+
+    if ((uint32_t) data < CONFIG_SRAM_BASE_ADDRESS) {
+        uint8_t stack_buffer[data_len];
+        uint32_t block_len = data_len;
+        memcpy(stack_buffer, data, block_len);
+        nrf_cc310_bl_hash_sha256_update(ctx, stack_buffer, block_len);
+    } else {
+        nrf_cc310_bl_hash_sha256_update(ctx, data, data_len);
+    }
+};
+
+int cc310_ecdsa_verify_secp256r1(uint8_t *hash,
+                                 uint8_t *public_key,
+                                 uint8_t *signature,
+                                 size_t hash_len)
+{
+        int rc;
+        nrf_cc310_bl_ecdsa_verify_context_secp256r1_t ctx;
+        cc310_init();
+        nrf_cc310_enable();
+        rc = nrf_cc310_bl_ecdsa_verify_secp256r1(&ctx,
+                                                 (nrf_cc310_bl_ecc_public_key_secp256r1_t *) public_key,
+                                                 (nrf_cc310_bl_ecc_signature_secp256r1_t  *) signature,
+                                                 hash,
+                                                 hash_len);
+        nrf_cc310_disable();
+        return rc;
+}
+

bootloader/mcuboot/ext/nrf/cc310_glue.h

@@ -0,0 +1,77 @@
+/*
+ *  Copyright Nordic Semiconductor ASA
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef NRF_CC310_GLUE_H__
+#define NRF_CC310_GLUE_H__
+
+#include <nrf.h>
+#include <nrf_cc310_bl_init.h>
+#include <nrf_cc310_bl_hash_sha256.h>
+#include <nrf_cc310_bl_ecdsa_verify_secp256r1.h>
+#include <zephyr/devicetree.h>
+#include <string.h>
+
+/*
+ * Name translation for peripherals with only one type of access available.
+ */
+#if !defined(NRF_TRUSTZONE_NONSECURE) && defined(CONFIG_ARM_TRUSTZONE_M)
+#define NRF_CRYPTOCELL   NRF_CRYPTOCELL_S
+#endif
+
+typedef nrf_cc310_bl_hash_context_sha256_t bootutil_sha_context;
+
+int cc310_ecdsa_verify_secp256r1(uint8_t *hash,
+                                 uint8_t *public_key,
+                                 uint8_t *signature,
+                                 size_t hash_len);
+
+
+int cc310_init(void);
+
+static inline void cc310_sha256_init(nrf_cc310_bl_hash_context_sha256_t *ctx);
+
+void cc310_sha256_update(nrf_cc310_bl_hash_context_sha256_t *ctx,
+                         const void *data,
+                         uint32_t data_len);
+
+static inline void nrf_cc310_enable(void)
+{
+    NRF_CRYPTOCELL->ENABLE=1;
+}
+
+static inline void nrf_cc310_disable(void)
+{
+    NRF_CRYPTOCELL->ENABLE=0;
+}
+
+/* Enable and disable cc310 to reduce power consumption */
+static inline void cc310_sha256_init(nrf_cc310_bl_hash_context_sha256_t * ctx)
+{
+    cc310_init();
+    nrf_cc310_enable();
+    nrf_cc310_bl_hash_sha256_init(ctx);
+}
+
+static inline void cc310_sha256_finalize(nrf_cc310_bl_hash_context_sha256_t *ctx,
+                                          uint8_t *output)
+{
+    nrf_cc310_bl_hash_sha256_finalize(ctx,
+                                      (nrf_cc310_bl_hash_digest_sha256_t *)output);
+    nrf_cc310_disable();
+}
+
+#endif /* NRF_CC310_GLUE_H__ */