Add dedicated sketch to enable MCUboot security features

Author: pennam

libraries/MCUboot/examples/enableSecurity/ecdsa-p256-encrypt-key.h

@@ -0,0 +1,21 @@
+const unsigned char enc_priv_key[] {
+    0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13,
+    0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
+    0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+    0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02,
+    0x01, 0x01, 0x04, 0x20, 0x79, 0x72, 0xb6, 0xf3,
+    0x62, 0x91, 0x09, 0xbb, 0x35, 0x22, 0xb8, 0x54,
+    0x32, 0x3b, 0xfe, 0x1c, 0x9f, 0xa7, 0x10, 0x6f,
+    0xba, 0xaf, 0x73, 0x64, 0xd3, 0xf5, 0x31, 0xbc,
+    0x28, 0xe7, 0xc9, 0x72, 0xa1, 0x44, 0x03, 0x42,
+    0x00, 0x04, 0x6a, 0xc9, 0x20, 0x4c, 0x96, 0xd6,
+    0x89, 0xe8, 0xd1, 0x6e, 0x51, 0x04, 0x02, 0x86,
+    0xe8, 0x95, 0x0b, 0x22, 0xc4, 0xc9, 0x95, 0x06,
+    0x4f, 0xf5, 0x1b, 0xf6, 0xd0, 0xe3, 0x83, 0xd9,
+    0xd1, 0x81, 0x66, 0x6e, 0xf2, 0x07, 0x3b, 0x03,
+    0xdb, 0xe4, 0xd1, 0xde, 0x7c, 0x43, 0x70, 0x8d,
+    0xa2, 0x89, 0xeb, 0x1b, 0xfa, 0xbe, 0x02, 0x5e,
+    0x5c, 0xa0, 0x12, 0xdc, 0x23, 0x31, 0xc1, 0xe0,
+    0x37, 0xb0,
+};
+const unsigned int enc_priv_key_len = 138;

libraries/MCUboot/examples/enableSecurity/ecdsa-p256-signing-key.h

@@ -0,0 +1,15 @@
+const unsigned char ecdsa_pub_key[] {
+    0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+    0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
+    0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+    0x42, 0x00, 0x04, 0xd5, 0x16, 0x35, 0x26, 0xc3,
+    0x3b, 0xad, 0x4d, 0x67, 0x8e, 0x43, 0x24, 0xc4,
+    0x98, 0xe9, 0x6b, 0x2e, 0xbe, 0x0d, 0xa3, 0xf1,
+    0xf4, 0x97, 0x80, 0x7b, 0x31, 0x32, 0x07, 0xd9,
+    0x95, 0xa7, 0x17, 0x57, 0x69, 0x43, 0x7b, 0xe9,
+    0xc8, 0xaa, 0xd0, 0x0a, 0x0c, 0x86, 0x0b, 0xe3,
+    0x7f, 0x99, 0x88, 0x51, 0xc4, 0xf9, 0x22, 0x98,
+    0xbe, 0x5e, 0xaa, 0xfd, 0x90, 0x3c, 0xa2, 0x74,
+    0x18, 0x49, 0x05,
+};
+const unsigned int ecdsa_pub_key_len = 91;

libraries/MCUboot/examples/enableSecurity/enableSecurity.ino

@@ -0,0 +1,155 @@
+#include "FlashIAP.h"
+#include "QSPIFBlockDevice.h"
+#include "MBRBlockDevice.h"
+#include "LittleFileSystem.h"
+#include "FATFileSystem.h"
+#if defined(ARDUINO_PORTENTA_H7_M7) || defined(ARDUINO_OPTA) || defined(ARDUINO_GIGA)
+#include "ecdsa-p256-encrypt-key.h"
+#include "ecdsa-p256-signing-key.h"
+#else
+#error "Security features not available for this board"
+#endif
+
+#ifndef CORE_CM7
+  #error Update the bootloader by uploading the sketch to the M7 core instead of the M4 core.
+#endif
+
+#define BOOTLOADER_ADDR   (0x8000000)
+#define SIGNING_KEY_ADDR  (0x8000300)
+#define ENCRYPT_KEY_ADDR  (0x8000400)
+#define ENCRYPT_KEY_SIZE  (0x0000100)
+#define SIGNING_KEY_SIZE  (0x0000100)
+
+mbed::FlashIAP flash;
+QSPIFBlockDevice root(QSPI_SO0, QSPI_SO1, QSPI_SO2, QSPI_SO3,  QSPI_SCK, QSPI_CS, QSPIF_POLARITY_MODE_1, 40000000);
+
+bool writeKeys = false;
+uint32_t bootloader_data_offset = 0x1F000;
+uint8_t* bootloader_data = (uint8_t*)(BOOTLOADER_ADDR + bootloader_data_offset);
+
+uint32_t bootloader_identification_offset = 0x2F0;
+uint8_t* bootloader_identification = (uint8_t*)(BOOTLOADER_ADDR + bootloader_identification_offset);
+
+void setup() {
+  Serial.begin(115200);
+  while (!Serial) {}
+
+  uint8_t currentBootloaderVersion = bootloader_data[1];
+  String currentBootloaderIdentifier = String(bootloader_identification, 15);
+
+  if((currentBootloaderVersion > 24) && (currentBootloaderIdentifier.equals("MCUboot Arduino"))) {
+    Serial.println("\nThe sketch comes with a set of default keys to evaluate signing and encryption process");
+    Serial.println("If you load the keys, you will need to upload the future sketches with Security Settings -> Signing + Encryption.");
+    Serial.println("If you select Security Settings -> None, the sketches will not be executed.");
+    Serial.println("Do you want to load the keys? Y/[n]");
+    if (waitResponse()) {
+      Serial.println("\nPlease notice that loading the keys will enable MCUboot Sketch swap. This will increase the sketch update time after the upload.");
+      Serial.println("A violet LED will blink until the sketch is ready to run.");
+      Serial.println("Do you want to proceed loading the default keys? Y/[n]");
+      writeKeys = waitResponse();
+    } 
+  }
+  
+  if (writeKeys) {
+    applyUpdate();
+  }
+  Serial.println("It's now safe to reboot or disconnect your board.");
+}
+
+void printProgress(uint32_t offset, uint32_t size, uint32_t threshold, bool reset) {
+  static int percent_done = 0;
+  if (reset == true) {
+    percent_done = 0;
+    Serial.println("Flashed " + String(percent_done) + "%");
+  } else {
+    uint32_t percent_done_new = offset * 100 / size;
+    if (percent_done_new >= percent_done + threshold) {
+      percent_done = percent_done_new;
+      Serial.println("Flashed " + String(percent_done) + "%");
+    }
+  }
+}
+
+bool waitResponse() {
+  bool confirmation = false;
+  while (confirmation == false) {
+    if (Serial.available()) {
+      char choice = Serial.read();
+      switch (choice) {
+        case 'y':
+        case 'Y':
+          confirmation = true;
+          return true;
+          break;
+        case 'n':
+        case 'N':
+          confirmation = true;
+          return false;
+          break;
+        default:
+          continue;
+      }
+    }
+  }
+}
+
+void setupMCUBootOTAData() {
+  mbed::MBRBlockDevice ota_data(&root, 2);
+  mbed::FATFileSystem ota_data_fs("fs");
+  
+  int err = ota_data_fs.reformat(&ota_data);
+  if (err) {
+    Serial.println("Error creating MCUboot files in OTA partition.");
+    Serial.println("Run QSPIformat.ino sketch to format the QSPI flash and fix the issue.");
+  }
+
+  FILE* fp = fopen("/fs/scratch.bin", "wb");
+  const int scratch_file_size = 128 * 1024;
+  const char buffer[128] = {0xFF};
+  int size = 0;
+
+  Serial.println("\nCreating scratch file");
+  printProgress(size, scratch_file_size, 10, true);
+  while (size < scratch_file_size) {
+    int ret = fwrite(buffer, sizeof(buffer), 1, fp);
+    if (ret != 1) {
+      Serial.println("Error writing scratch file");
+      break;
+    }
+    size += sizeof(buffer);
+    printProgress(size, scratch_file_size, 10, false);
+  }
+  fclose(fp);
+
+  fp = fopen("/fs/update.bin", "wb");
+  const int update_file_size = 15 * 128 * 1024;
+  size = 0;
+
+  Serial.println("\nCreating update file");
+  printProgress(size, update_file_size, 10, true);
+  while (size < update_file_size) {
+    int ret = fwrite(buffer, sizeof(buffer), 1, fp);
+    if (ret != 1) {
+      Serial.println("Error writing scratch file");
+      break;
+    }
+    size += sizeof(buffer);
+    printProgress(size, update_file_size, 5, false);
+  }
+
+  fclose(fp);
+}
+
+void applyUpdate() {
+  flash.init();
+  setupMCUBootOTAData();
+  flash.program(&enc_priv_key, ENCRYPT_KEY_ADDR, ENCRYPT_KEY_SIZE);
+  flash.program(&ecdsa_pub_key, SIGNING_KEY_ADDR, SIGNING_KEY_SIZE);
+  Serial.println("Flashed 100%");
+  flash.deinit();
+  Serial.println("\nBootloader update complete. It's now safe to reboot or disconnect your board.");
+}
+
+void loop() {
+  delay(1000);
+}