
Add support for multiple same-type signatures with key ID parsing

Open maulik-arm opened this issue 6 months ago • 7 comments

This PR adds support for signing and verifying images with multiple signatures of the same type (e.g., multiple EC256 signatures), enhancing flexibility in secure boot scenarios. It also introduces Key ID TLV parsing to enable the bootloader to select the correct key from a set of built-in keys.

Motivation

Previously, MCUboot only allowed a single signature per image per signature type. This limited use cases where multiple stakeholders need to sign the same image or when fallback keys are required. This PR removes that limitation by allowing multiple signatures of the same type.
Use Cases

  • Multi-party signing: e.g., 2 (potentially independent) parties can sign the same image, enabling chain-of-trust across organizational boundaries.
  • Key rotation or backup: include signatures from both the current and next key, or a recovery key.

Changes Included

1. bootutil: Parse key ID TLV for built-in keys

  • Adds support for parsing Key ID TLVs in the image when MCUBOOT_BUILTIN_KEY is enabled.
  • This enables selection of the correct built-in key for verification.

2. imgtool: Add support for multiple signatures and key ID TLVs

  • Enables signing an image with multiple keys of the same type.
  • Adds CLI support for passing multiple --key arguments.
  • Allows optional specification of a key ID per signature, which gets encoded in the TLV.
  • Updates imgtool test suite to verify both multiple signatures and key ID inclusion.

3. bootutil: Add support for verifying multiple same-type signatures

  • Updates signature verification logic to loop through all same-type signature TLVs.
  • When MCUBOOT_BUILTIN_KEY or MCUBOOT_HW_KEY is enabled, the key ID is used to select the appropriate key for verification.

Notes

  • Backwards compatible: Images with a single signature continue to work as before.
  • Only takes effect when the config option 'MCUBOOT_IMAGE_MULTI_SIG_SUPPORT' is enabled.
  • Designed to work with existing MCUboot signature verification flow with minimal disruption.

maulik-arm, May 14 '25 09:05
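An added example, not code from this PR or from MCUboot, showing the TLV layout and verification loop the description outlines: imgtool-style emission of a key ID TLV in front of each signature TLV, and a bootloader-style walk over every same-type signature TLV that selects the built-in key named by the preceding key ID and counts how many signatures verify. The TLV tag values, the 4-byte key ID encoding, the `required` threshold and the HMAC stand-in for ECDSA are assumptions made for this illustration only.

```python
import hashlib
import hmac
import struct

# Assumed tag values for this example; not MCUboot's real TLV constants.
TLV_KEYID = 0x40   # key ID TLV: 4-byte little-endian key identifier
TLV_SIG = 0x22     # same-type signature TLV (stands in for EC256 signatures)


def build_tlvs(image: bytes, signers: list[tuple[int, bytes]]) -> bytes:
    """imgtool-style: for each (key_id, secret) emit a key ID TLV, then the signature TLV.
    HMAC-SHA256 over the image hash stands in for an ECDSA signature here."""
    digest = hashlib.sha256(image).digest()
    out = b""
    for key_id, secret in signers:
        out += struct.pack("<HH", TLV_KEYID, 4) + struct.pack("<I", key_id)
        sig = hmac.new(secret, digest, hashlib.sha256).digest()
        out += struct.pack("<HH", TLV_SIG, len(sig)) + sig
    return out


def iter_tlvs(blob: bytes):
    """Walk a TLV area: 2-byte type, 2-byte length, then value (both little-endian)."""
    off = 0
    while off + 4 <= len(blob):
        typ, length = struct.unpack_from("<HH", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated TLV")
        yield typ, blob[off:off + length]
        off += length


def verify_image(image: bytes, tlvs: bytes, builtin_keys: dict[int, bytes],
                 required: int = 1) -> bool:
    """Bootloader-style: loop over all signature TLVs, pick the built-in key by the
    key ID that precedes each one, and accept once `required` signatures verify.
    A signature whose key ID is unknown is skipped, so a rotated or foreign key
    does not break verification by the keys this bootloader does hold."""
    digest = hashlib.sha256(image).digest()
    pending_key_id = None
    good = 0
    for typ, val in iter_tlvs(tlvs):
        if typ == TLV_KEYID and len(val) == 4:
            pending_key_id = struct.unpack("<I", val)[0]
        elif typ == TLV_SIG:
            secret = builtin_keys.get(pending_key_id)
            pending_key_id = None   # a key ID binds only to the signature right after it
            if secret is None:
                continue            # no matching built-in key: try the next signature
            expected = hmac.new(secret, digest, hashlib.sha256).digest()
            if hmac.compare_digest(expected, val):
                good += 1
    return good >= required
```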