boot/bootutil: give the hash of the received key to boot_retrieve_public_key_hash #1869
MCUBOOT_HW_KEY already allows you to put your own signature key management into the bootloader, independent of mcuboot. At the moment boot_retrieve_public_key_hash is limited to exactly one key hash, since it is only called once and there is no way for the called function to determine whether it will be returning an accepted hash.
Adding the hash itself to the call enables the project-specific code to look for a fitting hash instead of just returning one. This way two things can be accomplished:
The key revocation scheme I plan to use based on this patch is based on a sorted list of key hashes. Normally the first entry is expected to be used for signing. If an entry deeper down the list is used, this indicates that the private keys up to that entry have been compromised and they should be invalidated.
Invalidation itself is HW specific. For example on an STM32 it is possible to overwrite already written flash with zeros, which can be used to delete a non-zero validity flag.
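The sorted-list revocation scheme sketched in the description above, written out as an added example in C. This is not code from the pull request or from mcuboot: the function name boot_retrieve_public_key_hash is mcuboot's, but the signature used here (hash of the received key in, index of the accepted slot out), the helpers key_slot_valid, boot_revoke_keys_before, flash_zero_word and run_revocation_scenario, the validity-flag layout and the key hashes themselves are all assumptions made for the illustration. The flash write is simulated in RAM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_HASH_LEN 32   /* SHA-256 of the public key, as mcuboot hashes it */
#define NUM_KEYS     3

/* Sorted list of accepted key hashes. Slot 0 is the key normally expected to
 * sign images; later slots are fallbacks used only after a compromise.
 * Constructed filler values, not hashes of real keys. */
static const uint8_t key_hashes[NUM_KEYS][KEY_HASH_LEN] = {
    { 0x11 }, { 0x22 }, { 0x33 },
};

/* One validity word per slot, modelled on a flash cell: the erased value
 * (all ones) means "still accepted", an all-zero word means "revoked". */
#define FLAG_VALID   0xFFFFFFFFu
#define FLAG_REVOKED 0x00000000u
static uint32_t key_valid_flags[NUM_KEYS] = { FLAG_VALID, FLAG_VALID, FLAG_VALID };

/* Hypothetical HW hook standing in for "overwrite an already written flash
 * word with zeros" (the STM32 behaviour the description mentions). */
static void flash_zero_word(uint32_t *word) { *word = FLAG_REVOKED; }

/* Constant-time comparison so the lookup does not leak which slot matched. */
static bool consttime_eq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

bool key_slot_valid(size_t idx) {
    return idx < NUM_KEYS && key_valid_flags[idx] == FLAG_VALID;
}

/* Assumed signature: the bootloader passes the hash of the key it found in the
 * image TLV and the project code looks for a fitting, still-valid slot instead
 * of returning one fixed hash. Returns the slot index, or -1 if none fits. */
int boot_retrieve_public_key_hash(const uint8_t *received_hash, size_t received_len,
                                  uint8_t *accepted_hash, size_t *accepted_len) {
    if (received_len != KEY_HASH_LEN) return -1;
    for (size_t i = 0; i < NUM_KEYS; i++) {
        if (!key_slot_valid(i)) continue;            /* skip revoked slots */
        if (consttime_eq(key_hashes[i], received_hash, KEY_HASH_LEN)) {
            memcpy(accepted_hash, key_hashes[i], KEY_HASH_LEN);
            *accepted_len = KEY_HASH_LEN;
            return (int)i;
        }
    }
    return -1;
}

/* Revocation step: an image verified with slot `used` means every earlier slot
 * is compromised, so their flags are zeroed. Returns how many were revoked.
 * Call this only after the signature check has passed: the public key in the
 * image is public, so a lookup hit alone must not be allowed to revoke. */
int boot_revoke_keys_before(int used) {
    int revoked = 0;
    if (used < 0 || used >= NUM_KEYS) return 0;
    for (int j = 0; j < used; j++) {
        if (key_valid_flags[j] == FLAG_VALID) {
            flash_zero_word(&key_valid_flags[j]);
            revoked++;
        }
    }
    return revoked;
}

/* Walks the scheme end to end with constructed inputs. Returns 0 on success,
 * or the negative number of the step that went wrong. */
int run_revocation_scenario(void) {
    uint8_t out[KEY_HASH_LEN];
    size_t n = 0;
    const uint8_t k0[KEY_HASH_LEN] = { 0x11 };   /* constructed: slot 0 */
    const uint8_t k2[KEY_HASH_LEN] = { 0x33 };   /* constructed: slot 2 */
    const uint8_t unknown[KEY_HASH_LEN] = { 0x99 };

    /* 1: the normal signing key is found in slot 0, nothing is revoked */
    if (boot_retrieve_public_key_hash(k0, KEY_HASH_LEN, out, &n) != 0) return -1;
    if (n != KEY_HASH_LEN || out[0] != 0x11) return -2;
    /* 2: an unknown key or a wrong hash length is rejected */
    if (boot_retrieve_public_key_hash(unknown, KEY_HASH_LEN, out, &n) != -1) return -3;
    if (boot_retrieve_public_key_hash(k0, 16, out, &n) != -1) return -4;
    /* 3: an image signed with the slot-2 key (after verification) revokes 0 and 1 */
    if (boot_retrieve_public_key_hash(k2, KEY_HASH_LEN, out, &n) != 2) return -5;
    if (boot_revoke_keys_before(2) != 2) return -6;
    /* 4: the old key no longer fits, even though its hash is still in the table */
    if (boot_retrieve_public_key_hash(k0, KEY_HASH_LEN, out, &n) != -1) return -7;
    if (boot_retrieve_public_key_hash(k2, KEY_HASH_LEN, out, &n) != 2) return -8;
    return 0;
}
```

The lookup and the revocation are kept as two separate calls on purpose: the key embedded in an image is public, so an attacker can build an unsigned image that carries the slot-2 key, and if zeroing happened inside the lookup that image would revoke the current key without ever passing signature verification. Revoking only after the signature has verified against the matched slot keeps the scheme one-way in the intended direction.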