zephyr: Add CONFIG_BOOT_BYPASS_KEY_MATCH

de-nordic · de-nordic · commit 9cc97d965472 · 2025-05-15T17:40:12.000Z
Add Zephyr support for MCUBOOT_BYPASS_KEY_MATCH

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -222,6 +222,18 @@ config BOOT_SIGNATURE_TYPE_RSA
 	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 	select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
 
+config BOOT_BYPASS_KEY_MATCH
+	bool "Do not match TLV key hash against built in key"
+	depends on !BOOT_SIGNATURE_TYPE_NONE
+	help
+	  MCUboot reads, from TLV, hash of key thath should be used to verify
+	  signature and tries to match it against list of keys, to select the
+	  key from known keys. This pointless when there is only single key
+	  compiled in, as the key can be used whether it is the right one
+	  or not, the signature verification process will verify the key.
+	  Enabling this option turns off key matching, slightly reducing
+	  MCUboot code and boot time.
+
 if BOOT_SIGNATURE_TYPE_RSA
 config BOOT_SIGNATURE_TYPE_RSA_LEN
 	int "RSA signature length"
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -153,6 +153,15 @@
 #define MCUBOOT_ENCRYPT_X25519
 #endif
 
+/* Turn off check of public key hash against compiled in key
+ * before attempting signature verification. When there is only
+ * one key, matching is pointless, the signature may just be
+ * verified with the only key that there is.
+ */
+#ifdef CONFIG_BOOT_BYPASS_KEY_MATCH
+#define MCUBOOT_BYPASS_KEY_MATCH
+#endif
+
 #ifdef CONFIG_BOOT_DECOMPRESSION
 #define MCUBOOT_DECOMPRESS_IMAGES
 #endif
