#
# Copyright (c) 2018 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

menuconfig SECURE_BOOT_CRYPTO
	bool
	prompt "Secure Boot Crypto"
	depends on IS_SECURE_BOOTLOADER || MCUBOOT || ZTEST
	select FW_INFO
	select NRF_OBERON

if (SECURE_BOOT_CRYPTO)
config SB_ECDSA_SECP256R1
	bool
config SB_RSA_PSS2048
	bool
config SB_SHA256
	bool

config SB_SIGNATURE_LEN
	int
	default 64 if SB_ECDSA_SECP256R1
	default 256 if SB_RSA_PSS2048

config SB_PUBLIC_KEY_LEN
	int
	default 64 if SB_ECDSA_SECP256R1
	default 256 if SB_RSA_PSS2048

config SB_HASH_LEN
	def_int 32

choice SB_CRYPTO_SIG
	prompt "Firmware verification Algorithm"
	default SB_CRYPTO_NO_ECDSA_SECP256R1 if !IS_SECURE_BOOTLOADER || SB_VALIDATE_FW_HASH
	default SB_CRYPTO_CC310_ECDSA_SECP256R1 if HAS_HW_NRF_CC310
	default SB_CRYPTO_OBERON_ECDSA_SECP256R1
	help
	  Crypto implementation to use for signature verification of firmware in Bootloader.

	config SB_CRYPTO_OBERON_ECDSA_SECP256R1
		bool "Software ECDSA secp256r1"
		select SB_ECDSA_SECP256R1
		help
		  Software implementation of ECDSA with NIST curve secp256r1.

	config SB_CRYPTO_CC310_ECDSA_SECP256R1
		bool "Hardware ECDSA secp256r1" if HAS_HW_NRF_CC310
		select NRF_CC310_BL
		select SB_ECDSA_SECP256R1
		help
		  Hardware implementation of ECDSA with NIST curve secp256r1.

	config SB_CRYPTO_CLIENT_ECDSA_SECP256R1
		bool "Use another image's ECDSA secp256r1 implementation"
		select BL_SECP256R1_EXT_API_ATLEAST_REQUIRED
		select SB_ECDSA_SECP256R1
		help
		  Using EXT_APIs from fw_info.

	config SB_CRYPTO_NO_ECDSA_SECP256R1
		bool "Disable secp256r1 support"
		select SB_ECDSA_SECP256R1

	#config SB_CRYPTO_OBERON_RSA_2048
	#	bool #"Software RSA-PSS 2048-bits"
	#	select NRF_OBERON
	#	select SB_RSA_PSS2048
	#	help
	#	  Software implementation of RSASSA-PSS, 2048-bits.
	#	  Not available yet.

	#config SB_CRYPTO_CC310_RSA_2048
	#	bool #"Hardware RSA-PSS 2048-bits" if HAS_HW_NRF_CC310
	#	select NRF_CC310_BL
	#	select SB_RSA_PSS2048
	#	help
	#	  Hardware implementation of RSASSA-PSS, 2048-bits.
	#	  Not available yet.

endchoice

choice SB_CRYPTO_HASH
	prompt "Hashing Implementation"
	default SB_CRYPTO_NO_SHA256 if !IS_SECURE_BOOTLOADER
	default SB_CRYPTO_CC310_SHA256 if HAS_HW_NRF_CC310
	default SB_CRYPTO_OBERON_SHA256
	help
	  Crypto implementation to use for hash generation in Bootloader.

	config SB_CRYPTO_OBERON_SHA256
		bool "Software SHA256"
		select SB_SHA256
		help
		  Software implementation of SHA256.

	config SB_CRYPTO_CC310_SHA256
		bool "Hardware SHA256" if HAS_HW_NRF_CC310
		select NRF_CC310_BL
		select SB_SHA256
		help
		  Hardware implementation of SHA256.

	config SB_CRYPTO_CLIENT_SHA256
		bool "Use another image's SHA256 implementation"
		select BL_SHA256_EXT_API_ATLEAST_REQUIRED
		select SB_SHA256
		help
		  Using EXT_APIs from fw_info.

	config SB_CRYPTO_NO_SHA256
		bool "Disable SHA256 support"
		select SB_SHA256

endchoice

EXT_API = BL_ROT_VERIFY
id = 0x1001
flags = 2
ver = 1
source "${ZEPHYR_BASE}/../nrf/subsys/fw_info/Kconfig.template.fw_info_ext_api"

EXT_API = BL_SHA256
id = 0x1002
flags = 0
ver = 1
source "${ZEPHYR_BASE}/../nrf/subsys/fw_info/Kconfig.template.fw_info_ext_api"

EXT_API = BL_SECP256R1
id = 0x1003
flags = 1
ver = 1
source "${ZEPHYR_BASE}/../nrf/subsys/fw_info/Kconfig.template.fw_info_ext_api"

endif # SECURE_BOOT_CRYPTO
