EC signature padding in TLV created by newt create-image and Mbed TLS

[Jerzy Kasenberg <je...@codecoup.pl>]

Hi,

Images create with newt tool signed with ecdsa-p256 are very likely
not to work with MBed TLS.
Reason for this is that newt tool pads signature with zeros when it
stores it in TLV structure.
TinyCrypt version of signature verification ignores this and can be
used to verify signature (signature on its own has TLV structure).
MBed TLS version when receives this extra padded buffer with signature
checks also for signature size and fails when padding was added.

It can be fixed in several places:
1. MBed TLS drops this check
2 .mcuboot mynewt code checks internal TLV of signature to get correct
signature size before it is passed to MBed TLS
3. newt tool stop padding signatures

1 is not really and option
2 is possible and could be used, will look slightly awkward to check
one TLV then extract size of embedded signature TLV to get correct
signature size
3 simplest solution but of unknown consequences for me

Any advise from those who create/use signed images (possible
manufacturing) with some extra data after signature.

Jerzy