diff --git a/tools/test_apps/security/.build-test-rules.yml b/tools/test_apps/security/.build-test-rules.yml index 759be2c318..b20c53e61f 100644 --- a/tools/test_apps/security/.build-test-rules.yml +++ b/tools/test_apps/security/.build-test-rules.yml @@ -2,7 +2,10 @@ tools/test_apps/security/secure_boot: disable: - - if: IDF_ENV_FPGA != 1 and CONFIG_NAME != "qemu" + - if: CONFIG_NAME == "ecdsa_p192" + reason: Building the application for secure boot using ECDSA P192 scheme can be skipped in the CI. + disable_test: + - if: CONFIG_NAME != "qemu" reason: the test can only run on an FPGA as efuses need to be reset during the test. disable_test: - if: IDF_TARGET in ["esp32", "esp32c2", "esp32c6", "esp32h2", "esp32s2", "esp32c61", "esp32p4", "esp32s3"] diff --git a/tools/test_apps/security/secure_boot/README.md b/tools/test_apps/security/secure_boot/README.md index 3d78df7684..4252dc963f 100644 --- a/tools/test_apps/security/secure_boot/README.md +++ b/tools/test_apps/security/secure_boot/README.md @@ -9,17 +9,6 @@ The example checks if the secure boot feature is enabled/disabled and if enabled ### Hardware Required -Any of the following ESP module: -* ESP32 (supports Secure Boot V1) -* ESP32-ECO3 (supports Secure Boot V2 & Secure Boot V1) -* ESP32S2 (supports Secure Boot V2) -* ESP32C3-ECO3 (supports Secure Boot V2) -* ESP32S3 (supports Secure Boot V2) -* ESP32P4 (supports Secure Boot V2) -* ESP32C5 (supports Secure Boot V2) -* ESP32C61 (supports Secure Boot V2) -* ESP32H21 (supports Secure Boot V2) - It is recommended to use Secure Boot V2 from ESP32-ECO3 onwards. ### Configure the project @@ -73,7 +62,7 @@ Purpose of the test case (`pytest_secure_boot.py`) is to test the secure boot im ### Hardware required -* FPGA setup with ESP32C3/ESP32S3/ESP32P4/ESP32C5/ESP32C61/ESP32H21 image +* FPGA setup with the target image * COM port for programming and export it as ESPPORT e.g `export ESPPORT=/dev/ttyUSB0` @@ -86,7 +75,7 @@ Purpose of the test case (`pytest_secure_boot.py`) is to test the secure boot im ``` export IDF_ENV_FPGA=1 -idf.py set-target esp32c3 #(or esp32s3 / esp32p4 / esp32c5 / esp32c61 / esp32h21) +idf.py set-target {target} idf.py menuconfig ``` @@ -95,7 +84,7 @@ Under `Security features` - Enable the `Enable hardware Secure Boot` -- Set the secure boot signing key ("test_rsa_3072_key.pem") +- Set the secure boot signing key - Set UART ROM download mode to ENABLED (Required for the script to read the EFUSE) @@ -116,5 +105,5 @@ Under `Security features` - Run the example test ``` - pytest --target esp32c3 + pytest --target {target} ``` diff --git a/tools/test_apps/security/secure_boot/pytest_secure_boot.py b/tools/test_apps/security/secure_boot/pytest_secure_boot.py index a152f49760..1f74fc7a78 100644 --- a/tools/test_apps/security/secure_boot/pytest_secure_boot.py +++ b/tools/test_apps/security/secure_boot/pytest_secure_boot.py @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD # SPDX-License-Identifier: Unlicense OR CC0-1.0 +import itertools import os import struct import zlib @@ -19,13 +20,63 @@ from pytest_embedded_idf.utils import idf_parametrize CORRUPT_ALL_BLOCKS = 0xFF +SIGNATURE_TYPE_RSA = 0 +SIGNATURE_TYPE_RSA_3072 = 1 -def corrupt_signature(signed_bootloader, seed=0, corrupt_sig=True, corrupt_crc=False, corrupt_block=CORRUPT_ALL_BLOCKS): - # type: (bytes, int, bool, bool, int) -> bytes +SIGNATURE_TYPE_ECDSA = 10 +SIGNATURE_TYPE_ECDSA_P192 = 11 +SIGNATURE_TYPE_ECDSA_P256 = 12 +SIGNATURE_TYPE_ECDSA_P384 = 13 + +SIGNATURE_TYPE_RSA_3072_SIZE = 384 +SIGNATURE_TYPE_ECDSA_P192_SIZE = 64 +SIGNATURE_TYPE_ECDSA_P256_SIZE = 64 +SIGNATURE_TYPE_ECDSA_P384_SIZE = 96 + +EFUSE_KEY_BLOCKS = 6 + +SECURE_BOOT_RSA_TARGETS = [ + 'esp32', + 'esp32c3', + 'esp32c5', + 'esp32c6', + 'esp32c61', + 'esp32h2', + 'esp32h21', + 'esp32s2', + 'esp32s3', + 'esp32p4', +] +SECURE_BOOT_ECDSA_TARGETS = ['esp32c2', 'esp32c5', 'esp32c6', 'esp32c61', 'esp32h2', 'esp32h21', 'esp32p4'] +SECURE_BOOT_ECDSA_P384_TARGETS = ['esp32c5'] + +CONFIGS_SECURE_BOOT_ECDSA = list( + itertools.chain( + itertools.product(['ecdsa_p192', 'ecdsa_p256'], SECURE_BOOT_ECDSA_TARGETS), + itertools.product(['ecdsa_p384'], SECURE_BOOT_ECDSA_P384_TARGETS), + ) +) + +CONFIGS_SECURE_BOOT_RSA = list( + itertools.chain( + itertools.product(['rsa_3072'], SECURE_BOOT_RSA_TARGETS), + ) +) + + +def corrupt_signature( + signed_bootloader, + seed=0, + corrupt_sig=True, + corrupt_crc=False, + corrupt_block=CORRUPT_ALL_BLOCKS, + signature_type=SIGNATURE_TYPE_RSA_3072, +): + # type: (bytes, int, bool, bool, int, int) -> bytes image = signed_bootloader[:-4096] signature = signed_bootloader[-4096:] sig_blocks = (signature[0:1216], signature[1216:2432], signature[2432:3648]) - new_blocks = tuple(corrupt_sig_block(s, seed, corrupt_sig, corrupt_crc) for s in sig_blocks) + new_blocks = tuple(corrupt_sig_block(s, seed, corrupt_sig, corrupt_crc, signature_type) for s in sig_blocks) # if corrupt_block is CORRUPT_ALL_BLOCKS, corrupt all blocks # otherwise, only corrupt the one with that index set @@ -36,15 +87,26 @@ def corrupt_signature(signed_bootloader, seed=0, corrupt_sig=True, corrupt_crc=F return image + b''.join(corr_sig_blocks) + signature[3648:] -def corrupt_sig_block(sig_block, seed=0, corrupt_sig=True, corrupt_crc=False): - # type: (bytes, int, bool, bool) -> bytes +def corrupt_sig_block(sig_block, seed=0, corrupt_sig=True, corrupt_crc=False, signature_type=SIGNATURE_TYPE_RSA_3072): + # type: (bytes, int, bool, bool, int) -> bytes assert len(sig_block) == 1216 magic = sig_block[0] assert magic in [0xE7, 0xFF] if magic != 0xE7: return sig_block # not valid - data = sig_block[:812] - new_sig = sig = sig_block[812:1196] + + if signature_type == SIGNATURE_TYPE_RSA_3072: + data = sig_block[:812] + new_sig = sig = sig_block[812:1196] + elif signature_type in [SIGNATURE_TYPE_ECDSA_P192, SIGNATURE_TYPE_ECDSA_P256]: + data = sig_block[:101] + new_sig = sig = sig_block[101:165] + elif signature_type == SIGNATURE_TYPE_ECDSA_P384: + data = sig_block[:149] + new_sig = sig = sig_block[149:245] + else: + raise ValueError('Invalid signature type: {}'.format(signature_type)) + crc = sig_block[1196:1200] padding = sig_block[1200:1216] @@ -80,9 +142,6 @@ def dut_start_secure_app(dut: Dut) -> None: dut.serial.app_flash(os.path.join(dut.app.binary_path, 'secure_boot.bin')) -# Test secure boot flow. -# Correctly signed bootloader + correctly signed app should work -@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target']) def test_examples_security_secure_boot(dut: Dut) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) @@ -90,6 +149,18 @@ def test_examples_security_secure_boot(dut: Dut) -> None: dut.burn_wafer_version() +# Test secure boot flow. +# Correctly signed bootloader + correctly signed app should work +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_rsa(dut: Dut) -> None: + test_examples_security_secure_boot(dut) + + +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None: + test_examples_security_secure_boot(dut) + + # Test secure boot flow. # Correctly signed bootloader + correctly signed app should work @pytest.mark.host_test @@ -106,6 +177,7 @@ def test_examples_security_secure_boot(dut: Dut) -> None: ) @pytest.mark.parametrize('target', ['esp32c3'], indirect=True) @pytest.mark.parametrize('config', ['qemu'], indirect=True) +@idf_parametrize('target', ['esp32c3'], indirect=['target']) def test_examples_security_secure_boot_qemu(dut: Dut) -> None: try: dut.expect('Secure Boot is enabled', timeout=10) @@ -121,50 +193,92 @@ def test_examples_security_secure_boot_qemu(dut: Dut) -> None: efuse_file.write(bytearray.fromhex(esp32c3_efuses)) +def test_examples_security_secure_boot_key_combo(dut: Dut) -> None: + dut_start_secure_app(dut) + dut.expect('Secure Boot is enabled', timeout=10) + efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS') + secure_boot_key = dut.app.sdkconfig.get('SECURE_BOOT_SIGNING_KEY') + for index in range(efuse_secure_boot_key_digests): + for block in range(EFUSE_KEY_BLOCKS): + dut.serial.reset_efuses() + dut.burn_wafer_version() + dut.secure_boot_burn_en_bit() + dut.secure_boot_burn_digest(secure_boot_key, index, block) + dut.expect('Secure Boot is enabled', timeout=10) + dut.serial.reset_efuses() + dut.burn_wafer_version() + + # Test efuse key index and key block combination. # Any key index can be written to any key block and should work # Increasing the test timeout to 1200s as the test runs for 18 iterations # and thus the default 600s timeout is not sufficient @pytest.mark.timeout(1200) -@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target']) -def test_examples_security_secure_boot_key_combo(dut: Dut) -> None: +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None: + test_examples_security_secure_boot_key_combo(dut) + + +# Test efuse key index and key block combination. +# Any key index can be written to any key block and should work +# Increasing the test timeout to 1200s as the test runs for 18 iterations +# and thus the default 600s timeout is not sufficient +@pytest.mark.timeout(1200) +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_key_combo_ecdsa(dut: Dut) -> None: + test_examples_security_secure_boot_key_combo(dut) + + +def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) - for index in range(3): - for block in range(6): - dut.serial.reset_efuses() - dut.burn_wafer_version() - dut.secure_boot_burn_en_bit() - dut.secure_boot_burn_digest('test_rsa_3072_key.pem', index, block) - dut.expect('Secure Boot is enabled', timeout=10) + efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS') + secure_boot_key = dut.app.sdkconfig.get('SECURE_BOOT_SIGNING_KEY') + + for index in range(efuse_secure_boot_key_digests): + dut.serial.reset_efuses() + dut.burn_wafer_version() + dut.secure_boot_burn_en_bit() + dut.serial.burn_efuse('SECURE_BOOT_KEY_REVOKE%d' % index, 1) + dut.secure_boot_burn_digest(secure_boot_key, index, 0) + dut.expect('secure boot verification failed', timeout=5) dut.serial.reset_efuses() dut.burn_wafer_version() # Test secure boot key revoke. # If a key is revoked, bootloader signed with that key should fail verification -@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target']) -def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None: - dut_start_secure_app(dut) - dut.expect('Secure Boot is enabled', timeout=10) - for index in range(3): - dut.serial.reset_efuses() - dut.burn_wafer_version() - dut.secure_boot_burn_en_bit() - dut.serial.burn_efuse('SECURE_BOOT_KEY_REVOKE%d' % index, 1) - dut.secure_boot_burn_digest('test_rsa_3072_key.pem', index, 0) - dut.expect('secure boot verification failed', timeout=5) - dut.serial.reset_efuses() - dut.burn_wafer_version() +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_key_revoke_rsa(dut: Dut) -> None: + test_examples_security_secure_boot_key_revoke(dut) -# Test bootloader signature corruption. -# Corrupt one byte at a time of bootloader signature and test that the verification fails -@pytest.mark.timeout(18000) -# Increasing the test timeout to 18000s as the test runs for 384 iterations -# and thus the default 600s timeout is not sufficient -@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target']) -def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None: +# Test secure boot key revoke. +# If a key is revoked, bootloader signed with that key should fail verification +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_key_revoke_ecdsa(dut: Dut) -> None: + test_examples_security_secure_boot_key_revoke(dut) + + +def get_signature_type_size(dut: Dut, signature_type: int) -> int: + signature_type_size = 0 + if signature_type == SIGNATURE_TYPE_RSA: + signature_type_size = SIGNATURE_TYPE_RSA_3072_SIZE + elif signature_type == SIGNATURE_TYPE_ECDSA: + if dut.app.sdkconfig.get('CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS'): + signature_type_size = SIGNATURE_TYPE_ECDSA_P192_SIZE + elif dut.app.sdkconfig.get('CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS'): + signature_type_size = SIGNATURE_TYPE_ECDSA_P256_SIZE + elif dut.app.sdkconfig.get('CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS'): + signature_type_size = SIGNATURE_TYPE_ECDSA_P384_SIZE + else: + raise ValueError('Invalid signature type: {}'.format(signature_type)) + else: + raise ValueError('Invalid signature type: {}'.format(signature_type)) + return signature_type_size + + +def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) @@ -172,8 +286,10 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None: with open(bootloader_bin, 'rb') as f: signed_bl = f.read() - seeds = range(0, 384) + signature_type_size = get_signature_type_size(dut, signature_type) + seeds = range(0, signature_type_size) max_seed = max(seeds) + secure_boot_key = dut.app.sdkconfig.get('SECURE_BOOT_SIGNING_KEY') for seed in seeds: print('Case %d / %d' % (seed, max_seed)) @@ -184,7 +300,7 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None: dut.burn_wafer_version() dut.serial.bootloader_flash('corrupt_bl.bin') dut.secure_boot_burn_en_bit() - dut.secure_boot_burn_digest('test_rsa_3072_key.pem', 0, 0) + dut.secure_boot_burn_digest(secure_boot_key, 0, 0) # Though the order of flashing and burning efuse would not effect the test, # if we flash bootlader before burning en bit, even with no_stub = True # it still calls run_stub() and throws an error as it fails to start stub. @@ -193,13 +309,27 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None: dut.burn_wafer_version() -# Test app signature corruption. -# Corrupt app signature, one byte at a time, and test that the verification fails +# Test bootloader signature corruption. +# Corrupt one byte at a time of bootloader signature and test that the verification fails @pytest.mark.timeout(18000) -# Increasing the test timeout to 18000s as the test runs for 385 iterations +# Increasing the test timeout to 18000s as the test runs for 384 iterations # and thus the default 600s timeout is not sufficient -@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target']) -def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut) -> None: +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None: + test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA) + + +# Test bootloader signature corruption. +# Corrupt one byte at a time of bootloader signature and test that the verification fails +@pytest.mark.timeout(18000) +# Increasing the test timeout to 18000s as the test runs for 384 iterations +# and thus the default 600s timeout is not sufficient +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_corrupt_bl_sig_ecdsa(dut: Dut) -> None: + test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA) + + +def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) @@ -207,7 +337,8 @@ def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut) -> None: with open(app_bin, 'rb') as f: signed_app = f.read() - seeds = range(0, 384) + signature_size = get_signature_type_size(dut, signature_type) + seeds = range(0, signature_size) max_seed = max(seeds) for seed in seeds: @@ -245,3 +376,23 @@ def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut) -> None: ) dut.expect('Secure boot signature verification failed', timeout=2) dut.expect('No bootable app partitions in the partition table', timeout=2) + + +# Test app signature corruption. +# Corrupt app signature, one byte at a time, and test that the verification fails +@pytest.mark.timeout(18000) +# Increasing the test timeout to 18000s as the test runs for 385 iterations +# and thus the default 600s timeout is not sufficient +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None: + test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA) + + +# Test app signature corruption. +# Corrupt app signature, one byte at a time, and test that the verification fails +@pytest.mark.timeout(18000) +# Increasing the test timeout to 18000s as the test runs for 385 iterations +# and thus the default 600s timeout is not sufficient +@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) +def test_examples_security_secure_boot_corrupt_app_sig_ecdsa(dut: Dut) -> None: + test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA) diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.03 b/tools/test_apps/security/secure_boot/sdkconfig.ci.03 deleted file mode 100644 index 2d3415d936..0000000000 --- a/tools/test_apps/security/secure_boot/sdkconfig.ci.03 +++ /dev/null @@ -1,4 +0,0 @@ -# ESP32-S2 Secure Boot -CONFIG_IDF_TARGET="esp32s2" -CONFIG_SECURE_BOOT=y -CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem" diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.04 b/tools/test_apps/security/secure_boot/sdkconfig.ci.04 index 92ee68c11e..fcf9c86d36 100644 --- a/tools/test_apps/security/secure_boot/sdkconfig.ci.04 +++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.04 @@ -1,5 +1,4 @@ -# ESP32-S2 Secure Boot & Flash Encryption (Release mode) -CONFIG_IDF_TARGET="esp32s2" +# Secure Boot & Flash Encryption (Release mode) CONFIG_SECURE_BOOT=y CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem" CONFIG_SECURE_FLASH_ENC_ENABLED=y diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p192 b/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p192 new file mode 100644 index 0000000000..ebcb66d954 --- /dev/null +++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p192 @@ -0,0 +1,9 @@ + +CONFIG_PARTITION_TABLE_OFFSET=0xD000 + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y +CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test_ecdsa_p192_key.pem" +CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p256 b/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p256 new file mode 100644 index 0000000000..b70b07cdf1 --- /dev/null +++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p256 @@ -0,0 +1,9 @@ + +CONFIG_PARTITION_TABLE_OFFSET=0xD000 + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y +CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test_ecdsa_p256_key.pem" +CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p384 b/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p384 new file mode 100644 index 0000000000..d46c56ea0a --- /dev/null +++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p384 @@ -0,0 +1,9 @@ + +CONFIG_PARTITION_TABLE_OFFSET=0xD000 + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y +CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test_ecdsa_p384_key.pem" +CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.rsa_3072 b/tools/test_apps/security/secure_boot/sdkconfig.ci.rsa_3072 new file mode 100644 index 0000000000..ad97ce2fdf --- /dev/null +++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.rsa_3072 @@ -0,0 +1,8 @@ + +CONFIG_PARTITION_TABLE_OFFSET=0xD000 + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem" +CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y diff --git a/tools/test_apps/security/secure_boot/test_ecdsa_p192_key.pem b/tools/test_apps/security/secure_boot/test_ecdsa_p192_key.pem new file mode 100644 index 0000000000..2286950ac8 --- /dev/null +++ b/tools/test_apps/security/secure_boot/test_ecdsa_p192_key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGCqtXL4T69v9OhhrHcI0kQNC0NFkmOQ6DqAKBggqhkjOPQMBAaE0AzIA +BDvdwlHoSE5QQ6JBU0Ovy2LjEEuoXVwpPebH3Z87B1ByYLWPZp8XhXWl7Vj7wFK7 +dw== +-----END EC PRIVATE KEY----- diff --git a/tools/test_apps/security/secure_boot/test_ecdsa_p256_key.pem b/tools/test_apps/security/secure_boot/test_ecdsa_p256_key.pem new file mode 100644 index 0000000000..1c424f7c3b --- /dev/null +++ b/tools/test_apps/security/secure_boot/test_ecdsa_p256_key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIJLB2fFAa7istjO0AWfEbvJM8Kn0T+R38GXalwX3oP6GoAoGCCqGSM49 +AwEHoUQDQgAEy2N3ohJ1hIjU2AHNyVKGafSrmGhizG1/xOTOtASbJpiVI3ccUVXI +zrDSnrTwg331qOAT7WWkY1p4ixZvP6HWzA== +-----END EC PRIVATE KEY----- diff --git a/tools/test_apps/security/secure_boot/test_ecdsa_p384_key.pem b/tools/test_apps/security/secure_boot/test_ecdsa_p384_key.pem new file mode 100644 index 0000000000..eeef703ead --- /dev/null +++ b/tools/test_apps/security/secure_boot/test_ecdsa_p384_key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDC/5UVo7tqYLt17BnN85NRhMRakLUYNrxCEb0nA5bN5WzpILMqCFkjzWWyC6FkeK02g +BwYFK4EEACKhZANiAAQPbOGJCBJtR6oB29nt6BP+JeMc4+KUkJbusFDT26arFZwcsDEZ/m+GatAl +GmlOuNGa4F4fJDjSsuz0ejKK4LQ1DliDopGmieIUWPCEScVZNu9DX2PuGC8NIyMU9Ry4Poc= +-----END EC PRIVATE KEY-----