Merge branch 'feature/doc_sbv2_key_not_read_protected' into 'master'

secure_boot_v2(doc): secure_boot_v2 key/s must be readable See merge request espressif/esp-idf!14619
2025-08-03 20:54:32 +02:00 · 2021-08-05 05:20:36 +00:00
parent 947980ecac 93512edc7a
commit 1e8d1344a1
2 changed files with 8 additions and 6 deletions
--- a/components/esptool_py/esptool
+++ b/components/esptool_py/esptool
--- a/docs/en/security/secure-boot-v2.rst
+++ b/docs/en/security/secure-boot-v2.rst
@@ -36,11 +36,11 @@ Advantages

 - The RSA public key is stored on the device. The corresponding RSA private key is kept secret on a server and is never accessed by the device.

-  .. only:: esp32
+.. only:: esp32

    - Only one public key can be generated and stored in ESP32 ECO3 during manufacturing.

-  .. only:: esp32s2 or esp32c3
+.. only:: esp32s2 or esp32c3

    - Up to three public keys can be generated and stored in the chip during manufacturing.

@@ -152,15 +152,15 @@ eFuse usage

    - ABS_DONE_1 - Enables secure boot protection on boot.

-    - BLK2 - Stores the SHA-256 digest of the public key. SHA-256 hash of public key modulus, exponent, precalculated R & M’ values (represented as 776 bytes – offsets 36 to 812 - as per the :ref:`signature-block-format`) is written to an eFuse key block.
+    - BLK2 - Stores the SHA-256 digest of the public key. SHA-256 hash of public key modulus, exponent, precalculated R & M’ values (represented as 776 bytes – offsets 36 to 812 - as per the :ref:`signature-block-format`) is written to an eFuse key block. The write-protection bit must be set, but the read-protection bit must not.

 .. only:: esp32s2 or esp32c3

    - SECURE_BOOT_EN - Enables secure boot protection on boot.

-    - KEY_PURPOSE_X - Set the purpose of the key block on {IDF_TARGET_NAME} by programming SECURE_BOOT_DIGESTX (X = 0, 1, 2) into KEY_PURPOSE_X (X = 0, 1, 2, 3, 4, 5). Example: If KEY_PURPOSE_2 is set to SECURE_BOOT_DIGEST1, then BLOCK_KEY2 will have the Secure Boot V2 public key digest.
+    - KEY_PURPOSE_X - Set the purpose of the key block on {IDF_TARGET_NAME} by programming SECURE_BOOT_DIGESTX (X = 0, 1, 2) into KEY_PURPOSE_X (X = 0, 1, 2, 3, 4, 5). Example: If KEY_PURPOSE_2 is set to SECURE_BOOT_DIGEST1, then BLOCK_KEY2 will have the Secure Boot V2 public key digest. The write-protection bit must be set (this field does not have a read-protection bit).

-    - BLOCK_KEYX - The block contains the data corresponding to its purpose programmed in KEY_PURPOSE_X. Stores the SHA-256 digest of the public key. SHA-256 hash of public key modulus, exponent, precalculated R & M’ values (represented as 776 bytes – offsets 36 to 812 - as per the :ref:`signature-block-format`) is written to an eFuse key block.
+    - BLOCK_KEYX - The block contains the data corresponding to its purpose programmed in KEY_PURPOSE_X. Stores the SHA-256 digest of the public key. SHA-256 hash of public key modulus, exponent, precalculated R & M’ values (represented as 776 bytes – offsets 36 to 812 - as per the :ref:`signature-block-format`) is written to an eFuse key block. The write-protection bit must be set, but the read-protection bit must not.

    - KEY_REVOKEX - The revocation bits corresponding to each of the 3 key block. Ex. Setting KEY_REVOKE2 revokes the key block whose key purpose is SECURE_BOOT_DIGEST2.

@@ -168,6 +168,8 @@ eFuse usage

    To ensure no trusted keys can be added later by an attacker, each unused key digest slot should be revoked (KEY_REVOKEX). It will be checked during app startup in :cpp:func:`esp_secure_boot_init_checks` and fixed unless :ref:`CONFIG_SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS` is enabled.

+The key(s) must be readable in order to give software access to it. If the key(s) is read-protected then the software reads the key(s) as all zeros and the signature verification process occurs with error, bootloader and app can not be run.
+
 .. _secure-boot-v2-howto:

 How To Enable Secure Boot V2