From 904b85e36563eb55600c68cd797fab30bd706bdb Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Fri, 30 Aug 2019 09:35:47 +1000
Subject: [PATCH 1/2] secure boot: Ensure mbedTLS enables ECDSA if signatures are checked in app and all ECDSA to be disabled if secure boot is not enabled Previously if ECDSA disabled in config then secure_boot_signatures.c would fail to build (whether or not secure boot was enabled). To avoid breaking apps that might be using the signature scheme with custom OTA without enabling secure boot signatures in config, this change just disables this functionality if unavailable in mbedTLS config. Possible fix for root cause of https://github.com/espressif/esp-idf/pull/3703 Closes https://github.com/espressif/esp-idf/issues/4758
---
 components/bootloader/Kconfig.projbuild | 5 ++++-
 .../bootloader_support/src/idf/secure_boot_signatures.c | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 8711095681..c21af3f9bb 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -234,12 +234,15 @@ menu "Security features"
 config SECURE_SIGNED_ON_UPDATE
 bool
 default y
- select MBEDTLS_ECP_DP_SECP256R1_ENABLED
 depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 config SECURE_SIGNED_APPS
 bool
 default y
+ select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ select MBEDTLS_ECP_C
+ select MBEDTLS_ECDH_C
+ select MBEDTLS_ECDSA_C
 depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
diff --git a/components/bootloader_support/src/idf/secure_boot_signatures.c b/components/bootloader_support/src/idf/secure_boot_signatures.c
index 14e8faea53..df1424124b 100644
--- a/components/bootloader_support/src/idf/secure_boot_signatures.c
+++ b/components/bootloader_support/src/idf/secure_boot_signatures.c
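Review bot: In components/bootloader/Kconfig.projbuild, the four `select` lines added under `SECURE_SIGNED_APPS` carry no comment saying why each one is needed or what code relies on them. `select` forces a symbol on without regard to that symbol's own `depends on`, so MBEDTLS_ECP_C and MBEDTLS_ECDH_C are presumably listed only to satisfy the dependency chain of MBEDTLS_ECDSA_C; that should be confirmed against components/mbedtls/Kconfig and stated. The guard this patch adds to secure_boot_signatures.c tests only CONFIG_MBEDTLS_ECDSA_C and CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED, so the two lists can drift apart unnoticed. I would add above the selects: `# Required by esp_secure_boot_verify_signature_block(); keep in sync with the #if guard in secure_boot_signatures.c`.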
@@ -56,6 +56,10 @@ esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
 esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
 {
+#if !(defined(CONFIG_MBEDTLS_ECDSA_C) && defined(CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED))
+ ESP_LOGE(TAG, "Signature verification requires ECDSA & SECP256R1 curve enabled");
+ return ESP_ERR_NOT_SUPPORTED;
+#else
 ptrdiff_t keylen;
 keylen = signature_verification_key_end - signature_verification_key_start;
@@ -117,4 +121,5 @@ cleanup:
 mbedtls_mpi_free(&s);
 mbedtls_ecdsa_free(&ecdsa_context);
 return ret == 0 ? ESP_OK : ESP_ERR_IMAGE_INVALID;
+#endif // CONFIG_MBEDTLS_ECDSA_C && CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
 }
From bdfba3b88c970700e6e9107b28eaeabb819fdcd2 Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Fri, 30 Aug 2019 15:01:43 +1000
Subject: [PATCH 2/2] mbedtls: Make ECDHE-PSK config item depend on ECDHE
---
 components/mbedtls/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index 2615a61ce3..7514d76214 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -254,7 +254,7 @@ menu "mbedTLS"
 config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
 bool "Enable ECDHE-PSK based ciphersuite modes"
- depends on MBEDTLS_PSK_MODES
+ depends on MBEDTLS_PSK_MODES && MBEDTLS_ECDH_C
 default y
 help
 Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
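Review bot: The new `#if` branch in esp_secure_boot_verify_signature_block() turns a configuration without ECDSA into a runtime ESP_ERR_NOT_SUPPORTED, which fails closed but is only noticed when an image is verified on the device. When signed apps are configured this should be a build failure instead; inside that branch, before the ESP_LOGE line, add `#ifdef CONFIG_SECURE_SIGNED_APPS`, `#error "Signed app verification requires MBEDTLS_ECDSA_C and MBEDTLS_ECP_DP_SECP256R1_ENABLED"`, `#endif`. With the `select` lines this patch adds to Kconfig.projbuild that combination should not occur, so the check would only catch a later regression in the Kconfig. ESP_ERR_NOT_SUPPORTED is also a new return value for this function: its documentation (outside this diff) should list it, and the callers, which are not visible here, should be checked to treat anything other than ESP_OK as a failed verification. The function body spans both hunks of this file (the `#endif` is in the second) and its middle is outside the diff.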