espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-30 18:57:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

secure_boot: Do not allow key revocation in bootloader

Browse Source
This commit is contained in:
Sachin Parekh
2021-10-22 12:11:15 +05:30
parent 7fe2a4815d
commit 2f39639c20
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
View File

@ -137,10 +137,13 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1 #if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest); int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest);
#else #else
ets_secure_boot_key_digests_t trusted_key_digests; ets_secure_boot_key_digests_t trusted_key_digests = {0};
for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) { for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
trusted_key_digests.key_digests[i] = &trusted.key_digests[i]; trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
} }
// Key revocation happens in ROM bootloader.
// Do NOT allow key revocation while verifying application
trusted_key_digests.allow_key_revoke = false;
int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_key_digests, verified_digest); int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_key_digests, verified_digest);
#endif #endif
if (sb_result != SB_SUCCESS) { if (sb_result != SB_SUCCESS) {