From 0076bb0289631dc4463883c08054b661e3605cf7 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Wed, 5 Mar 2025 11:26:33 +0530
Subject: [PATCH] fix(secure_boot): Fix SB verification failure when sig block and key digest mismatch

- Secure boot V2 verification failed when multiple keys are used to sign the bootloader and the application is signed with a key other than the first key that is used to sign the bootloader.
- The issue was introduced as a regression from the commit `ff16ce43`.
---
 .../src/secure_boot_v2/secure_boot_signatures_bootloader.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
index a653707845..45332f9925 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
@@ -154,13 +154,12 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
 ets_secure_boot_key_digests_t trusted_key_digests = {0};
 bool valid_sig_blk = false;
 for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
+ trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
 if (sig_block->block[i].version != ESP_SECURE_BOOT_SCHEME) {
 ESP_LOGD(TAG, "%s signing scheme selected but signature block %d generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), i, esp_secure_boot_get_scheme_name(sig_block->block[i].version));
- continue;
 } else {
 valid_sig_blk = true;
 }
- trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
 }
 if (valid_sig_blk != true) {
 ESP_LOGE(TAG, "No signature block generated for valid scheme");
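Review bot: The added `trusted_key_digests.key_digests[i] = &trusted.key_digests[i];` at the top of the loop now hands every slot of `trusted` to the verifier regardless of the signature block at the same index, and nothing in the hunk shows that empty or revoked digest slots are excluded, so that guarantee has to come from wherever `trusted` is filled (outside the hunk; the function itself also starts and ends outside it). Because coupling the block index to the key index is exactly what regressed, a comment above the line would help keep it from being reintroduced, for example `/* Trust every key digest: signature block i is not necessarily signed with key i. */`. With `continue` removed, wrong-scheme blocks are only logged in this loop, so rejecting them presumably rests on the verification call that follows; a test image whose application is signed with the second or third bootloader key would pin the intended behaviour.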