diff --git a/components/bootloader_support/src/esp32/flash_encrypt.c b/components/bootloader_support/src/esp32/flash_encrypt.c index a85b728c32..8e07095cee 100644 --- a/components/bootloader_support/src/esp32/flash_encrypt.c +++ b/components/bootloader_support/src/esp32/flash_encrypt.c @@ -252,9 +252,7 @@ static esp_err_t encrypt_bootloader(void) ESP_LOGD(TAG, "bootloader is plaintext. Encrypting..."); #if CONFIG_SECURE_BOOT_V2_ENABLED - // Account for the signature sector after the bootloader - image_length = (image_length + FLASH_SECTOR_SIZE - 1) & ~(FLASH_SECTOR_SIZE - 1); - image_length += FLASH_SECTOR_SIZE; + /* The image length obtained from esp_image_verify_bootloader includes the sector boundary padding and the signature block lengths */ if (ESP_BOOTLOADER_OFFSET + image_length > ESP_PARTITION_TABLE_OFFSET) { ESP_LOGE(TAG, "Bootloader is too large to fit Secure Boot V2 signature sector and partition table (configured offset 0x%x)", ESP_PARTITION_TABLE_OFFSET); return ESP_ERR_INVALID_STATE; diff --git a/components/bootloader_support/src/esp32s2beta/flash_encrypt.c b/components/bootloader_support/src/esp32s2beta/flash_encrypt.c index 5afa4b7e6d..bef51c827e 100644 --- a/components/bootloader_support/src/esp32s2beta/flash_encrypt.c +++ b/components/bootloader_support/src/esp32s2beta/flash_encrypt.c @@ -191,6 +191,15 @@ static esp_err_t encrypt_bootloader(void) /* Check for plaintext bootloader (verification will fail if it's already encrypted) */ if (esp_image_verify_bootloader(&image_length) == ESP_OK) { ESP_LOGD(TAG, "bootloader is plaintext. Encrypting..."); + +#if CONFIG_SECURE_BOOT_V2_ENABLED + /* The image length obtained from esp_image_verify_bootloader includes the sector boundary padding and the signature block lengths */ + if (ESP_BOOTLOADER_OFFSET + image_length > ESP_PARTITION_TABLE_OFFSET) { + ESP_LOGE(TAG, "Bootloader is too large to fit Secure Boot V2 signature sector and partition table (configured offset 0x%x)", ESP_PARTITION_TABLE_OFFSET); + return ESP_ERR_INVALID_SIZE; + } +#endif // CONFIG_SECURE_BOOT_V2_ENABLED + err = esp_flash_encrypt_region(ESP_BOOTLOADER_OFFSET, image_length); if (err != ESP_OK) { ESP_LOGE(TAG, "Failed to encrypt bootloader in place: 0x%x", err); diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c index 5dc6db56a2..e8d705cf80 100644 --- a/components/bootloader_support/src/esp_image_format.c +++ b/components/bootloader_support/src/esp_image_format.c @@ -229,6 +229,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_ if (true) { #endif // end checking for JTAG err = verify_secure_boot_signature(sha_handle, data, image_digest, verified_digest); + sha_handle = NULL; // verify_secure_boot_signature finishes sha_handle } #else // SECURE_BOOT_CHECK_SIGNATURE // No secure boot, but SHA-256 can be appended for basic corruption detection diff --git a/components/bootloader_support/src/idf/secure_boot_signatures.c b/components/bootloader_support/src/idf/secure_boot_signatures.c index ee541445bd..ca66be7059 100644 --- a/components/bootloader_support/src/idf/secure_boot_signatures.c +++ b/components/bootloader_support/src/idf/secure_boot_signatures.c @@ -260,8 +260,8 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa goto exit; } - ret = mbedtls_rsa_rsassa_pss_verify( &pk, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 32, - sig_block->block[i].image_digest, sig_be); + ret = mbedtls_rsa_rsassa_pss_verify( &pk, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, DIGEST_LEN, + image_digest, sig_be); if (ret != 0) { ESP_LOGE(TAG, "Failed mbedtls_rsa_rsassa_pss_verify, err: %d", ret); } else {