diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index f949ee693d..4c75181f8f 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -1107,7 +1107,7 @@ menu "Security features"
 endmenu # Potentially Insecure
 config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
-bool "Encrypt only the app image that is present in the partition of type app"
+bool "Encrypt contents upto app image length in app partition"
 depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
 default y
 help
diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index 84cb241010..93d2ac3dd3 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@@ -236,6 +236,23 @@ typedef struct {
 uint8_t signature[64];
 } esp_secure_boot_sig_block_t;
+/** @brief Get the size of the secure boot signature block
+ *
+ * This is the size of the signature block appended to a signed image.
+ *
+ * @return Size of the secure boot signature block in bytes
+ */
+static inline uint32_t esp_secure_boot_sig_block_size(void)
+{
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+ return sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+ return sizeof(esp_secure_boot_sig_block_t);
+#else
+ return 0;
+#endif
+}
+
 /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
 *
 * Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature
diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
index 810cd36c2d..b6a61d9978 100644
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
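Review bot: The new prompt on the `+bool` line has a typo, `upto` should be `up to`, and it drops the qualifier the old prompt carried ("partition of type app"), which is the only place in this menu that told the user the option is restricted to app-type partitions. A prompt such as `bool "Encrypt only up to the app image length in app-type partitions"` keeps both. The `help` text that follows is outside the hunk, so whether it describes what "image length" now covers cannot be confirmed from here; it is the right place to state it precisely.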
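Review bot: The two preprocessor tests in `esp_secure_boot_sig_block_size` use different forms: the `#if` line tests the values `CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME` while the next branch uses `#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)`; pick one form for all branches, e.g. `#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME`, so the branches cannot disagree if the generated config ever emits a symbol with a false value. The `#else` branch returns 0 silently, and a caller that adds the result to a length will never notice that nothing was accounted for, so the docstring should say so: `@note Returns 0 when no CONFIG_SECURE_SIGNED_APPS_*_SCHEME is selected; callers must not treat 0 as a real block size.` Whether `ets_secure_boot_signature_t` is declared in this header under the RSA/ECDSA-V2 configurations is not visible in the hunk; since it is referenced from an always-compiled `static inline`, it must be in scope whenever those configs are set.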
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -413,6 +413,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
 if (should_encrypt) {
 // Encrypt only the app image instead of encrypting the whole partition
 size = image_data.image_len;
+#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+ // If secure update without secure boot, also encrypt the signature block
+ size += esp_secure_boot_sig_block_size();
+#endif
 }
 #endif
 } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
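Review bot: The added `size += esp_secure_boot_sig_block_size();` assumes the signature block begins exactly at `image_data.image_len`; for the Secure Boot V2 formats (where the helper returns `sizeof(ets_secure_boot_signature_t)`) the block is, as far as I recall the image format, placed in the sector following the image, i.e. at the next 4 KB boundary, so `image_len + block size` can end before the block's last byte unless the region encryptor rounds `size` up to whole flash sectors. That rounding, if it exists, is outside this hunk and should be confirmed, and the dependency made explicit on the added comment line: `// V2 signature block sits in the sector after the image; relies on the region encryptor rounding size up to FLASH_SECTOR_SIZE`. If it cannot be relied on, compute the end explicitly, e.g. align `image_data.image_len` up to the sector size before adding the block size. The body of `encrypt_partition` starts and ends outside the hunk.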