espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-10-02 18:10:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/encrypt_len_for_sb_update_case_v5.4' into 'release/v5.4'

Browse Source 
fix(bootloader): correct encryption length for secure update without secure boot (v5.4)

See merge request espressif/esp-idf!41924
This commit is contained in:
Jiang Jiang Jian
2025-09-19 03:22:17 +08:00
parent b3f053863d 0bddd778a9
commit 3ad2b49d80
3 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
components/bootloader/Kconfig.projbuild
View File

@@ -1107,7 +1107,7 @@ menu "Security features"
endmenu # Potentially Insecure endmenu # Potentially Insecure
config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
bool "Encrypt only the app image that is present in the partition of type app" bool "Encrypt contents upto app image length in app partition"
depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
default y default y
help help

17
components/bootloader_support/include/esp_secure_boot.h
View File

@@ -236,6 +236,23 @@ typedef struct {
uint8_t signature[64]; uint8_t signature[64];
} esp_secure_boot_sig_block_t; } esp_secure_boot_sig_block_t;
/** @brief Get the size of the secure boot signature block
*
* This is the size of the signature block appended to a signed image.
*
* @return Size of the secure boot signature block in bytes
*/
static inline uint32_t esp_secure_boot_sig_block_size(void)
{
#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
return sizeof(ets_secure_boot_signature_t);
#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
return sizeof(esp_secure_boot_sig_block_t);
#else
return 0;
#endif
}
/** @brief Verify the ECDSA secure boot signature block for Secure Boot V1. /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
* *
* Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature * Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature

4
components/bootloader_support/src/flash_encryption/flash_encrypt.c
View File

@@ -413,6 +413,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
if (should_encrypt) { if (should_encrypt) {
// Encrypt only the app image instead of encrypting the whole partition // Encrypt only the app image instead of encrypting the whole partition
size = image_data.image_len; size = image_data.image_len;
#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
// If secure update without secure boot, also encrypt the signature block
size += esp_secure_boot_sig_block_size();
#endif
} }
#endif #endif
} else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA) } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)