test(examples/efuse): Add test for secure boot v2 using ecdsa-p384

examples/system/.build-test-rules.yml

@@ -47,7 +47,11 @@ examples/system/efuse:
     - if: IDF_TARGET == "linux" and CONFIG_NAME == "virt_flash_enc_release"
     - if: IDF_TARGET == "linux" and CONFIG_NAME == "virt_sb_v2_and_fe"
     - if: IDF_TARGET == "linux" and CONFIG_NAME == "virt_secure_boot_v2"
+    - if: IDF_TARGET == "linux" and CONFIG_NAME == "virt_secure_boot_v2_ecdsa_p384"
+    - if: IDF_TARGET == "linux" and CONFIG_NAME == "virt_sb_v2_ecdsa_p384_and_fe"
       reason: Security features are not yet supported for Linux.
+    - if: SOC_ECDSA_SUPPORT_CURVE_P384 != 1 and (CONFIG_NAME == "virt_secure_boot_v2_ecdsa_p384" or CONFIG_NAME == "virt_sb_v2_ecdsa_p384_and_fe")
+      reason: Secure Boot V2 with ECDSA P384 is not supported.
   depends_components:
     - efuse
     - bootloader_support

examples/system/efuse/pytest_system_efuse_example.py

@@ -6,6 +6,7 @@ import os
 import pytest
 from pytest_embedded import Dut
 from pytest_embedded_idf.utils import idf_parametrize
+from pytest_embedded_idf.utils import soc_filtered_targets
 from pytest_embedded_qemu.dut import QemuDut
 
 
@@ -588,15 +589,7 @@ def test_examples_efuse_with_virt_secure_boot_v2_pre_loaded(dut: Dut) -> None:
     dut.expect('example: Done')
 
 
-@pytest.mark.generic
+def example_efuse_with_virt_secure_boot_v2_esp32xx(dut: Dut) -> None:
-@pytest.mark.parametrize('config', ['virt_secure_boot_v2'], indirect=True)
-@pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
-@idf_parametrize(
-    'target',
-    ['esp32c3', 'esp32c2', 'esp32c5', 'esp32c6', 'esp32c61', 'esp32h2', 'esp32p4', 'esp32s2', 'esp32s3'],
-    indirect=['target'],
-)
-def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(dut: Dut) -> None:
     # check and log bin size
     binary_file = os.path.join(dut.app.binary_path, 'bootloader', 'bootloader.bin')
     bin_size = os.path.getsize(binary_file)
@@ -659,6 +652,26 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(dut: Dut) -> None:
     dut.expect('example: Done')
 
 
+@pytest.mark.generic
+@pytest.mark.parametrize('config', ['virt_secure_boot_v2'], indirect=True)
+@pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
+@idf_parametrize(
+    'target',
+    ['esp32c3', 'esp32c2', 'esp32c5', 'esp32c6', 'esp32c61', 'esp32h2', 'esp32p4', 'esp32s2', 'esp32s3'],
+    indirect=['target'],
+)
+def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(dut: Dut) -> None:
+    example_efuse_with_virt_secure_boot_v2_esp32xx(dut)
+
+
+@pytest.mark.generic
+@pytest.mark.parametrize('config', ['virt_secure_boot_v2_ecdsa_p384'], indirect=True)
+@pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
+@idf_parametrize('target', soc_filtered_targets('SOC_ECDSA_SUPPORT_CURVE_P384 == 1'), indirect=['target'])
+def test_examples_efuse_with_virt_secure_boot_v2_ecdsa_p384_esp32xx(dut: Dut) -> None:
+    example_efuse_with_virt_secure_boot_v2_esp32xx(dut)
+
+
 @pytest.mark.generic
 @pytest.mark.parametrize('config', ['virt_secure_boot_v2'], indirect=True)
 @pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
@@ -685,12 +698,14 @@ def test_example_efuse_with_virt_secure_boot_v2_esp32xx_pre_loaded(dut: Dut) ->
     # Resets eFuse, which enables Secure boot feature
     # Resets eFuses, which control digest slots
     if dut.app.sdkconfig.get('SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS'):
-        dut.serial.erase_field_on_emul_efuse_by_name([
+        dut.serial.erase_field_on_emul_efuse_by_name(
+            [
                 'SECURE_BOOT_EN',
                 'SECURE_BOOT_KEY_REVOKE0',
                 'SECURE_BOOT_KEY_REVOKE1',
                 'SECURE_BOOT_KEY_REVOKE2',
-        ])
+            ]
+        )
     else:
         dut.serial.erase_field_on_emul_efuse_by_name(['SECURE_BOOT_EN'])
 
@@ -906,7 +921,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None:
 @pytest.mark.parametrize(
     'qemu_extra_args',
     [
-        f'-drive file={os.path.join(os.path.dirname(__file__), "test", "esp32eco3_efuses.bin")},if=none,format=raw,id=efuse '
+        f'-drive file={os.path.join(os.path.dirname(__file__), "test", "esp32eco3_efuses.bin")},'
+        'if=none,format=raw,id=efuse '
         '-global driver=nvram.esp32.efuse,property=drive,value=efuse '
         '-global driver=timer.esp32.timg,property=wdt_disable,value=true',
     ],
@@ -983,15 +999,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_qemu(dut: QemuDut) -> None:
             efuse_file.write(bytearray.fromhex(esp32eco3_efuses))
 
 
-@pytest.mark.generic
+def example_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None:
-@pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
-@pytest.mark.parametrize('config', ['virt_sb_v2_and_fe'], indirect=True)
-@idf_parametrize(
-    'target',
-    ['esp32c3', 'esp32c2', 'esp32c5', 'esp32c61', 'esp32c6', 'esp32h2', 'esp32s2', 'esp32s3'],
-    indirect=['target'],
-)
-def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None:
     # check and log bin size
     binary_file = os.path.join(dut.app.binary_path, 'bootloader', 'bootloader.bin')
     bin_size = os.path.getsize(binary_file)
@@ -1082,3 +1090,23 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None:
     dut.expect('example: Flash Encryption is NOT in RELEASE mode')
     dut.expect('example: Secure Boot is in RELEASE mode')
     dut.expect('example: Done')
+
+
+@pytest.mark.generic
+@pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
+@pytest.mark.parametrize('config', ['virt_sb_v2_and_fe'], indirect=True)
+@idf_parametrize(
+    'target',
+    ['esp32c3', 'esp32c2', 'esp32c5', 'esp32c61', 'esp32c6', 'esp32h2', 'esp32s2', 'esp32s3'],
+    indirect=['target'],
+)
+def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None:
+    example_efuse_with_virt_sb_v2_and_fe(dut)
+
+
+@pytest.mark.generic
+@pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
+@pytest.mark.parametrize('config', ['virt_sb_v2_ecdsa_p384_and_fe'], indirect=True)
+@idf_parametrize('target', soc_filtered_targets('SOC_ECDSA_SUPPORT_CURVE_P384 == 1'), indirect=['target'])
+def test_examples_efuse_with_virt_sb_v2_ecdsa_p384_and_fe_esp32xx(dut: Dut) -> None:
+    example_efuse_with_virt_sb_v2_and_fe(dut)

examples/system/efuse/sdkconfig.ci.virt_sb_v2_ecdsa_p384_and_fe.esp32c5

@@ -0,0 +1,20 @@
+# FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH
+
+CONFIG_IDF_TARGET="esp32c5"
+
+CONFIG_PARTITION_TABLE_OFFSET=0xE000
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y
+CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key_ecdsa_nistp384.pem"
+CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+
+# IMPORTANT: ONLY VIRTUAL eFuse MODE!
+CONFIG_EFUSE_VIRTUAL=y
+CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y

examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2_ecdsa_p384.esp32c5

@@ -0,0 +1,18 @@
+# SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH
+
+CONFIG_IDF_TARGET="esp32c5"
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y
+CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key_ecdsa_nistp384.pem"
+CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y
+
+# IMPORTANT: ONLY VIRTUAL eFuse MODE!
+CONFIG_EFUSE_VIRTUAL=y
+CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y

examples/system/efuse/test/secure_boot_signing_key_ecdsa_nistp384.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDC/5UVo7tqYLt17BnN85NRhMRakLUYNrxCEb0nA5bN5WzpILMqCFkjzWWyC6FkeK02g
+BwYFK4EEACKhZANiAAQPbOGJCBJtR6oB29nt6BP+JeMc4+KUkJbusFDT26arFZwcsDEZ/m+GatAl
+GmlOuNGa4F4fJDjSsuz0ejKK4LQ1DliDopGmieIUWPCEScVZNu9DX2PuGC8NIyMU9Ry4Poc=
+-----END EC PRIVATE KEY-----