From c19e1b8f72160da5370cbc013b83774d5ecaf6eb Mon Sep 17 00:00:00 2001 From: Harshit Malpani Date: Fri, 15 Sep 2023 17:25:10 +0530 Subject: [PATCH 1/3] fix(bootloader_support): Fix condition for SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT Fix the condition to verify the image when SECURE_SIGNED_APPS_ECDSA_V2_SCHEME and SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT are selected. --- components/bootloader_support/src/secure_boot.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c index 5e9b8832fc..9015bdfd5a 100644 --- a/components/bootloader_support/src/secure_boot.c +++ b/components/bootloader_support/src/secure_boot.c @@ -144,9 +144,9 @@ static esp_err_t secure_boot_v2_check(bool *need_fix) #endif #endif // CONFIG_SECURE_BOOT -#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT +#if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT -static void rsa_check_signature_on_update_check(void) +static void check_signature_on_update_check(void) { // We rely on the keys used to sign this app to verify the next app on OTA, so make sure there is at // least one to avoid a stuck firmware @@ -164,7 +164,7 @@ static void rsa_check_signature_on_update_check(void) } #endif } -#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT +#endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT void esp_secure_boot_init_checks(void) { 
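Review bot: The renamed `check_signature_on_update_check` stutters ("check … check") now that the RSA prefix is gone; a name that states what is checked, e.g. `signed_app_check_signature_on_update` (constructed), would read better and the call in the `esp_secure_boot_init_checks` hunk would follow. The three-term preprocessor condition is now spelled out verbatim in this hunk's `#if`, in the `#endif` comment of the next hunk, and again around the call in the last hunk of this file; keeping three copies in sync by hand is the kind of thing that drifts when a further signing scheme is added, so collapsing it into one macro defined once near the top of the file would be worth the small change. The function body and the preceding `secure_boot_v2_check` start or end outside the hunk, so whether the ECDSA V2 path counts signature blocks the same way the RSA path does cannot be confirmed from here.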
@@ -184,9 +184,9 @@ void esp_secure_boot_init_checks(void) #endif // CONFIG_SECURE_BOOT -#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT - rsa_check_signature_on_update_check(); -#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT +#if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT + check_signature_on_update_check(); +#endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT } From 7c2df01af2db184ef10b9bd7e5daf92bf9f0ab06 Mon Sep 17 00:00:00 2001 From: Harshit Malpani Date: Mon, 18 Sep 2023 17:38:09 +0530 Subject: [PATCH 2/3] fix(bootloader): Update kconfig option --- components/bootloader/Kconfig.projbuild | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index d376f4f1a2..b1c291c624 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -709,14 +709,12 @@ menu "Security features" config SECURE_BOOT_VERIFICATION_KEY string "Secure boot public signature verification key" - depends on SECURE_SIGNED_APPS && !SECURE_BOOT_BUILD_SIGNED_BINARIES && !SECURE_SIGNED_APPS_RSA_SCHEME + depends on SECURE_SIGNED_APPS && SECURE_SIGNED_APPS_ECDSA_SCHEME && !SECURE_BOOT_BUILD_SIGNED_BINARIES default "signature_verification_key.bin" help Path to a public key file used to verify signed images. Secure Boot V1: This ECDSA public key is compiled into the bootloader and/or app, to verify app images. - Secure Boot V2: This RSA public key is compiled into the signature block at - the end of the bootloader/app. Key file is in raw binary format, and can be extracted from a PEM formatted private key using the espsecure.py From 7d98bdd495efae8af993330a3059f059250cf1ba Mon Sep 17 00:00:00 2001 
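Review bot: The prompt `"Secure boot public signature verification key"` and the first help sentence still describe the option generically, while the new `depends on` restricts it to the Secure Boot V1 ECDSA scheme; stating that up front, e.g. `Path to a public key file used to verify signed images (Secure Boot V1 / ECDSA scheme only).`, saves users of the V2 schemes from looking for this option. If `SECURE_SIGNED_APPS_ECDSA_SCHEME` already depends on `SECURE_SIGNED_APPS`, the first term of the new condition is redundant, though harmless. The help text continues past the end of the hunk.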
From: Harshit Malpani
Date: Mon, 18 Sep 2023 17:53:43 +0530
Subject: [PATCH 3/3] feat: Add test app to verify SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT

Add a test app to verify the working of the application when SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT is selected in the menuconfig and the application is not signed
---
 tools/test_apps/.build-test-rules.yml | 6 ++++++
 .../signed_app_no_secure_boot/CMakeLists.txt | 7 +++++++
 .../security/signed_app_no_secure_boot/README.md | 11 +++++++++++
 .../signed_app_no_secure_boot/main/CMakeLists.txt | 2 ++
 .../signed_app_no_secure_boot/main/main.c | 15 +++++++++++++++
 .../pytest_signed_app_no_secure_boot.py | 12 ++++++++++++
 .../signed_app_no_secure_boot/sdkconfig.defaults | 8 ++++++++
 7 files changed, 61 insertions(+)
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/CMakeLists.txt
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/README.md
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/main/CMakeLists.txt
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/main/main.c
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.defaults

diff --git a/tools/test_apps/.build-test-rules.yml b/tools/test_apps/.build-test-rules.yml
index 39cadd6f2a..e41802b864 100644
--- a/tools/test_apps/.build-test-rules.yml
+++ b/tools/test_apps/.build-test-rules.yml
@@ -68,6 +68,12 @@ tools/test_apps/security/secure_boot:
     - if: IDF_ENV_FPGA != 1
       reason: the test can only run on an FPGA as efuses need to be reset during the test.
 
+tools/test_apps/security/signed_app_no_secure_boot:
+  enable:
+    - if: IDF_TARGET in ["esp32c2", "esp32c3"]
+      temporary: true
+      reason: No need to test on all targets
+
 tools/test_apps/system/bootloader_sections:
   disable:
     - if: IDF_TARGET == "esp32c2"
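Review bot: `temporary: true` on the new enable rule conflicts with its `reason`, "No need to test on all targets", which describes a permanent decision rather than a restriction that will be lifted; in this rules file `temporary` is meant to flag rules to revisit, so either drop `temporary: true` or give a reason that says what would lift the restriction (for example once the ECDSA V2 and RSA paths are covered on every target that supports them). Limiting the run to esp32c2 and esp32c3 presumably picks one target per signing scheme; saying so in the reason would make the coverage intent explicit.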
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/CMakeLists.txt b/tools/test_apps/security/signed_app_no_secure_boot/CMakeLists.txt
new file mode 100644
index 0000000000..09d112f667
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/CMakeLists.txt
@@ -0,0 +1,7 @@
+# The following lines of boilerplate have to be in your project's
+# CMakeLists in this exact order for cmake to work correctly
+cmake_minimum_required(VERSION 3.16)
+
+# Secure Boot not currently supported for ESP32-S2
+include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+project(secure_boot)
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/README.md b/tools/test_apps/security/signed_app_no_secure_boot/README.md
new file mode 100644
index 0000000000..7a2105fef3
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/README.md
@@ -0,0 +1,11 @@
+| Supported Targets | ESP32-C2 | ESP32-C3 |
+| ----------------- | -------- | -------- |
+
+# Secure Signed On Update No Secure Boot
+
+This examples verifies the case when CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT is selected and application is not signed. The application should abort its execution with the logs:
+
+```
+secure_boot_v2: No signatures were found for the running app
+secure_boot: This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.
+```
\ No newline at end of file
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/main/CMakeLists.txt b/tools/test_apps/security/signed_app_no_secure_boot/main/CMakeLists.txt
new file mode 100644
index 0000000000..cf2c455cb5
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/main/CMakeLists.txt
@@ -0,0 +1,2 @@
+idf_component_register(SRCS "main.c"
+                       INCLUDE_DIRS ".")
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/main/main.c b/tools/test_apps/security/signed_app_no_secure_boot/main/main.c
new file mode 100644
index 0000000000..b49cdd1ee8
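Review bot: The comment `# Secure Boot not currently supported for ESP32-S2` and `project(secure_boot)` look carried over from the secure_boot test app and do not describe this project, which builds without Secure Boot and is limited to esp32c2/esp32c3 by the build rule; drop the comment and use `project(signed_app_no_secure_boot)` so the produced binary name matches the directory and is not confused with the secure_boot app's artifact in CI.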
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/main/main.c
@@ -0,0 +1,15 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Unlicense OR CC0-1.0
+ */
+#include
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+
+#define TAG "example_secure_boot"
+
+void app_main(void)
+{
+    printf("\nExample for secured signed with no secure boot\n");
+}
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
new file mode 100644
index 0000000000..686b7cdeda
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+# SPDX-License-Identifier: Unlicense OR CC0-1.0
+
+import pytest
+from pytest_embedded import Dut
+
+
+@pytest.mark.esp32c2
+@pytest.mark.esp32c3
+@pytest.mark.generic
+def test_examples_security_on_update_no_secure_boot(dut: Dut) -> None:
+    dut.expect("This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.", timeout=10)
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.defaults b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.defaults
new file mode 100644
index 0000000000..2bab812218
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.defaults
@@ -0,0 +1,8 @@
+CONFIG_SECURE_SIGNED_ON_UPDATE=y
+CONFIG_SECURE_SIGNED_APPS=y
+CONFIG_SECURE_BOOT_V2_PREFERRED=y
+CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
+CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
+# CONFIG_SECURE_BOOT is not set
+# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is not set
+# CONFIG_SECURE_FLASH_ENC_ENABLED is not set
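Review bot: `#define TAG "example_secure_boot"` is never used (nothing in the file logs) and its value names a different example; remove it, or keep it with this app's own name if ESP_LOG output is planned. Since the README in this patch says the signature check is expected to abort before `app_main` runs, a one-line comment above `app_main` such as `/* Must never be reached: the unsigned-app check in esp_secure_boot_init_checks() aborts first. */` would tell the next reader why the banner matters. The first `#include` shows no header name in the rendered patch — presumably `<stdio.h>` lost to rendering; worth confirming the file as committed compiles.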
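Review bot: `dut.expect(...)` treats a `str` pattern as a regular expression, so the `.` characters in the message match any character and the literal sentence is not actually pinned; `dut.expect_exact(...)` matches the text verbatim and is the right call for a fixed log line. The test also stops at the warning and never confirms the abort the README describes; following it with an expectation for the abort marker the target prints (string not shown here, confirm against the panic handler output) would catch a regression where the warning is printed but the unverifiable app keeps running and reaches `app_main`.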
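Review bot: The defaults enable `CONFIG_SECURE_SIGNED_APPS` and `CONFIG_SECURE_BOOT_V2_PREFERRED` but do not pin the signing scheme, so which of the RSA or ECDSA V2 paths changed in the first patch is exercised depends on each target's default (presumably ECDSA V2 on esp32c2 and RSA on esp32c3). Selecting the scheme explicitly per target, for instance via the `sdkconfig.ci.*` files this tree uses for per-configuration CI builds, would make that coverage intentional rather than incidental and document which path each runner checks.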