espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-02 12:14:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/secure_boot_v2_ota_verification' into 'master'

Browse Source 
Secure Boot V2: Fixes the OTA regression with secure boot in ESP32-V3

Closes IDFGH-4032

See merge request espressif/esp-idf!10600
This commit is contained in:
Angus Gratton
2020-10-13 07:09:44 +08:00
parent ff8d05466e 2356be7c7a
commit af57f5f520
1 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
components/bootloader_support/src/idf/secure_boot_signatures.c
View File

@@ -206,11 +206,19 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
during boot-time verification. */ during boot-time verification. */
memset(verified_digest, 0, DIGEST_LEN); memset(verified_digest, 0, DIGEST_LEN);
/* Generating the SHA of the public key components in the signature block */
for (i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
bootloader_sha256_handle_t sig_block_sha;
sig_block_sha = bootloader_sha256_start();
bootloader_sha256_data(sig_block_sha, &sig_block->block[i].key, sizeof(sig_block->block[i].key));
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_key_digest[i]);
}
#if CONFIG_IDF_TARGET_ESP32 #if CONFIG_IDF_TARGET_ESP32
uint8_t efuse_trusted_digest[DIGEST_LEN] = {0}; uint8_t efuse_trusted_digest[DIGEST_LEN] = {0};
memcpy(efuse_trusted_digest, (uint8_t *) EFUSE_BLK2_RDATA0_REG, sizeof(efuse_trusted_digest)); memcpy(efuse_trusted_digest, (uint8_t *) EFUSE_BLK2_RDATA0_REG, sizeof(efuse_trusted_digest));
if (memcmp(efuse_trusted_digest, sig_block_key_digest, DIGEST_LEN) != 0) { if (memcmp(efuse_trusted_digest, sig_block_key_digest[0], DIGEST_LEN) != 0) {
const uint8_t zeroes[DIGEST_LEN] = {0}; const uint8_t zeroes[DIGEST_LEN] = {0};
/* Can't continue if secure boot is enabled, OR if a different digest is already written in efuse BLK2 /* Can't continue if secure boot is enabled, OR if a different digest is already written in efuse BLK2
@@ -231,14 +239,6 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
return ESP_FAIL; return ESP_FAIL;
} }
#endif /* CONFIG_IDF_TARGET_ESP32 */ #endif /* CONFIG_IDF_TARGET_ESP32 */
/* Generating the SHA of the public key components in the signature block */
for (i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
bootloader_sha256_handle_t sig_block_sha;
sig_block_sha = bootloader_sha256_start();
bootloader_sha256_data(sig_block_sha, &sig_block->block[i].key, sizeof(sig_block->block[i].key));
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_key_digest[i]);
}
#endif /* CONFIG_SECURE_BOOT_V2_ENABLED */ #endif /* CONFIG_SECURE_BOOT_V2_ENABLED */
ESP_LOGI(TAG, "Verifying with RSA-PSS..."); ESP_LOGI(TAG, "Verifying with RSA-PSS...");