From e46313568bb0a748343fe62b5dc8a879ea0216af Mon Sep 17 00:00:00 2001
From: Mahavir Jain <mahavir@espressif.com>
Date: Mon, 1 Sep 2025 11:00:48 +0530
Subject: [PATCH 1/2] fix(bootloader): correct encryption length for secure
 update without secure boot

For secure update without secure boot case, the encryption length for
app image must consider signature block length as well. This was
correctly handled for secure boot case but not for secure update without
secure boot.
---
 components/bootloader/Kconfig.projbuild         |  2 +-
 .../include/esp_secure_boot.h                   | 17 +++++++++++++++++
 .../src/flash_encryption/flash_encrypt.c        |  4 ++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index fdd30c9223..19e5108f85 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -1058,7 +1058,7 @@ menu "Security features"
     endmenu  # Potentially Insecure
 
     config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
-        bool "Encrypt only the app image that is present in the partition of type app"
+        bool "Encrypt contents upto app image length in app partition"
         depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
         default y
         help
diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index 99b2fbd45e..aa1d738a9f 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@@ -225,6 +225,23 @@ typedef struct {
     uint8_t signature[64];
 } esp_secure_boot_sig_block_t;
 
+/** @brief Get the size of the secure boot signature block
+ *
+ * This is the size of the signature block appended to a signed image.
+ *
+ * @return Size of the secure boot signature block in bytes
+ */
+static inline uint32_t esp_secure_boot_sig_block_size()
+{
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+    return sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+    return sizeof(esp_secure_boot_sig_block_t);
+#else
+    return 0;
+#endif
+}
+
 /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
  *
  *  Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature
diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
index 3b6acf0048..6d3ca7bc8c 100644
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -428,6 +428,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
         if (partition->type == PART_TYPE_APP && should_encrypt) {
             // Encrypt only the app image instead of encrypting the whole partition
             size = image_data.image_len;
+#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+            // If secure update without secure boot, also encrypt the signature block
+            size += esp_secure_boot_sig_block_size();
+#endif
         }
 #endif
     } else if (partition->type == PART_TYPE_PARTITION_TABLE) {

From a148c61bef3717ecb4dcaa63398bd5ff1a2e8e94 Mon Sep 17 00:00:00 2001
From: Mahavir Jain <mahavir@espressif.com>
Date: Tue, 2 Sep 2025 12:06:55 +0530
Subject: [PATCH 2/2] test: add test case for secure update with FE case

---
 .../pytest_signed_app_no_secure_boot.py       | 11 +++++-
 .../sdkconfig.ci.secure_update_with_fe        |  4 ++
 .../secure_boot_signing_key.pem               | 39 +++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe
 create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem

diff --git a/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
index 9a73e10e26..dedbc9b8da 100644
--- a/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
+++ b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Unlicense OR CC0-1.0
+
 import pytest
 from pytest_embedded import Dut
 from pytest_embedded_idf.utils import idf_parametrize
@@ -9,6 +10,14 @@ from pytest_embedded_idf.utils import idf_parametrize
 @idf_parametrize('target', ['esp32c2', 'esp32c3'], indirect=['target'])
 def test_examples_security_on_update_no_secure_boot(dut: Dut) -> None:
     dut.expect(
-        "This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.",
+        "This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.",  # noqa : E501
         timeout=10,
     )
+
+
+@pytest.mark.host_test
+@pytest.mark.qemu
+@pytest.mark.parametrize('config', ['secure_update_with_fe'], indirect=True)
+@idf_parametrize('target', ['esp32c3'], indirect=['target'])
+def test_examples_secure_update_with_fe_qemu(dut: Dut) -> None:
+    dut.expect('Example for secured signed with no secure boot', timeout=60)
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe
new file mode 100644
index 0000000000..8bddc8f2eb
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe
@@ -0,0 +1,4 @@
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
+CONFIG_PARTITION_TABLE_OFFSET=0xc000
+CONFIG_NVS_ENCRYPTION=n
diff --git a/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem b/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem
new file mode 100644
index 0000000000..b69b91c5c3
--- /dev/null
+++ b/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEA5sRBdVlob0RWwRsBYrGrMmdhIbam45boFbD/1skxb7lRhJjE
+pStZ5DVhtQWVAsqTKkY/QH0zzRBBSfdnsneBAc3yFBTBrMPBQitOvg2UK5rx3jJ2
+dD3hpFG5QZPzmB48ZBmsnmMILLgSMwraAPwkbA4qU2TAeCkAE5WVH3w2m1n95sze
+gbxZamLbaPj5DedT5yqIjWK4NecTlr7VXFTXWzzAfb+hQtzBN1RmemvbhCgSksAS
+4huoLAZ6iwpEyuACj4pNmFMyQJQ4PPr54mUkL+btMSTbkOZdMbIrXR/FePvFU/Ug
+zu9u3QvGm/u2tmpp2Lo/hDgJOhcS4bQjLk7R6Ynq+pi6zQuqpRSCoMEuSzth+yQr
+rMCox8lvHgALpc/G8ZbI1bZN0UybmqBBQ5p5FVf9xfNwnt/tuyFV4QDjaRrCcJ1y
+FTrMG/+aSM8de4TuxWC3dImfCrVQf/ncB+Y5rL+h3lo9Viozd+bBy79jACjpkwbY
+o9GINr26F3GcK/ShAgMBAAECggGADvNsIkQ2pe7RiBVN060bIFreSibhTSF7y9v5
+11qVn11sUKDtLJ5QZp6mw+mmq9WgDz8Z3f2+m2yQLlCfIUroyssjAfYOTjkojjbs
+FRggH2scfH7cec+AjPrWe88wGwzqcLnRGznjT7JlS3VKhoHPgkiwqVJ/vck6PgqU
+7MNJbms4Lfnb+J/RUzkwae6nhCUWpIV272IT+ToNZNjcTe0ZPsoC1qLRudk/k2we
+b5QJVtiZy3QyRP/xt1h8HAIATvyQTmcdubE3cC0waEINI1jJdGJwJQ66LPJpx5ov
+s+ldjDdkJi/E8fNrnrn/WIWKwAXctg8VaIHj++WVJ0f9hmZ/bBNRJbFh4LpVKRY5
+oU1XCC9b2edbQbhWLsG19E0XJ+c5i8UY8uIH6DC9QCK28I/eYxA1RoDUt1st06CW
+hZT3INFqQ+1mbbff3pm0+kDNxne/PhR7bNApzF/3Fa33v9d0iEfKviEUhCtM4rzD
+SVMGTGOAXuAS5RCBAYzTEPrp8UCBAoHBAPluD2o33eEQ5MOm9WoTYLFKKLS/l91B
+wHmwY9m53YiMBxLgYrJ9oQOTEApAY5B4G1BxidvhehAMd51iK03W/YkZhy3ZhUTJ
+DC29upFPCsS1On1kUC9doyuSgILt3zLZVW98RX6PM7LCLR+jSJPYJQ13xlBRe2Dc
+pHpkr0vwtUR35D1EKV2cXFJZLDzj1xAIFNqiv6591J7xzehzBEyP56lar/oeqsvv
+w7SWsU4rF6E8Os3gvlTRV5QgnBZEUTTZaQKBwQDs2Fio7NYofSQeI5Q+FPDiV4U1
+rkOZzXJFsf6dQl3GaqgXmuJsfYbRDcAvSBcfo6RFu+ZHEa0U9yEQKK4OSeXTrD8U
+0wLCfVmlzQf/l0Iutxv1qGTkB0NnZ7nKCSmdoGErXWTVdz4pHPmU6nUNZ3ih02oP
+2nA6CjVtsJVUGWwi6k8bX2mRvLpmjjfJP82EmRXbkKh4xseddWd7Xf/G9hJcXaXt
+piE8dmyBQP1u2WluffDT1VNGt3k5O8TIvqlfYnkCgcEA66MfKvB2S35jL7bV2A1Q
+ZoyxoffyZxML26pY2kKt16a5tAqJEyh96VuQZq7noH7nBvsMCs6bOvgcNHGeiV3W
+jSOxwg3hydbJC5lW3Jm4iZbQF8+htO2YDbzMbWR9XJNXFAhpuqNcar7oVCA0m38x
+meSSVCR2E06+j+X4eRyAkptU4tA25/mkeiNGGIwCC2InGVlxDk5PhIzZQoUOBapZ
+Z3OGFhvMrPbogv1tqXQqUacNwptUE9rlCso3yw1lTjEpAoHBAJ2CQ3QUDVhf4OUq
+RCwFQS1FhxFsEwj12EkBVpK+0B5kT+Vi27HKyR2+R1EqYDZqXZUCoOIinziSISrd
+4uMdwfpDUrBGpE8zjar175vKu/jVTYLRukbrjaf3E1eJQGPThMuSELzl0DEHU/P0
++GMxrMfyEVb5rijrIR0Rkj2bqo6NxI4vpcWF/XC2o+Lyy3qjVCXwzhmEGLxel7Mz
+kCaA/zTuEqs5EGFlYEOVNPXDIJqaps450Gf3HGczmGroYTtOAQKBwCzmQn+pONYM
+zg8FGbRafACNucw4vuiVgMvWtREgZuGFyQ9UKiaPLjvQl6xR/1jZXA0nD8ApjZwK
+KOoKgzZD1XfiGjpuA6Ift2UuPDdq4NnI8orPfFCZRXmqBFzpByFx7XZLtKEtYm5w
+r4WHCqQMLSYufS77FClcuWOfyx08iaqONLNQLLps1HJ0ydCPWKObhL+iKlzapEMh
+6aAMN/0YR2Fw3+5Cz4Zsn+pe/N6/rqoCVMxS5vsgbmIAZ6537ENMwA==
+-----END RSA PRIVATE KEY-----