fix(bootloader): correct encryption length for secure update without secure boot

For secure update without secure boot case, the encryption length for app image must consider signature block length as well. This was correctly handled for secure boot case but not for secure update without secure boot.
2025-10-02 18:10:57 +02:00 · 2025-09-01 11:00:48 +05:30
parent d8eae6c80d
commit b0713ffe08
3 changed files with 22 additions and 1 deletions
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -1051,7 +1051,7 @@ menu "Security features"
    endmenu  # Potentially Insecure

    config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
-        bool "Encrypt only the app image that is present in the partition of type app"
+        bool "Encrypt contents upto app image length in app partition"
        depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
        default y
        help
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@@ -225,6 +225,23 @@ typedef struct {
    uint8_t signature[64];
 } esp_secure_boot_sig_block_t;

+/** @brief Get the size of the secure boot signature block
+ *
+ * This is the size of the signature block appended to a signed image.
+ *
+ * @return Size of the secure boot signature block in bytes
+ */
+static inline uint32_t esp_secure_boot_sig_block_size(void)
+{
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+    return sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+    return sizeof(esp_secure_boot_sig_block_t);
+#else
+    return 0;
+#endif
+}
+
 /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
 *
 *  Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -428,6 +428,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
        if (partition->type == PART_TYPE_APP && should_encrypt) {
            // Encrypt only the app image instead of encrypting the whole partition
            size = image_data.image_len;
+#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+            // If secure update without secure boot, also encrypt the signature block
+            size += esp_secure_boot_sig_block_size();
+#endif
        }
 #endif
    } else if (partition->type == PART_TYPE_PARTITION_TABLE) {