mirror of
https://github.com/espressif/esp-idf.git
synced 2025-08-05 21:54:33 +02:00
Merge branch 'bugfix/secure_boot_sig_verify' into 'master'
secure boot: Fix incorrect handling of mbedtls_ctr_drbg_seed() failure in signature verification See merge request espressif/esp-idf!14300
This commit is contained in:
@@ -182,7 +182,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
|
||||
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
|
||||
if (ret != 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned -0x%04x\n", ret);
|
||||
goto exit;
|
||||
goto exit_outer;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
|
||||
@@ -234,19 +234,19 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
|
||||
ret = mbedtls_rsa_import(&pk, &N, NULL, NULL, NULL, &e);
|
||||
if (ret != 0) {
|
||||
ESP_LOGE(TAG, "Failed mbedtls_rsa_import, err: %d", ret);
|
||||
goto exit;
|
||||
goto exit_inner;
|
||||
}
|
||||
|
||||
ret = mbedtls_rsa_complete(&pk);
|
||||
if (ret != 0) {
|
||||
ESP_LOGE(TAG, "Failed mbedtls_rsa_complete, err: %d", ret);
|
||||
goto exit;
|
||||
goto exit_inner;
|
||||
}
|
||||
|
||||
ret = mbedtls_rsa_check_pubkey(&pk);
|
||||
if (ret != 0) {
|
||||
ESP_LOGI(TAG, "Key is not an RSA key -%0x", -ret);
|
||||
goto exit;
|
||||
goto exit_inner;
|
||||
}
|
||||
|
||||
/* Signature needs to be byte swapped into BE representation */
|
||||
@@ -257,7 +257,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
|
||||
ret = mbedtls_rsa_public( &pk, sig_be, buf);
|
||||
if (ret != 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_rsa_public failed, err: %d", ret);
|
||||
goto exit;
|
||||
goto exit_inner;
|
||||
}
|
||||
|
||||
ret = mbedtls_rsa_rsassa_pss_verify( &pk, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, ESP_SECURE_BOOT_DIGEST_LEN,
|
||||
@@ -267,13 +267,14 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
|
||||
} else {
|
||||
ESP_LOGI(TAG, "Signature verified successfully!");
|
||||
}
|
||||
exit:
|
||||
exit_inner:
|
||||
mbedtls_rsa_free(&pk);
|
||||
if (ret == 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
exit_outer:
|
||||
free(sig_be);
|
||||
free(buf);
|
||||
return (ret != 0 || any_trusted_key == false) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
|
||||
|
@@ -1,5 +1,5 @@
|
||||
| Supported Targets | ESP32 |
|
||||
| ----------------- | ----- |
|
||||
| Supported Targets | ESP32 | ESP32-S2 |
|
||||
| ----------------- | ----- | -------- |
|
||||
|
||||
# Secure Boot
|
||||
|
||||
|
@@ -1,2 +1,8 @@
|
||||
idf_component_register(SRCS "secure_boot_main.c"
|
||||
INCLUDE_DIRS ".")
|
||||
|
||||
if(CONFIG_IDF_TARGET_ESP32)
|
||||
set(main_src "secure_boot_main_esp32.c")
|
||||
else()
|
||||
set(main_src "secure_boot_main.c")
|
||||
endif()
|
||||
|
||||
idf_component_register(SRCS "${main_src}" INCLUDE_DIRS ".")
|
||||
|
@@ -11,6 +11,7 @@
|
||||
#include "freertos/task.h"
|
||||
#include "soc/efuse_reg.h"
|
||||
#include "esp_efuse.h"
|
||||
#include "esp_secure_boot.h"
|
||||
#include "esp_system.h"
|
||||
#include "esp_spi_flash.h"
|
||||
#include "esp_log.h"
|
||||
@@ -36,10 +37,7 @@ static void example_print_chip_info(void)
|
||||
/* Print chip information */
|
||||
esp_chip_info_t chip_info;
|
||||
esp_chip_info(&chip_info);
|
||||
printf("This is ESP32 chip with %d CPU cores, WiFi%s%s, ",
|
||||
chip_info.cores,
|
||||
(chip_info.features & CHIP_FEATURE_BT) ? "/BT" : "",
|
||||
(chip_info.features & CHIP_FEATURE_BLE) ? "/BLE" : "");
|
||||
printf("This is %s chip with %d CPU cores\n", CONFIG_IDF_TARGET, chip_info.cores);
|
||||
|
||||
printf("silicon revision %d, ", chip_info.revision);
|
||||
|
||||
@@ -51,46 +49,23 @@ static void example_print_chip_info(void)
|
||||
|
||||
static void example_secure_boot_status(void)
|
||||
{
|
||||
uint32_t efuse_block0 = REG_READ(EFUSE_BLK0_RDATA6_REG);
|
||||
ets_secure_boot_key_digests_t trusted_keys = { 0};
|
||||
|
||||
#ifdef CONFIG_ESP32_REV_MIN_3
|
||||
uint8_t efuse_trusted_digest[DIGEST_LEN] = {0}, i;
|
||||
ESP_LOGI(TAG, "Checking for secure boot v2..");
|
||||
if(efuse_block0 & EFUSE_RD_ABS_DONE_1) {
|
||||
ESP_LOGI(TAG, "ABS_DONE_1 is set. Secure Boot V2 enabled");
|
||||
memcpy(efuse_trusted_digest, (uint8_t *)EFUSE_BLK2_RDATA0_REG, DIGEST_LEN);
|
||||
ESP_LOGI(TAG, "Reading the public key digest from BLK2.");
|
||||
for (i = 0; i < DIGEST_LEN; i++) {
|
||||
ESP_LOGI(TAG, "%02x \t", efuse_trusted_digest[i]);
|
||||
ESP_LOGI(TAG, "Checking for Secure Boot..");
|
||||
if(esp_secure_boot_enabled()) {
|
||||
ESP_LOGI(TAG, "Secure Boot is enabled");
|
||||
ESP_ERROR_CHECK( esp_secure_boot_read_key_digests(&trusted_keys) );
|
||||
|
||||
unsigned total = 0;
|
||||
for (int i = 0; i < MAX_KEY_DIGESTS; i++) {
|
||||
ESP_LOGI(TAG, "Key slot %d:", i);
|
||||
if (trusted_keys.key_digests[i]) {
|
||||
ESP_LOG_BUFFER_HEXDUMP("trusted key", trusted_keys.key_digests[i], DIGEST_LEN, ESP_LOG_INFO);
|
||||
total++;
|
||||
}
|
||||
}
|
||||
return;
|
||||
ESP_LOGI(TAG, "Total %d trusted public keys", total);
|
||||
} else {
|
||||
ESP_LOGI(TAG, "Secure boot v2 not enabled. Enable Secure Boot V2 in menuconfig, build & flash again.");
|
||||
}
|
||||
#endif
|
||||
|
||||
ESP_LOGI(TAG, "Checking for secure boot v1..");
|
||||
uint32_t dis_reg = REG_READ(EFUSE_BLK0_RDATA0_REG);
|
||||
if (efuse_block0 & EFUSE_RD_ABS_DONE_0) {
|
||||
ESP_LOGI(TAG, "ABS_DONE_0 is set. Secure Boot V1 enabled");
|
||||
#ifdef CONFIG_ESP32_REV_MIN_3
|
||||
ESP_LOGW(TAG, "This chip version supports Secure Boot V2. It is recommended to use Secure Boot V2.");
|
||||
#endif
|
||||
bool efuse_key_read_protected = dis_reg & EFUSE_RD_DIS_BLK2;
|
||||
bool efuse_key_write_protected = dis_reg & EFUSE_WR_DIS_BLK2;
|
||||
|
||||
ESP_LOGI(TAG, "Checking the integrityof the key in BLK2..");
|
||||
if (!efuse_key_read_protected) {
|
||||
ESP_LOGE(TAG, "Key is not read protected. Refusing to blow secure boot efuse.");
|
||||
return;
|
||||
}
|
||||
if (!efuse_key_write_protected) {
|
||||
ESP_LOGE(TAG, "Key is not write protected. Refusing to blow secure boot efuse.");
|
||||
return;
|
||||
}
|
||||
ESP_LOGI(TAG, "Key is read/write protected in eFuse.");
|
||||
return;
|
||||
} else {
|
||||
ESP_LOGI(TAG, "Secure Boot V1 not enabled. Enable Secure Boot in menuconfig, build & flash again.");
|
||||
ESP_LOGI(TAG, "Secure Boot not enabled. Enable Secure Boot in menuconfig, build & flash again.");
|
||||
}
|
||||
}
|
||||
|
@@ -0,0 +1,96 @@
|
||||
/* Flash encryption Example
|
||||
|
||||
This example code is in the Public Domain (or CC0 licensed, at your option.)
|
||||
|
||||
Unless required by applicable law or agreed to in writing, this
|
||||
software is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
CONDITIONS OF ANY KIND, either express or implied.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include "freertos/FreeRTOS.h"
|
||||
#include "freertos/task.h"
|
||||
#include "soc/efuse_reg.h"
|
||||
#include "esp_efuse.h"
|
||||
#include "esp_system.h"
|
||||
#include "esp_spi_flash.h"
|
||||
#include "esp_log.h"
|
||||
#include "esp_efuse_table.h"
|
||||
#include <string.h>
|
||||
|
||||
static void example_print_chip_info(void);
|
||||
static void example_secure_boot_status(void);
|
||||
|
||||
#define TAG "example_secure_boot"
|
||||
|
||||
void app_main(void)
|
||||
{
|
||||
printf("\nExample to check Secure Boot status\n");
|
||||
|
||||
example_print_chip_info();
|
||||
example_secure_boot_status();
|
||||
}
|
||||
|
||||
|
||||
static void example_print_chip_info(void)
|
||||
{
|
||||
/* Print chip information */
|
||||
esp_chip_info_t chip_info;
|
||||
esp_chip_info(&chip_info);
|
||||
printf("This is ESP32 chip with %d CPU cores, WiFi%s%s, ",
|
||||
chip_info.cores,
|
||||
(chip_info.features & CHIP_FEATURE_BT) ? "/BT" : "",
|
||||
(chip_info.features & CHIP_FEATURE_BLE) ? "/BLE" : "");
|
||||
|
||||
printf("silicon revision %d, ", chip_info.revision);
|
||||
|
||||
printf("%dMB %s flash\n", spi_flash_get_chip_size() / (1024 * 1024),
|
||||
(chip_info.features & CHIP_FEATURE_EMB_FLASH) ? "embedded" : "external");
|
||||
}
|
||||
|
||||
#define DIGEST_LEN 32
|
||||
|
||||
static void example_secure_boot_status(void)
|
||||
{
|
||||
uint32_t efuse_block0 = REG_READ(EFUSE_BLK0_RDATA6_REG);
|
||||
|
||||
#ifdef CONFIG_ESP32_REV_MIN_3
|
||||
uint8_t efuse_trusted_digest[DIGEST_LEN] = {0}, i;
|
||||
ESP_LOGI(TAG, "Checking for secure boot v2..");
|
||||
if(efuse_block0 & EFUSE_RD_ABS_DONE_1) {
|
||||
ESP_LOGI(TAG, "ABS_DONE_1 is set. Secure Boot V2 enabled");
|
||||
memcpy(efuse_trusted_digest, (uint8_t *)EFUSE_BLK2_RDATA0_REG, DIGEST_LEN);
|
||||
ESP_LOGI(TAG, "Reading the public key digest from BLK2.");
|
||||
for (i = 0; i < DIGEST_LEN; i++) {
|
||||
ESP_LOGI(TAG, "%02x \t", efuse_trusted_digest[i]);
|
||||
}
|
||||
return;
|
||||
} else {
|
||||
ESP_LOGI(TAG, "Secure boot v2 not enabled. Enable Secure Boot V2 in menuconfig, build & flash again.");
|
||||
}
|
||||
#endif
|
||||
|
||||
ESP_LOGI(TAG, "Checking for secure boot v1..");
|
||||
uint32_t dis_reg = REG_READ(EFUSE_BLK0_RDATA0_REG);
|
||||
if (efuse_block0 & EFUSE_RD_ABS_DONE_0) {
|
||||
ESP_LOGI(TAG, "ABS_DONE_0 is set. Secure Boot V1 enabled");
|
||||
#ifdef CONFIG_ESP32_REV_MIN_3
|
||||
ESP_LOGW(TAG, "This chip version supports Secure Boot V2. It is recommended to use Secure Boot V2.");
|
||||
#endif
|
||||
bool efuse_key_read_protected = dis_reg & EFUSE_RD_DIS_BLK2;
|
||||
bool efuse_key_write_protected = dis_reg & EFUSE_WR_DIS_BLK2;
|
||||
|
||||
ESP_LOGI(TAG, "Checking the integrityof the key in BLK2..");
|
||||
if (!efuse_key_read_protected) {
|
||||
ESP_LOGE(TAG, "Key is not read protected. Refusing to blow secure boot efuse.");
|
||||
return;
|
||||
}
|
||||
if (!efuse_key_write_protected) {
|
||||
ESP_LOGE(TAG, "Key is not write protected. Refusing to blow secure boot efuse.");
|
||||
return;
|
||||
}
|
||||
ESP_LOGI(TAG, "Key is read/write protected in eFuse.");
|
||||
return;
|
||||
} else {
|
||||
ESP_LOGI(TAG, "Secure Boot V1 not enabled. Enable Secure Boot in menuconfig, build & flash again.");
|
||||
}
|
||||
}
|
@@ -3,4 +3,4 @@ CONFIG_IDF_TARGET="esp32s2"
|
||||
CONFIG_SECURE_BOOT=y
|
||||
CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem"
|
||||
CONFIG_SECURE_FLASH_ENC_ENABLED=y
|
||||
SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
|
||||
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
|
||||
|
@@ -4,3 +4,6 @@
|
||||
# If you find yourself needing to edit this in the future, it's a sign the
|
||||
# bootloader is bloating out!
|
||||
CONFIG_PARTITION_TABLE_OFFSET=0xC000
|
||||
|
||||
# Maximize the number of possible build warnings
|
||||
CONFIG_COMPILER_OPTIMIZATION_PERF=y
|
||||
|
Reference in New Issue
Block a user