secure_boot(esp32c2): Fix case when SB key is pre-loaded

2025-08-13 17:44:38 +02:00 · 2022-05-24 01:36:12 +08:00
parent 505e18237a
commit dd4642b6ba
2 changed files with 11 additions and 4 deletions
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -64,7 +64,7 @@ static esp_err_t secure_boot_v2_check(bool *need_fix)
 {
    esp_err_t err = ESP_OK;
    esp_efuse_block_t block = EFUSE_BLK_SECURE_BOOT;
-#ifndef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER
+#ifndef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
    if (esp_efuse_get_key_dis_read(block)) {
        ESP_LOGE(TAG, "eFuse BLOCK%d should be readable", block);
        abort();
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot.c
@@ -218,17 +218,24 @@ static esp_err_t check_and_generate_secure_boot_keys(const esp_image_metadata_t
                continue;
            }
 #endif
 #ifndef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
            if (esp_efuse_get_key_dis_read(blocks[i])) {
                ESP_LOGE(TAG, "Key digest (BLK%d) read protected, aborting...", blocks[i]);
                return ESP_FAIL;
            }
 #endif
            if (esp_efuse_block_is_empty(blocks[i])) {
                ESP_LOGE(TAG, "%d eFuse block is empty, aborting...", blocks[i]);
                return ESP_FAIL;
            }
            esp_efuse_set_key_dis_write(blocks[i]);
-            ret = esp_efuse_read_block(blocks[i], boot_key_digests.key_digests[boot_key_digests.num_digests], 0,
+#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
-                                            sizeof(boot_key_digests.key_digests[0]) * 8);
+            size_t offset = 128;
 #else
            size_t offset = 0;
 #endif
             ret = esp_efuse_read_block(blocks[i], boot_key_digests.key_digests[boot_key_digests.num_digests], offset,
                                            ESP_SECURE_BOOT_KEY_DIGEST_LEN * 8);
            if (ret) {
                ESP_LOGE(TAG, "Error during reading %d eFuse block (err=0x%x)", blocks[i], ret);
                return ret;
@@ -271,7 +278,7 @@ static esp_err_t check_and_generate_secure_boot_keys(const esp_image_metadata_t
        }
 #endif // SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
        for (unsigned j = 0; j < app_key_digests.num_digests; j++) {
-            if (!memcmp(boot_key_digests.key_digests[i], app_key_digests.key_digests[j], ESP_SECURE_BOOT_DIGEST_LEN)) {
+            if (!memcmp(boot_key_digests.key_digests[i], app_key_digests.key_digests[j], ESP_SECURE_BOOT_KEY_DIGEST_LEN)) {
                ESP_LOGI(TAG, "Application key(%d) matches with bootloader key(%d).", j, i);
                match = true;
            }