From ec588172ed5a85ba246d2708258347c55fd094ff Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Mon, 1 Sep 2025 11:00:48 +0530
Subject: [PATCH] fix(bootloader): correct encryption length for secure update without secure boot

For secure update without secure boot case, the encryption length for app image must consider signature block length as well. This was correctly handled for secure boot case but not for secure update without secure boot.
---
 components/bootloader/Kconfig.projbuild | 2 +-
 .../include/esp_secure_boot.h | 17 +++++++++++++++++
 .../src/flash_encryption/flash_encrypt.c | 4 ++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index a53b68e388..e05d386acd 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -1111,7 +1111,7 @@ menu "Security features"
 endmenu # Potentially Insecure
 
 config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
- bool "Encrypt only the app image that is present in the partition of type app"
+ bool "Encrypt contents upto app image length in app partition"
 depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
 default y
 help
diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index 465c7368d5..ec0caabf19 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
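Review bot: The new prompt string `bool "Encrypt contents upto app image length in app partition"` carries a spelling error that will be shown verbatim in menuconfig; `upto` should be `up to`, i.e. `bool "Encrypt contents up to app image length in app partition"`. The option's help text sits below the hunk, so it cannot be seen here whether it already states that, for signed-on-update builds, the encrypted length now extends over the signature block as well; if it does not, a sentence there saying so would keep the option's description in step with the code change in flash_encrypt.c.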
@@ -196,6 +196,23 @@ typedef struct {
 uint8_t signature[64];
 } esp_secure_boot_sig_block_t;
 
+/** @brief Get the size of the secure boot signature block
+ *
+ * This is the size of the signature block appended to a signed image.
+ *
+ * @return Size of the secure boot signature block in bytes
+ */
+static inline uint32_t esp_secure_boot_sig_block_size(void)
+{
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+ return sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+ return sizeof(esp_secure_boot_sig_block_t);
+#else
+ return 0;
+#endif
+}
+
 /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
 *
 * Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature
diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
index 85697dbeb3..4bc91a03ec 100644
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -437,6 +437,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
 if (should_encrypt) {
 // Encrypt only the app image instead of encrypting the whole partition
 size = image_data.image_len;
+#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+ // If secure update without secure boot, also encrypt the signature block
+ size += esp_secure_boot_sig_block_size();
+#endif
 }
 #endif
 } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
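Review bot: The preprocessor tests inside `esp_secure_boot_sig_block_size()` are written in two different styles: the first branch uses bare `#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME` while the second uses `#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)`; these only agree because an unset Kconfig bool is left undefined, so one form should be used for both, e.g. `#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME`. The `#else` branch returns 0 silently, and a caller that adds this value to an encryption length gets no indication that no signing scheme is configured, so the doc comment should state it: `@return Size of the secure boot signature block in bytes, or 0 when no signing scheme is enabled`. The first branch also relies on `ets_secure_boot_signature_t` being visible in this header, which cannot be confirmed from the hunk.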
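Review bot: The added `size += esp_secure_boot_sig_block_size();` extends the encryption length beyond `image_data.image_len` with no visible check that the result still lies within the partition; the rest of `encrypt_partition` is outside the hunk, so if no clamp against the partition size follows, an image whose signature block ends at the partition boundary could push `size` past it, and a guard such as `if (size > partition->pos.size) { size = partition->pos.size; }` (or an explicit error) before the encrypt call would make the bound explicit. The sum also assumes `image_len` already ends exactly where the signature block begins; if `image_len` is filled in before any alignment padding that precedes the block, the encrypted range still stops short of it, which is worth confirming against how the image loader computes `image_data.image_len`. The commit message says the secure boot case already accounts for the block; if that branch uses its own `sizeof`, switching it to the new helper would keep the two paths from diverging.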