From 3ea86d53b11fb270525f87fb15f706756fc95bab Mon Sep 17 00:00:00 2001
From: Harshit Malpani
Date: Fri, 15 Sep 2023 17:25:10 +0530
Subject: [PATCH 1/2] fix(bootloader_support): Fix condition for SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT

Fix the condition to verify the image when SECURE_SIGNED_APPS_ECDSA_V2_SCHEME and SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT are selected.
---
 components/bootloader_support/src/secure_boot.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
index 5e9b8832fc..9015bdfd5a 100644
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -144,9 +144,9 @@ static esp_err_t secure_boot_v2_check(bool *need_fix)
 #endif
 #endif // CONFIG_SECURE_BOOT
-#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+#if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
-static void rsa_check_signature_on_update_check(void)
+static void check_signature_on_update_check(void)
 {
 // We rely on the keys used to sign this app to verify the next app on OTA, so make sure there is at
 // least one to avoid a stuck firmware
@@ -164,7 +164,7 @@ static void rsa_check_signature_on_update_check(void)
 }
 #endif
 }
-#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+#endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 void esp_secure_boot_init_checks(void)
 {
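Review bot: The widened guard `(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT` is now written out six times: on the `#if`, the `#endif` comment in the next hunk, and around the call in `esp_secure_boot_init_checks()`. The bug being fixed is a scheme missing from this same list, which compiled the startup check out with no diagnostic. I would define the condition once near the top of the file, for example `#define SIGNED_ON_UPDATE_KEY_CHECK ((CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT)` (the name is only a suggestion), and test it at both sites so the definition and the call cannot drift apart. The comment at the top of `check_signature_on_update_check()` could also name the schemes it covers, e.g. `// Applies to the RSA and ECDSA V2 app-signing schemes.` The body of the function lies between the first two hunks and is not visible here, so it is worth confirming that it treats ECDSA V2 signature blocks the same way as RSA ones.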
@@ -184,9 +184,9 @@ void esp_secure_boot_init_checks(void)
 #endif // CONFIG_SECURE_BOOT
-#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
- rsa_check_signature_on_update_check();
-#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+#if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+ check_signature_on_update_check();
+#endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 }
From c71801f9fa7762644cd113f21c80ecf4fb3788eb Mon Sep 17 00:00:00 2001
From: Harshit Malpani
Date: Mon, 18 Sep 2023 17:38:09 +0530
Subject: [PATCH 2/2] fix(bootloader): Update kconfig option

---
 components/bootloader/Kconfig.projbuild | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 4579fd41c9..6e776290de 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -691,14 +691,12 @@ menu "Security features"
 config SECURE_BOOT_VERIFICATION_KEY
 string "Secure boot public signature verification key"
- depends on SECURE_SIGNED_APPS && !SECURE_BOOT_BUILD_SIGNED_BINARIES && !SECURE_SIGNED_APPS_RSA_SCHEME
+ depends on SECURE_SIGNED_APPS && SECURE_SIGNED_APPS_ECDSA_SCHEME && !SECURE_BOOT_BUILD_SIGNED_BINARIES
 default "signature_verification_key.bin"
 help
 Path to a public key file used to verify signed images. Secure Boot V1: This ECDSA public key is compiled into the bootloader and/or app, to verify app images.
- Secure Boot V2: This RSA public key is compiled into the signature block at
- the end of the bootloader/app.
 Key file is in raw binary format, and can be extracted from a PEM formatted private key using the espsecure.py
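Review bot: Nothing next to the new `depends on` line in `SECURE_BOOT_VERIFICATION_KEY` says why the option is now limited to `SECURE_SIGNED_APPS_ECDSA_SCHEME`, and the help text drops its only mention of V2 without saying where a V2 key comes from instead. Going by the help text on both sides of this hunk, the V1 ECDSA scheme compiles this key file into the bootloader/app, while the removed lines place the V2 RSA key in the signature block (presumably the same holds for ECDSA V2). A comment above the dependency such as `# V1 ECDSA only: V2 schemes carry the public key in the image's signature block, not in this file` would record that and discourage turning the allow-list back into a deny-list. Because the symbol is no longer defined for ECDSA V2 builds, it is also worth confirming that no build rule or source path still reads `CONFIG_SECURE_BOOT_VERIFICATION_KEY` under that scheme.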