From 52c9c342bdbf63d5b94fffc81866d6cac44c6704 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Wed, 2 Aug 2023 19:22:34 +0530
Subject: [PATCH] fix(secure_ota): secure app verification issue without padding bytes
For the following configuration case:
- CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
- CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
- CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION
verification of the application was failing because the externally padded bytes were not considered in the hash (checksum) process.
This commit fixes the problem by enabling relevant code for secure OTA without secure boot case.
Closes https://github.com/espressif/esp-idf/issues/11995
---
 components/bootloader_support/src/esp_image_format.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c
index 67105299ff..17ee0e8a16 100644
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -860,7 +860,7 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
 bootloader_munmap(simple_hash);
 }
-#if CONFIG_SECURE_BOOT_V2_ENABLED
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
 // End of the image needs to be padded all the way to a 4KB boundary, after the simple hash
 // (for apps they are usually already padded due to --secure-pad-v2, only a problem if this option was not used.)
 uint32_t padded_end = ALIGN_UP(end, FLASH_SECTOR_SIZE);
@@ -870,7 +870,7 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
 bootloader_munmap(padding);
 end = padded_end;
 }
-#endif
+#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
 bootloader_sha256_finish(sha_handle, image_digest);
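Review bot: The widened guard in the first hunk also enables the padding hash for `CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME`, but the commit message describes only the RSA failure and the diffstat shows one changed file, so neither scheme gets a regression test for the signed-on-update, no-secure-boot configuration. The comment under the `#if` still explains the padding only in terms of `--secure-pad-v2`; consider extending it with `// Also applies to signed app verification without secure boot: the bytes up to the 4KB boundary must be part of the digest.` The lines between the two hunks that map and hash the padding are not visible here, and `verify_secure_boot_signature` starts and ends outside both hunks. It is therefore worth confirming that the read up to `padded_end` stays inside the partition being verified now that this path runs in more configurations.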