From f1ac614c06e49fd4d312b229fa129291c5e56cd2 Mon Sep 17 00:00:00 2001 From: muhaidong Date: Tue, 19 Aug 2025 19:26:09 +0800 Subject: [PATCH 1/5] fix(wifi): fix ersu compatibility issue --- components/esp_rom/esp32c5/ld/esp32c5.rom.net80211.ld | 2 +- components/esp_rom/esp32c61/ld/esp32c61.rom.net80211.ld | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/components/esp_rom/esp32c5/ld/esp32c5.rom.net80211.ld b/components/esp_rom/esp32c5/ld/esp32c5.rom.net80211.ld index 6f9bde7677..b10a95bf25 100644 --- a/components/esp_rom/esp32c5/ld/esp32c5.rom.net80211.ld +++ b/components/esp_rom/esp32c5/ld/esp32c5.rom.net80211.ld @@ -40,7 +40,7 @@ ieee80211_ampdu_start_age_timer = 0x40000b5c; ieee80211_is_tx_allowed = 0x40000b64; ieee80211_output_pending_eb = 0x40000b68; ieee80211_output_process = 0x40000b6c; -ieee80211_set_tx_desc = 0x40000b70; +/*ieee80211_set_tx_desc = 0x40000b70;*/ ieee80211_classify = 0x40000b74; ieee80211_copy_eb_header = 0x40000b78; ieee80211_recycle_cache_eb = 0x40000b7c; diff --git a/components/esp_rom/esp32c61/ld/esp32c61.rom.net80211.ld b/components/esp_rom/esp32c61/ld/esp32c61.rom.net80211.ld index 7f390abb9a..93c0457081 100644 --- a/components/esp_rom/esp32c61/ld/esp32c61.rom.net80211.ld +++ b/components/esp_rom/esp32c61/ld/esp32c61.rom.net80211.ld @@ -36,7 +36,7 @@ ieee80211_ampdu_start_age_timer = 0x40000ac4; ieee80211_is_tx_allowed = 0x40000acc; ieee80211_output_pending_eb = 0x40000ad0; ieee80211_output_process = 0x40000ad4; -ieee80211_set_tx_desc = 0x40000ad8; +/*ieee80211_set_tx_desc = 0x40000ad8;*/ ieee80211_classify = 0x40000adc; ieee80211_copy_eb_header = 0x40000ae0; ieee80211_recycle_cache_eb = 0x40000ae4; From 7538ae7052cb04d9dc20d1aa8e49a1b6963b6ef4 Mon Sep 17 00:00:00 2001 From: muhaidong Date: Wed, 20 Aug 2025 19:52:49 +0800 Subject: [PATCH 2/5] fix(ci): increased app partition size in mqtt5 example --- examples/protocols/mqtt5/sdkconfig.defaults | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/protocols/mqtt5/sdkconfig.defaults b/examples/protocols/mqtt5/sdkconfig.defaults index db60a2ab38..e344845e87 100644 --- a/examples/protocols/mqtt5/sdkconfig.defaults +++ b/examples/protocols/mqtt5/sdkconfig.defaults @@ -1 +1,2 @@ CONFIG_MQTT_PROTOCOL_5=y +CONFIG_PARTITION_TABLE_SINGLE_APP_LARGE=y From d8eae6c80df11358a159e74c9e3b56a565a4b8ed Mon Sep 17 00:00:00 2001 From: muhaidong Date: Thu, 21 Aug 2025 10:11:09 +0800 Subject: [PATCH 3/5] fix(ci): increase the bin size of esp-mqtt ssl example with psk verification --- examples/protocols/mqtt/ssl_psk/sdkconfig.defaults | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/protocols/mqtt/ssl_psk/sdkconfig.defaults b/examples/protocols/mqtt/ssl_psk/sdkconfig.defaults index 1df83e8f39..40bed90325 100644 --- a/examples/protocols/mqtt/ssl_psk/sdkconfig.defaults +++ b/examples/protocols/mqtt/ssl_psk/sdkconfig.defaults @@ -1 +1,2 @@ CONFIG_ESP_TLS_PSK_VERIFICATION=y +CONFIG_PARTITION_TABLE_SINGLE_APP_LARGE=y From b0713ffe0823f368e25c6c48823e92fbc7aa03d7 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Mon, 1 Sep 2025 11:00:48 +0530 Subject: [PATCH 4/5] fix(bootloader): correct encryption length for secure update without secure boot For secure update without secure boot case, the encryption length for app image must consider signature block length as well. This was correctly handled for secure boot case but not for secure update without secure boot. --- components/bootloader/Kconfig.projbuild | 2 +- .../include/esp_secure_boot.h | 17 +++++++++++++++++ .../src/flash_encryption/flash_encrypt.c | 4 ++++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index c902e7ff87..65a53d9c91 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -1051,7 +1051,7 @@ menu "Security features" endmenu # Potentially Insecure config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART - bool "Encrypt only the app image that is present in the partition of type app" + bool "Encrypt contents upto app image length in app partition" depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED default y help diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h index 5888e8c3ac..4b7294d53a 100644 --- a/components/bootloader_support/include/esp_secure_boot.h +++ b/components/bootloader_support/include/esp_secure_boot.h @@ -225,6 +225,23 @@ typedef struct { uint8_t signature[64]; } esp_secure_boot_sig_block_t; +/** @brief Get the size of the secure boot signature block + * + * This is the size of the signature block appended to a signed image. + * + * @return Size of the secure boot signature block in bytes + */ +static inline uint32_t esp_secure_boot_sig_block_size(void) +{ +#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME + return sizeof(ets_secure_boot_signature_t); +#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME) + return sizeof(esp_secure_boot_sig_block_t); +#else + return 0; +#endif +} + /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1. * * Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 3b6acf0048..6d3ca7bc8c 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -428,6 +428,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit if (partition->type == PART_TYPE_APP && should_encrypt) { // Encrypt only the app image instead of encrypting the whole partition size = image_data.image_len; +#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT + // If secure update without secure boot, also encrypt the signature block + size += esp_secure_boot_sig_block_size(); +#endif } #endif } else if (partition->type == PART_TYPE_PARTITION_TABLE) { From 9c257c4f0ba80990cf39ef0c33d3bb8e336482f2 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Tue, 2 Sep 2025 12:06:55 +0530 Subject: [PATCH 5/5] test: add test case for secure update with FE case --- .../pytest_signed_app_no_secure_boot.py | 11 +++++- .../sdkconfig.ci.secure_update_with_fe | 4 ++ .../secure_boot_signing_key.pem | 39 +++++++++++++++++++ 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe create mode 100644 tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem diff --git a/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py index 9a73e10e26..dedbc9b8da 100644 --- a/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py +++ b/tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD # SPDX-License-Identifier: Unlicense OR CC0-1.0 + import pytest from pytest_embedded import Dut from pytest_embedded_idf.utils import idf_parametrize @@ -9,6 +10,14 @@ from pytest_embedded_idf.utils import idf_parametrize @idf_parametrize('target', ['esp32c2', 'esp32c3'], indirect=['target']) def test_examples_security_on_update_no_secure_boot(dut: Dut) -> None: dut.expect( - "This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.", + "This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.", # noqa : E501 timeout=10, ) + + +@pytest.mark.host_test +@pytest.mark.qemu +@pytest.mark.parametrize('config', ['secure_update_with_fe'], indirect=True) +@idf_parametrize('target', ['esp32c3'], indirect=['target']) +def test_examples_secure_update_with_fe_qemu(dut: Dut) -> None: + dut.expect('Example for secured signed with no secure boot', timeout=60) diff --git a/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe new file mode 100644 index 0000000000..8bddc8f2eb --- /dev/null +++ b/tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.ci.secure_update_with_fe @@ -0,0 +1,4 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y +CONFIG_PARTITION_TABLE_OFFSET=0xc000 +CONFIG_NVS_ENCRYPTION=n diff --git a/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem b/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem new file mode 100644 index 0000000000..b69b91c5c3 --- /dev/null +++ b/tools/test_apps/security/signed_app_no_secure_boot/secure_boot_signing_key.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEA5sRBdVlob0RWwRsBYrGrMmdhIbam45boFbD/1skxb7lRhJjE +pStZ5DVhtQWVAsqTKkY/QH0zzRBBSfdnsneBAc3yFBTBrMPBQitOvg2UK5rx3jJ2 +dD3hpFG5QZPzmB48ZBmsnmMILLgSMwraAPwkbA4qU2TAeCkAE5WVH3w2m1n95sze +gbxZamLbaPj5DedT5yqIjWK4NecTlr7VXFTXWzzAfb+hQtzBN1RmemvbhCgSksAS +4huoLAZ6iwpEyuACj4pNmFMyQJQ4PPr54mUkL+btMSTbkOZdMbIrXR/FePvFU/Ug +zu9u3QvGm/u2tmpp2Lo/hDgJOhcS4bQjLk7R6Ynq+pi6zQuqpRSCoMEuSzth+yQr +rMCox8lvHgALpc/G8ZbI1bZN0UybmqBBQ5p5FVf9xfNwnt/tuyFV4QDjaRrCcJ1y +FTrMG/+aSM8de4TuxWC3dImfCrVQf/ncB+Y5rL+h3lo9Viozd+bBy79jACjpkwbY +o9GINr26F3GcK/ShAgMBAAECggGADvNsIkQ2pe7RiBVN060bIFreSibhTSF7y9v5 +11qVn11sUKDtLJ5QZp6mw+mmq9WgDz8Z3f2+m2yQLlCfIUroyssjAfYOTjkojjbs +FRggH2scfH7cec+AjPrWe88wGwzqcLnRGznjT7JlS3VKhoHPgkiwqVJ/vck6PgqU +7MNJbms4Lfnb+J/RUzkwae6nhCUWpIV272IT+ToNZNjcTe0ZPsoC1qLRudk/k2we +b5QJVtiZy3QyRP/xt1h8HAIATvyQTmcdubE3cC0waEINI1jJdGJwJQ66LPJpx5ov +s+ldjDdkJi/E8fNrnrn/WIWKwAXctg8VaIHj++WVJ0f9hmZ/bBNRJbFh4LpVKRY5 +oU1XCC9b2edbQbhWLsG19E0XJ+c5i8UY8uIH6DC9QCK28I/eYxA1RoDUt1st06CW +hZT3INFqQ+1mbbff3pm0+kDNxne/PhR7bNApzF/3Fa33v9d0iEfKviEUhCtM4rzD +SVMGTGOAXuAS5RCBAYzTEPrp8UCBAoHBAPluD2o33eEQ5MOm9WoTYLFKKLS/l91B +wHmwY9m53YiMBxLgYrJ9oQOTEApAY5B4G1BxidvhehAMd51iK03W/YkZhy3ZhUTJ +DC29upFPCsS1On1kUC9doyuSgILt3zLZVW98RX6PM7LCLR+jSJPYJQ13xlBRe2Dc +pHpkr0vwtUR35D1EKV2cXFJZLDzj1xAIFNqiv6591J7xzehzBEyP56lar/oeqsvv +w7SWsU4rF6E8Os3gvlTRV5QgnBZEUTTZaQKBwQDs2Fio7NYofSQeI5Q+FPDiV4U1 +rkOZzXJFsf6dQl3GaqgXmuJsfYbRDcAvSBcfo6RFu+ZHEa0U9yEQKK4OSeXTrD8U +0wLCfVmlzQf/l0Iutxv1qGTkB0NnZ7nKCSmdoGErXWTVdz4pHPmU6nUNZ3ih02oP +2nA6CjVtsJVUGWwi6k8bX2mRvLpmjjfJP82EmRXbkKh4xseddWd7Xf/G9hJcXaXt +piE8dmyBQP1u2WluffDT1VNGt3k5O8TIvqlfYnkCgcEA66MfKvB2S35jL7bV2A1Q +ZoyxoffyZxML26pY2kKt16a5tAqJEyh96VuQZq7noH7nBvsMCs6bOvgcNHGeiV3W +jSOxwg3hydbJC5lW3Jm4iZbQF8+htO2YDbzMbWR9XJNXFAhpuqNcar7oVCA0m38x +meSSVCR2E06+j+X4eRyAkptU4tA25/mkeiNGGIwCC2InGVlxDk5PhIzZQoUOBapZ +Z3OGFhvMrPbogv1tqXQqUacNwptUE9rlCso3yw1lTjEpAoHBAJ2CQ3QUDVhf4OUq +RCwFQS1FhxFsEwj12EkBVpK+0B5kT+Vi27HKyR2+R1EqYDZqXZUCoOIinziSISrd +4uMdwfpDUrBGpE8zjar175vKu/jVTYLRukbrjaf3E1eJQGPThMuSELzl0DEHU/P0 ++GMxrMfyEVb5rijrIR0Rkj2bqo6NxI4vpcWF/XC2o+Lyy3qjVCXwzhmEGLxel7Mz +kCaA/zTuEqs5EGFlYEOVNPXDIJqaps450Gf3HGczmGroYTtOAQKBwCzmQn+pONYM +zg8FGbRafACNucw4vuiVgMvWtREgZuGFyQ9UKiaPLjvQl6xR/1jZXA0nD8ApjZwK +KOoKgzZD1XfiGjpuA6Ift2UuPDdq4NnI8orPfFCZRXmqBFzpByFx7XZLtKEtYm5w +r4WHCqQMLSYufS77FClcuWOfyx08iaqONLNQLLps1HJ0ydCPWKObhL+iKlzapEMh +6aAMN/0YR2Fw3+5Cz4Zsn+pe/N6/rqoCVMxS5vsgbmIAZ6537ENMwA== +-----END RSA PRIVATE KEY-----