espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-30 18:57:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/fix_condition_to_verify_when_no_SB_v5.1' into 'release/v5.1'

Browse Source 
fix(bootloader_support): Fix condition for checking signature in the application (v5.1)

See merge request espressif/esp-idf!26225
This commit is contained in:
Mahavir Jain
2023-09-27 17:20:50 +08:00
parent 86808a09f7 a4c13f156e
commit fd7f8ee8f9
2 changed files with 7 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
components/bootloader/Kconfig.projbuild
View File

@ -704,14 +704,12 @@ menu "Security features"
config SECURE_BOOT_VERIFICATION_KEY config SECURE_BOOT_VERIFICATION_KEY
string "Secure boot public signature verification key" string "Secure boot public signature verification key"
depends on SECURE_SIGNED_APPS && !SECURE_BOOT_BUILD_SIGNED_BINARIES && !SECURE_SIGNED_APPS_RSA_SCHEME depends on SECURE_SIGNED_APPS && SECURE_SIGNED_APPS_ECDSA_SCHEME && !SECURE_BOOT_BUILD_SIGNED_BINARIES
default "signature_verification_key.bin" default "signature_verification_key.bin"
help help
Path to a public key file used to verify signed images. Path to a public key file used to verify signed images.
Secure Boot V1: This ECDSA public key is compiled into the bootloader and/or Secure Boot V1: This ECDSA public key is compiled into the bootloader and/or
app, to verify app images. app, to verify app images.
Secure Boot V2: This RSA public key is compiled into the signature block at
the end of the bootloader/app.
Key file is in raw binary format, and can be extracted from a Key file is in raw binary format, and can be extracted from a
PEM formatted private key using the espsecure.py PEM formatted private key using the espsecure.py

12
components/bootloader_support/src/secure_boot.c
View File

@ -144,9 +144,9 @@ static esp_err_t secure_boot_v2_check(bool *need_fix)
#endif #endif
#endif // CONFIG_SECURE_BOOT #endif // CONFIG_SECURE_BOOT
#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT #if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
static void rsa_check_signature_on_update_check(void) static void check_signature_on_update_check(void)
{ {
// We rely on the keys used to sign this app to verify the next app on OTA, so make sure there is at // We rely on the keys used to sign this app to verify the next app on OTA, so make sure there is at
// least one to avoid a stuck firmware // least one to avoid a stuck firmware
@ -164,7 +164,7 @@ static void rsa_check_signature_on_update_check(void)
} }
#endif #endif
} }
#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT #endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
void esp_secure_boot_init_checks(void) void esp_secure_boot_init_checks(void)
{ {
@ -184,9 +184,9 @@ void esp_secure_boot_init_checks(void)
#endif // CONFIG_SECURE_BOOT #endif // CONFIG_SECURE_BOOT
#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT #if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
rsa_check_signature_on_update_check(); check_signature_on_update_check();
#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT #endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
} }