Merge branch 'change/add_error_logs_for_incorrect_secure_boot_key' into 'master'

change: Add error logs for secure boot scheme and key mismatch

See merge request espressif/esp-idf!31199

components/bootloader_support/include/esp_secure_boot.h

@@ -63,6 +63,42 @@ extern "C" {
 #include "esp_efuse_table.h"
 #endif
 
+/**
+ * @brief   Secure Boot Signature Block Version field
+ */
+typedef enum {
+    ESP_SECURE_BOOT_V1_ECDSA = 0,           /*!< Secure Boot v1 */
+    ESP_SECURE_BOOT_V2_RSA   = 2,           /*!< Secure Boot v2 with RSA key */
+    ESP_SECURE_BOOT_V2_ECDSA = 3,           /*!< Secure Boot v2 with ECDSA key */
+} esp_secure_boot_sig_scheme_t;
+
+#if CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V1_ECDSA
+#elif CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V2_RSA
+#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V2_ECDSA
+#endif
+
+#if CONFIG_SECURE_BOOT || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
+/** @brief Get the selected secure boot scheme key type
+ *
+ * @return key type for the selected secure boot scheme
+ */
+static inline char* esp_secure_boot_get_scheme_name(esp_secure_boot_sig_scheme_t scheme)
+{
+    switch (scheme) {
+        case ESP_SECURE_BOOT_V2_RSA:
+            return "RSA";
+        case ESP_SECURE_BOOT_V1_ECDSA:
+        case ESP_SECURE_BOOT_V2_ECDSA:
+            return "ECDSA";
+        default:
+            return "Unknown";
+    }
+}
+#endif
+
 /** @brief Is secure boot currently enabled in hardware?
  *
  * This means that the ROM bootloader code will only boot

components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c

@@ -70,7 +70,7 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig
         return ESP_FAIL;
     }
 
-    if (sig_block->version != 0) {
+    if (sig_block->version != ESP_SECURE_BOOT_SCHEME) {
         ESP_LOGE(TAG, "image has invalid signature version field 0x%08"PRIx32" (image without a signature?)", sig_block->version);
         return ESP_FAIL;
     }

components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_bootloader.c

@@ -69,7 +69,7 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig
         return ESP_FAIL;
     }
 
-    if (sig_block->version != 0) {
+    if (sig_block->version != ESP_SECURE_BOOT_SCHEME) {
         ESP_LOGE(TAG, "image has invalid signature version field 0x%08" PRIx32 " (image without a signature?)", sig_block->version);
         return ESP_FAIL;
     }

components/bootloader_support/src/secure_boot_v2/secure_boot.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */

components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c

@@ -44,6 +44,10 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
         || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
         return ESP_FAIL;
     }
+    if (block->version != ESP_SECURE_BOOT_SCHEME) {
+        ESP_LOGE(TAG, "%s signing scheme selected but signature block generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), esp_secure_boot_get_scheme_name(block->version));
+        return ESP_FAIL;
+    }
     return ESP_OK;
 }
 

components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c

@@ -61,6 +61,10 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
         || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
         return ESP_FAIL;
     }
+    if (block->version != ESP_SECURE_BOOT_SCHEME) {
+        ESP_LOGE(TAG, "%s signing scheme selected but signature block generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), esp_secure_boot_get_scheme_name(block->version));
+        return ESP_FAIL;
+    }
     return ESP_OK;
 }
 
@@ -148,9 +152,21 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
     int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest);
 #else
     ets_secure_boot_key_digests_t trusted_key_digests = {0};
+    bool valid_sig_blk = false;
     for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
+        if (sig_block->block[i].version != ESP_SECURE_BOOT_SCHEME) {
+            ESP_LOGD(TAG, "%s signing scheme selected but signature block %d generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), i, esp_secure_boot_get_scheme_name(sig_block->block[i].version));
+            continue;
+        } else {
+            valid_sig_blk = true;
+        }
         trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
     }
+    if (valid_sig_blk != true) {
+        ESP_LOGE(TAG, "No signature block generated for valid scheme");
+        ESP_LOGE(TAG, "%s signing scheme selected but no signature block for the selected scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME));
+        return ESP_FAIL;
+    }
 
     // Key revocation happens in ROM bootloader.
     // Do NOT allow key revocation while verifying application