From a6ea9bcd411d72bc48dc884e6e1b5a4eb93aa3fa Mon Sep 17 00:00:00 2001
From: "harshal.patil" <harshal.patil@espressif.com>
Date: Thu, 27 Feb 2025 16:18:47 +0530
Subject: [PATCH] fix(secure_boot): Fix SB verification failure when sig block
 and key digest mismatch

- Secure boot V2 verification failed when multiple keys are used to sign the bootloader
  and the application is signed with a key other than the first key that is used to
  sign the bootloader.
- The issue was introduced as a regression from the commit `ff16ce43`.
- Added a QEMU test for recreating the issue.
- Made SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT independent of SECURE_BOOT_BUILD_SIGNED_BINARIES.
---
 components/bootloader/Kconfig.projbuild       |   2 +-
 .../secure_boot_signatures_bootloader.c       |   3 +-
 .../test_apps/security/.build-test-rules.yml  |   2 +-
 .../security/secure_boot/main/CMakeLists.txt  |  35 ++++++++++++++++
 .../secure_boot/main/Kconfig.projbuild        |   9 ++++
 .../secure_boot/main/secure_boot_main.c       |   9 ++++
 .../secure_boot/pytest_secure_boot.py         |  32 +++++++++++++-
 .../security/secure_boot/sdkconfig.ci.qemu    |   7 ++++
 .../secure_boot/test/esp32c3_efuses.bin       | Bin 0 -> 1024 bytes
 .../test/secure_boot_signing_key0.pem         |  39 ++++++++++++++++++
 .../test/secure_boot_signing_key1.pem         |  39 ++++++++++++++++++
 .../test/secure_boot_signing_key2.pem         |  39 ++++++++++++++++++
 12 files changed, 211 insertions(+), 5 deletions(-)
 create mode 100644 tools/test_apps/security/secure_boot/main/Kconfig.projbuild
 create mode 100644 tools/test_apps/security/secure_boot/sdkconfig.ci.qemu
 create mode 100644 tools/test_apps/security/secure_boot/test/esp32c3_efuses.bin
 create mode 100644 tools/test_apps/security/secure_boot/test/secure_boot_signing_key0.pem
 create mode 100644 tools/test_apps/security/secure_boot/test/secure_boot_signing_key1.pem
 create mode 100644 tools/test_apps/security/secure_boot/test/secure_boot_signing_key2.pem

diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 222e2ad5d4..214ad0f48e 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -764,7 +764,7 @@ menu "Security features"
 
     config SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT
         bool "Flash bootloader along with other artifacts when using the default flash command"
-        depends on SECURE_BOOT_V2_ENABLED && SECURE_BOOT_BUILD_SIGNED_BINARIES
+        depends on SECURE_BOOT_V2_ENABLED
         default n
         help
             When Secure Boot V2 is enabled, by default the bootloader is not flashed along with other artifacts
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
index a653707845..45332f9925 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
@@ -154,13 +154,12 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
     ets_secure_boot_key_digests_t trusted_key_digests = {0};
     bool valid_sig_blk = false;
     for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
+        trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
         if (sig_block->block[i].version != ESP_SECURE_BOOT_SCHEME) {
             ESP_LOGD(TAG, "%s signing scheme selected but signature block %d generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), i, esp_secure_boot_get_scheme_name(sig_block->block[i].version));
-            continue;
         } else {
             valid_sig_blk = true;
         }
-        trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
     }
     if (valid_sig_blk != true) {
         ESP_LOGE(TAG, "No signature block generated for valid scheme");
diff --git a/tools/test_apps/security/.build-test-rules.yml b/tools/test_apps/security/.build-test-rules.yml
index c015f7ea42..45e3922604 100644
--- a/tools/test_apps/security/.build-test-rules.yml
+++ b/tools/test_apps/security/.build-test-rules.yml
@@ -2,7 +2,7 @@
 
 tools/test_apps/security/secure_boot:
   disable:
-    - if: IDF_ENV_FPGA != 1
+    - if: IDF_ENV_FPGA != 1 and CONFIG_NAME != "qemu"
       reason: the test can only run on an FPGA as efuses need to be reset during the test.
 
 tools/test_apps/security/signed_app_no_secure_boot:
diff --git a/tools/test_apps/security/secure_boot/main/CMakeLists.txt b/tools/test_apps/security/secure_boot/main/CMakeLists.txt
index 609328ff5e..5201d97810 100644
--- a/tools/test_apps/security/secure_boot/main/CMakeLists.txt
+++ b/tools/test_apps/security/secure_boot/main/CMakeLists.txt
@@ -7,3 +7,38 @@ endif()
 
 idf_component_register(SRCS "${main_src}" INCLUDE_DIRS ".")
 target_compile_options(${COMPONENT_LIB} PRIVATE "-Wno-format")
+
+if(CONFIG_EXAMPLE_TARGET_QEMU)
+    set(bootloader_unsigned_bin "bootloader-unsigned.bin")
+    set(app_unsigned_bin "${PROJECT_BIN}-unsigned.bin")
+
+    add_custom_target(sign_bootloader ALL
+        COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_BINARY_DIR}/bootloader/bootloader.bin"
+        "${CMAKE_BINARY_DIR}/bootloader/${bootloader_unsigned_bin}"
+        COMMAND ${ESPSECUREPY} sign_data --version 2 --keyfile
+        ${PROJECT_DIR}/test/secure_boot_signing_key0.pem
+        ${PROJECT_DIR}/test/secure_boot_signing_key1.pem
+        ${PROJECT_DIR}/test/secure_boot_signing_key2.pem
+        -o "${CMAKE_BINARY_DIR}/bootloader/bootloader.bin"
+        "${CMAKE_BINARY_DIR}/bootloader/${bootloader_unsigned_bin}"
+        COMMAND ${CMAKE_COMMAND} -E echo "Generated signed binary image ${CMAKE_BINARY_DIR}/bootloader/bootloader.bin"
+        "from ${CMAKE_BINARY_DIR}/bootloader/${bootloader_unsigned_bin}"
+        VERBATIM
+        COMMENT "Generated the test-specific signed bootloader")
+
+    add_dependencies(sign_bootloader bootloader)
+
+    add_custom_target(sign_app ALL
+        COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_BINARY_DIR}/${PROJECT_BIN}"
+        "${CMAKE_BINARY_DIR}/${app_unsigned_bin}"
+        COMMAND ${ESPSECUREPY} sign_data --version 2 --keyfile
+        ${PROJECT_DIR}/test/secure_boot_signing_key1.pem
+        -o "${CMAKE_BINARY_DIR}/${PROJECT_BIN}"
+        "${CMAKE_BINARY_DIR}/${app_unsigned_bin}"
+        COMMAND ${CMAKE_COMMAND} -E echo "Generated signed binary image ${CMAKE_BINARY_DIR}/${PROJECT_BIN}"
+        "from ${CMAKE_BINARY_DIR}/${app_unsigned_bin}"
+        VERBATIM
+        COMMENT "Generated the test-specific signed application")
+
+    add_dependencies(sign_app app)
+endif()
diff --git a/tools/test_apps/security/secure_boot/main/Kconfig.projbuild b/tools/test_apps/security/secure_boot/main/Kconfig.projbuild
new file mode 100644
index 0000000000..471d37419a
--- /dev/null
+++ b/tools/test_apps/security/secure_boot/main/Kconfig.projbuild
@@ -0,0 +1,9 @@
+menu "Example Configuration"
+
+    config EXAMPLE_TARGET_QEMU
+        bool "Run the example tests for target QEMU"
+        default n
+        help
+            Run the example tests for target QEMU
+
+endmenu
diff --git a/tools/test_apps/security/secure_boot/main/secure_boot_main.c b/tools/test_apps/security/secure_boot/main/secure_boot_main.c
index 011b599cdc..82611c1f39 100644
--- a/tools/test_apps/security/secure_boot/main/secure_boot_main.c
+++ b/tools/test_apps/security/secure_boot/main/secure_boot_main.c
@@ -76,4 +76,13 @@ static void example_secure_boot_status(void)
     } else {
         ESP_LOGI(TAG, "Secure Boot not enabled. Enable Secure Boot in menuconfig, build & flash again.");
     }
+
+#if CONFIG_EXAMPLE_TARGET_QEMU
+    for (int i = 5; i >= 0; i--) {
+        ESP_LOGI(TAG, "Restarting in %d seconds...", i);
+        vTaskDelay(1000 / portTICK_PERIOD_MS);
+    }
+    ESP_LOGI(TAG, "Restarting now.");
+    esp_restart();
+#endif /* CONFIG_EXAMPLE_TARGET_QEMU */
 }
diff --git a/tools/test_apps/security/secure_boot/pytest_secure_boot.py b/tools/test_apps/security/secure_boot/pytest_secure_boot.py
index 6bd5ae69cd..1ebb0fcee4 100644
--- a/tools/test_apps/security/secure_boot/pytest_secure_boot.py
+++ b/tools/test_apps/security/secure_boot/pytest_secure_boot.py
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
+# SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Unlicense OR CC0-1.0
 import os
 import struct
@@ -91,6 +91,36 @@ def test_examples_security_secure_boot(dut: Dut) -> None:
     dut.burn_wafer_version()
 
 
+# Test secure boot flow.
+# Correctly signed bootloader + correctly signed app should work
+@pytest.mark.host_test
+@pytest.mark.qemu
+@pytest.mark.esp32c3
+@pytest.mark.parametrize(
+    'qemu_extra_args',
+    [
+        f'-drive file={os.path.join(os.path.dirname(__file__), "test", "esp32c3_efuses.bin")},if=none,format=raw,id=efuse '
+        '-global driver=nvram.esp32c3.efuse,property=drive,value=efuse '
+        '-global driver=timer.esp32c3.timg,property=wdt_disable,value=true',
+    ],
+    indirect=True,
+)
+@pytest.mark.parametrize('config', ['qemu'], indirect=True)
+def test_examples_security_secure_boot_qemu(dut: Dut) -> None:
+    try:
+        dut.expect('Secure Boot is enabled', timeout=10)
+        dut.expect('Restarting now.', timeout=10)
+        dut.expect('Secure Boot is enabled', timeout=10)
+
+    finally:
+        # the above example test burns the efuses, and hence the efuses file which the
+        # qemu uses to emulate the efuses, "esp32c3_efuses.bin", gets modified.
+        # Thus, restore the efuses file values back to the default ESP32C3 efuses values.
+        with open(os.path.join(os.path.dirname(__file__), 'test', 'esp32c3_efuses.bin'), 'wb') as efuse_file:
+            esp32c3_efuses = '0' * 77 + 'c' + '0' * 1970
+            efuse_file.write(bytearray.fromhex(esp32c3_efuses))
+
+
 # Test efuse key index and key block combination.
 # Any key index can be written to any key block and should work
 @pytest.mark.esp32c3
diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.qemu b/tools/test_apps/security/secure_boot/sdkconfig.ci.qemu
new file mode 100644
index 0000000000..2f609c136b
--- /dev/null
+++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.qemu
@@ -0,0 +1,7 @@
+CONFIG_IDF_TARGET="esp32c3"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n
+CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT=y
+
+CONFIG_EXAMPLE_TARGET_QEMU=y
diff --git a/tools/test_apps/security/secure_boot/test/esp32c3_efuses.bin b/tools/test_apps/security/secure_boot/test/esp32c3_efuses.bin
new file mode 100644
index 0000000000000000000000000000000000000000..bcab7e0b284aa0d9f983e70d2f633f6ea4a91269
GIT binary patch
literal 1024
XcmZP|3h)r6YE;o^2#kin&<X(nGB^MY

literal 0
HcmV?d00001

diff --git a/tools/test_apps/security/secure_boot/test/secure_boot_signing_key0.pem b/tools/test_apps/security/secure_boot/test/secure_boot_signing_key0.pem
new file mode 100644
index 0000000000..70fb9df6b8
--- /dev/null
+++ b/tools/test_apps/security/secure_boot/test/secure_boot_signing_key0.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEA1E4X2rXFWjZ96ZDvzQInTb9Of+R6cL9CPejkKi38mgDTD7T8
+t3VBD2MSrNEXk9CjjI1tbMAUQfWdthPGnPwpqWThK+OxdpHVqIHJ5IHn+3+2O9PA
+V9lV2Ls7HyX2/xpTLGD9DUTTsh0yDHnU5+LqIC3e8idL2mY/3eF5cOQDfuSQ1ifP
+T7ZjUs0MPYuiUPSwJHK2f8Sco/HzbM6MCxFUjXLMgyZ3vAdgoqlZnPffj1jIeQAL
+mj07vW1FYuRJ7RpNc7nxWs7kvE+ygFLUsnbhpreLt1f4JhjqU7FVupx/EQumg1B0
+ZEtnDYnRv8oFj+BPVa0ox0dwHF9qS57LG21SF+B3xr9UOGI8w98ZOm4VMNU1JKpf
+kSqsvlUCR23SpLQ7P3DaQMAkZqUWHoafnmPQBL1beaiPcwmPwTC0XZFX5VCq+lQd
+bV3jurM8EXY4Dk/YRrk7tZFEO8istytHXcFINL1zgCXbBXeFmzppePtpNYfuamMN
+br+Eq/UBz+FWG1ITAgMBAAECggGAPRQcg8UQuoP71ILoooPQl+sGY//xA9facGI8
+pi/lwM6k6htpK0SWC522pTZggJuhOdIEXamjCljl3xiwZsCbIctOhqhyiUiqfdid
+I1sGSRI0dODWMM/rhTdUaoErHrhNnnJmyvb2qoMAv5sbV/0t20UnI2aPyYzqKeTw
+4bwPj2Wlj58TYvz3dT5dm6U89Op4dHv2Kir/36C/phmEK7j4KNuSn9ak0tkSgamU
+CPc8/4oM3tbW/7BHLBewQyOnawnKIO2C27/MrWm5gehGMW/c5p40Tgv8cA95cv/0
+VHFOMlgpEIZtm8HhgPt+t+UM7+/T4dBPO4pOCFaXZK0RcMawttpVm6kGDpyqoAQ4
+UCNl2qPo7EADsWcvpKbLSk23SoznUdslrr4y1frGiDBaPg7siSQepJ8d25K/d3vO
+sAWV4lf6qMEJebWfPKlv2HQQ08xRa8g4T187gQqsNaFVkZP+mJCyJSKIko56ui1x
+1zBCazwFZStIvoIQWXDJ/UaLhCXJAoHBAP53tlkuAUEwuJ/2KlMqIEk6m7M5ZHl3
+zYy4bujmpsDZG/FphxkH32ULe2stlms3w+7zg/i36Xc4ZYnrDreTygKqaXQQXZni
+SHeii0/GZkzTH7lf0wz4XRNjlw+zcMRaRpA58/DSVjMmRvG2eK/FPtn+VZ19oQB9
+CY1+W/P/CKB1N1Gh7R6JWMpOnoAYnM+6yym0UGCXu1MLzNpDKJ2DPKBB/k6DyA8k
+19MEB0BFL7aBEaFrerF+SO7Ri6+KIQw4OwKBwQDVlWILnpaS/eph7Egnx67RgDzs
+X/zJAEV0zTRJtTYzZPTVPZWkEZE+8Nd51l2S6YQfKVi4PskQqlomU5/15WRMYGRB
+ja56rBCcjO38vo/G5OCUWBfn4OmZkj87RZDNzvaKgfhTESWlScgUyftiCnQw/WNV
+CFJ/qB7KlNvxBnz461L0OdVM4WpCss1nRq77P6bMK0uW6gDukuOQxPcA57WVyCDD
+dGqXWLXTIGT4HV9kO2t4Vyr7SzOH8/RDDS2KiAkCgcB/HYoHroWN7SqtLaki9i4+
+pnpU41yfmQsjOpac3Wt7dnkQ9Wg5Rsd/kGbMuW8kjCziVt8cBbMojRGb/cHSTo9h
+GYOoKOy5DGKq8JWq+i7sPaLhVU72cbL9FojFnRu92mLZdTm4mTnaP0q9QCu1klC9
+UOGv1KvytINrHS4OCt5iWWuS6dKrqGykUvW2g5UB6AvI/3wPZHx9Fa31cgr99Cr6
+2zyQOCBeAEeX77E3l9gn0P3fpvMZaz4/nomq3NN5aTUCgcB5D6o6QdLBUJE4nfAs
+NB/f+dsOdD3ZRIEZ+nJH0SH+sZug/r5B9/8m+OZ51crGSfwsmYgDLvtSqexdSwsh
+GrvmGsDY81DRkZP82FjQ6MagCv1MuD4cnbxq4p1aoEy6izPtQEwb8V0wOgjh17bY
+VGqVlhpmiUgRuZ5yXzvnezD8+o3ThrBjWmWblrOcdVEbcnG9ylCXIt4SXEoGtc33
+wl6Hnp8LioIcdRjiqbrxc9ys+I0q8eWX+IEl714lX2PP4NkCgcEA/O7zrnGJ2kQP
+QuE/A7YWgGVD3ybK1Crk7vKtGQPaCKrSVVS5E/WBNsIpAMkroaJCOd53+l/OzBfz
+uPWIcVCujOvrrhxsvkkCIZ66mQkiygd5etPyvfmeqXHNhLBVNER6c42rpmTf1WAf
+UnIBhKoG09ehJ5rqfcAnMN92Z5a7zP+7iDnANgUQrH5qfDLkvZq37wyS01iIX47D
+fo1MQgUBAUjpBNUGLtCSo8r/irDLnt2/VWx+67dE1ELv7/QizXBm
+-----END RSA PRIVATE KEY-----
diff --git a/tools/test_apps/security/secure_boot/test/secure_boot_signing_key1.pem b/tools/test_apps/security/secure_boot/test/secure_boot_signing_key1.pem
new file mode 100644
index 0000000000..b101342ee3
--- /dev/null
+++ b/tools/test_apps/security/secure_boot/test/secure_boot_signing_key1.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAn9mfX+24efn7xCnI2YlpBJONsht1SOLQTQQ7xC8JGVxHwJ6f
+KaPWZFdb+LMy7hN9YRudr+93c2LDh0sfBetKUs/i5jio+StKitI8VVDUj2ccV6Fb
+qlL/9NtdNGTIcP29MoexcCyF+U5IsXjgyrVgfDWyr/ca9y0SFJ7GPeWn6W8ESpIC
+AmeQOcJ0VFTaYpyJy0uPPAxZFoq9uuNGjtiDg33TmOcC4A5h+xCU+AxLDgogbNw5
+/yY9P5Tm9VD92KLenoXkRWyAKscpyOOa77fRViLa16RkaJLWv+sd8Xk+Qry0Yeoq
+BnZF5atz37h2TOFDvTyBkACjK/Hs+nqSekqF+3IrEH71Llk1lyTKbARFTtHe0VrE
+dNAtwZqPqa+bqJJKaIE9Ts3WoNRSUcgsZpzV+rSzVsHj6pTbODruFqhhkHXVvOQj
+6uiK005+uoPFeuNiV2/s4vTniofXHgGqnHtXx8+XMR+uoTwrdVk0HQD5PIpOtQzF
+xGmN6pjjMNgBnDuXAgMBAAECggGACaIWSjQryWIIy6YO/hkbVJTF1cV02HsevX1z
+UpvZCwe2JUQJ6HsAqRRgrQizmYhgJnGBG8CtLK13hhg/Wt52oK35iRFCEZ4LxHjt
+/OA9pxS6LwfA2+9bkHiF0en+8FxCQiDOTynHuyH+HH/h4CV1Fpcv2Q3luJ6lN8vn
+u4QzDczMb+gDqfxuwyRWWVyxun6fiTpY++/skIC09WXL80DWEB8NmOnXEQSc4AH8
+UESBY2u1z4moDxnRWBsTnhYO7jbGZk+ohEeiYFriGCELqdStNESTfuv1uMNfem7K
+OW5WZ3bKmCc1oBbZOwL8/M12+sk/b2OR15yBa16hCZF0yDuv54YZOpLew6Agc7/l
+z9nk32CSca57GvpGtDZjXswhlmEoX6PybMSIQwtjkgPcNk99Wba+n4zEJqVq1erd
+kj1Nn1niWjwsCc5+K5uEVIwMwrZXgPZG2hiEhkkOl72GvNt2BfEJDaajMSTTdmmU
+C3CJkA90THrugPAcxEMl05MORWMFAoHBANaNhTVp9i8o01iXvVCBtoUgA0VJpy2b
+4DrZ+1b6z5hqRz9EngPmmthCjlWx+U9s4XlASRb2a4aIyqAXLqRlg8BYpGPACP90
+aRwWRfSFVogW1ji/3qVK3mPyl/j3AG0I+O3JX87OC0LgPaxO/UswV/B2ToTlnN3H
+eoWTrRegDL/GjA9URG+YDebiSnmwL/70CBU+MWttWfTtiIjSWhXhez1+J37r/KEi
+JYXdkYK7ww6D7aA0kE+iNoIqbiUpQAQYEwKBwQC+utZlqFWLqRGA6cbQWqCrftrY
+XHKT2137gUsJKst/fy35NUN1fF0upbqLtrYDkLHzam3fEuap6ZPm6jB8tN9HtOlh
+xufff5R0CJ1wKHNYOAwcvfps8JKVS/PaoEZJlgnmjh41CiGJuntsDIBYiM65w/62
+OPy1hRtBd62PZB99+eFo80ERLCBbP/g6ML2GXTSk7UOHYtNfxA7QjPp8q8JT3e4t
+T9563czQqMBiru4gvG4+aRx6Jq0Kg+gE2hjohu0CgcB2fMeBHRihKLm3Jm2dpVUI
+JgrIXAmgbYIi3jko6vB0qtTYAuwFGXiQUAlNGDGoBGhszuzOap4tOSQ1zzeqAIoH
+UqzOjcIqWb6mjUJq7KxCEeKSipvJyxQQPGxjSP2KObdHkrt/eVjMwQwuOZ02xeb6
+3Es2p5u++ygV1t1zu6buzhaRbKcyvdWHmZcppvyKn3hLSwJ94nEYi4mojgrEJLcr
+2Zy0Ql1NG49/Y0K14T2yqXc0z3KXF+1ka0xS53n8CNMCgcAT4UedmvknsHypkjRt
+3TRoC7Xl3WT38mKOZ4CZuQMzC9+P3TRl14ui5BVYoLfCEV/q/knreX3fcgA/jmN1
+bCjlwX6d+WyLyDGCEq/OU/kJ1fW1PTwQBNdShnMpc5E/9Eqd5GxTnPW39F8O+RKb
+p87cYAh5l+EHTpNztHS7wHTj3ZrYJJrAnnfU6wsFjbUDf02Qb0adovhjP/1HUZp+
+SizcLwK3aF7JMbs6eIxs/MzHTryy9qPIO6XHtc4GS3FTM1UCgcEAqbGAfdryYGnB
+xEQPE7aw8rC1+SA9D8MhYjyIQi863MruDD4eqa6kyjATiKH2kV4yhLO/7aH31qZ0
+Jq/dV2/onzEF8/pFKUyjwDMvLo9FTR9ysE/o/sj7EyL4TdEX0bTZUUryEzIfA+Oc
+6xv+80viBRbBV4sTiUPVsA7ai8TuQCvXQqZCP9FDPNvQgRaVSnpzh2+VS9BdGUmY
+0yN4fBdiw2aDB1nywwO30FbzxgdS722/bUN922vQcBH5dXzx7O8F
+-----END RSA PRIVATE KEY-----
diff --git a/tools/test_apps/security/secure_boot/test/secure_boot_signing_key2.pem b/tools/test_apps/security/secure_boot/test/secure_boot_signing_key2.pem
new file mode 100644
index 0000000000..410858d446
--- /dev/null
+++ b/tools/test_apps/security/secure_boot/test/secure_boot_signing_key2.pem
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAm20CFl1l5N/JZ0AwxgouohrhQPFrBTtG+mQkC+vyhYd+ytBw
+HXfoKAZA35EOWZlZUH8lBUYKAlISo9jQ7RvCFkd2JHPjSrtSjZXLp7+FWCSBirjX
+AwOVclquzecPoRB5SRUhhnhjTi8nDwX+t5rGwztZ/+eEF3Hgt4g7BOieokrYp8Nq
+AkiZm0FHOP0j9R4t8zRIOImdFBbuNT+47MN2gUMxIKxP21SIXGt999x3aA2Ae7dt
+Xg2mMTW+JEcjvDHw0bID/hia77dhRLpUhLnyPI3e1uHX9q6jZKs/q7px5wOE/nvg
+ViR9TD4Fg0veQjrpSbsrqo5k+Hxm0kGPVVQRpQH0zTEiwZC3QpeXiUkJcLmbAwhj
+oP8mG+gfKins36vF4ozP6wxgNicCqzPEe6whtanUoqHkXpV78KjFXf7EVMTNI/p3
+3GH+8mcMVVXCUaASXZxzZUiXcjhj2K2QDPnHaVogiznzAD2RYMdpoUt9tDi53jeT
+TWBzDRxYX8GBPayrAgMBAAECggGACy8w80MNTgb8iz2HRPj+mhOtGetFdD7rwKDs
+Jx93eDxj11xgdP5n6llo2a2qhrAOSUic9WAw4DHfvYKgpi9VLB1AVycvt/T6381j
+tlKF2e3mlIDwl/ruCiiUY6S47zIsSCIJI5AONVYXTXF0/ulYXDwtIckbLES5kvtu
+o8/JeoxAQvJA8qEezJlJ8sPkjoL5c4LTn53ne8aapaJMQF1gbbTUGDHOHU5b8aqa
+ifeHcClokX6FlDsPNoNTh3DHFYfSW7PG0wb9f8JdM74m8gpc+7dBY5e+ePlCZqNz
+Tg4FXkz8R2UupPpbUWYl1h3OE5xgEMZhquThgMkOVvLe0KPl4ETi+gCWHp9vxqMR
+/vVYOpE6dE+p2gfig6PEIyCTnqGW6WcjHtPKfo5iGltAABqQzR0FOPMJYTwCbFJP
+VXuBGEIC55aN7xMdz9JfzF8nHF3hTEYwfqXnuQghJ9oTmR6HRVUQX7gJ3IsGQY7j
+tOG43VQRCZm4vMfxQDSDo4X2HUQhAoHBANmChopRDwVovuhFGsFOESUVpyNX9hPZ
+zlJ9iWgww6nwUr6GkdNvJAIGAyQRbsWR6omTxbC4ngypyRz+IoNQyd05GZ4Js6pk
+5ttWgkDcrl2e967CgwGahBpI1OrPpY9axIYTH27xqFMDxbq3z9ZB//qHiZAKcTWb
+QozG2OH5m6mNVtUiOf7bD+L7JXbAjo9oOGEnVN70HtEUWCC7X9DVc9l2G4Cv4yxF
+qxO8UeBt0G1YVIw6ObDLO/JJb+bZaS1gnwKBwQC27f7ttbaKjxISBCujph+69Tnv
+Z+XBaEy3iJXUSy12DaC//Mut3RFunhp1nMlNoFPN6ucZ1Rqk5f0Hfbz4FLtJQ1w4
+u0uGCq371gCLjZ8Kxh4kmxfmTScigK+1bzD99RMA83kCWgyormJ2mVuaM5ULzwEj
+8ryJTyRPbqUPFRY5tFvys3aqcZtN8hxaMENrGA9IsvXgF8Mp8VXDD7+WIwCf8Lzp
+FBKegWj7xfnNKjrmM6WATm5SEb1I+je5Tu0c/HUCgcAzFLtB+n1bmNjUtX3uDcZq
+/iXNYBfzW4Bf0QmXBXS+ESltgy72B7DeJMlSDCIGlhkNjD2uHf1IHguUGn7CdhOi
+N4mzmrWt+5pXwn4+e1UbuXyTdyzLEJ2biqUuK+vGudtTXWRRasFMFaO3EPnnaIKU
+NIZy5HDn1PmRFBXVJAiRjhbpYOtb1dhqRu7qb5hLR3+OGW2OGqiuE2gK79Y1thtJ
+47nbw/LG7+mYbe6QlVmQhGD+uaHYyjHe2a5E+aQAuyMCgcBGjSvRClBIyD0z7Z/X
+Ee8S8BlUGEIogc10y5zdr9DswvzIjvsPJz/d5eRWkA2jfr5ToNFYyTPpfTpFdV04
+YOaKrwwWZUYPgHbxteun5wr74MUnYRmqnP8G85LQ6v1+NNMLftug6JIRTJB1JViK
+9HH7h+7sqmXEn11ltUq7smpL/x+nT0fpHL/FJCeDMTIPT8w1QbBKqV+AAbAN9zjw
+8rb++J4jVraHo2mWERjy4+KrfifKgHVT+buDNd3f/my8zTECgcEAs/v5UXrgmPTW
+Zk6c3gBaXzsdaFjiPPB87JVypufzqoQ8kVqrAcUUUjXwQ2Bl2hAmmgwa4xAMBITP
+Z33gs8gilYGTrCt/r91Zgo4tyM9QQM7kVskxY3o42GeRgD1+WNsOpEEuz2XxAEEc
+CqY1xlNkAeqHis8k5GyFTxCu00eagunt/BPRq8iKtgBSVplEQisqAjM8WaEHKYp0
+3Eb6/fKw0va5ABMiwuiuSUtv4GAkok/DZC4pOgwCYICX9kjuuFXp
+-----END RSA PRIVATE KEY-----