From 1e11340061263551d710a10bb0a7d628a4281d91 Mon Sep 17 00:00:00 2001
From: "nilesh.kale"
Date: Thu, 21 Nov 2024 17:04:12 +0530
Subject: [PATCH] feat(bootloader_support): enabled RSA based secure boot scheme for ESP32C5 ECO1
This commit enabled RSA based secure boot scheme for ESP32C5 ECO1 module. This update also adds a check to ensure the selected secure boot scheme is valid for ECO0 modules.
---
 components/bootloader/Kconfig.projbuild | 1 +
 .../bootloader_support/private_include/bootloader_init.h | 1 +
 .../bootloader_support/src/esp32c5/bootloader_esp32c5.c | 9 +++++++++
 .../esp_hw_support/port/esp32c5/Kconfig.hw_support | 5 ++++-
 components/soc/esp32c5/include/soc/Kconfig.soc_caps.in | 4 ++++
 components/soc/esp32c5/include/soc/soc_caps.h | 1 +
 docs/en/security/secure-boot-v2.rst | 2 +-
 7 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index c11c7b95a4..d7a5cc9635 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -534,6 +534,7 @@ menu "Security features"
 config SECURE_SIGNED_APPS_RSA_SCHEME
 bool "RSA"
 depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED)
+ depends on !(IDF_TARGET_ESP32C5 && ESP32C5_REV_MIN_FULL < 1)
 help
 Appends the RSA-3072 based Signature block to the application. Refer to before enabling.
diff --git a/components/bootloader_support/private_include/bootloader_init.h b/components/bootloader_support/private_include/bootloader_init.h
index 724643703e..4dfc2d5a9a 100644
--- a/components/bootloader_support/private_include/bootloader_init.h
+++ b/components/bootloader_support/private_include/bootloader_init.h
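Review bot: In components/bootloader/Kconfig.projbuild the added `depends on !(IDF_TARGET_ESP32C5 && ESP32C5_REV_MIN_FULL < 1)` hides the RSA option whenever the minimum revision is left at v0.0, but the `help` text right below it says nothing about that. The docs change in this same commit recommends RSA for esp32c5, so a user who does not find the option in the menu gets no hint why. I would add one sentence to the help, for example `On ESP32-C5 this option requires the minimum chip revision to be v0.1 (ECO1) or later.` This gate only limits what can be selected at build time; the revision of the part that actually boots is checked separately in bootloader_esp32c5.c.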
@@ -51,6 +51,7 @@ void bootloader_print_banner(void);
 * @return ESP_OK - If the setting is successful.
 * ESP_FAIL - If the setting is not successful.
+ * ESP_ERR_NOT_SUPPORTED - If selected secure boot scheme is not supported.
 */
 esp_err_t bootloader_init(void);
diff --git a/components/bootloader_support/src/esp32c5/bootloader_esp32c5.c b/components/bootloader_support/src/esp32c5/bootloader_esp32c5.c
index 4d572e102b..f40e47e498 100644
--- a/components/bootloader_support/src/esp32c5/bootloader_esp32c5.c
+++ b/components/bootloader_support/src/esp32c5/bootloader_esp32c5.c
@@ -103,6 +103,15 @@ static inline void bootloader_ana_reset_config(void)
 esp_err_t bootloader_init(void)
 {
+#if CONFIG_SECURE_BOOT
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+ if (efuse_hal_chip_revision() == 0) {
+ ESP_LOGE(TAG, "Chip version 0.0 is not supported with RSA secure boot scheme. Please select the ECDSA scheme.");
+ return ESP_ERR_NOT_SUPPORTED;
+ }
+#endif /* CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME */
+#endif /* CONFIG_SECURE_BOOT */
+
 esp_err_t ret = ESP_OK;
 bootloader_hardware_init();
diff --git a/components/esp_hw_support/port/esp32c5/Kconfig.hw_support b/components/esp_hw_support/port/esp32c5/Kconfig.hw_support
index 4d40c5c547..201a526ae8 100644
--- a/components/esp_hw_support/port/esp32c5/Kconfig.hw_support
+++ b/components/esp_hw_support/port/esp32c5/Kconfig.hw_support
@@ -10,12 +10,15 @@ choice ESP32C5_REV_MIN
 this will also help to reduce binary size.
 config ESP32C5_REV_MIN_0
- bool "Rev v0.0"
+ bool "Rev v0.0 (ECO0)"
+ config ESP32C5_REV_MIN_1
+ bool "Rev v0.1 (ECO1)"
 endchoice
 config ESP32C5_REV_MIN_FULL
 int
 default 0 if ESP32C5_REV_MIN_0
+ default 1 if ESP32C5_REV_MIN_1
 config ESP_REV_MIN_FULL
 int
diff --git a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
index 805e36a32f..78b5d735af 100644
--- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
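Review bot: The ECO0 guard added at the top of `bootloader_init()` in bootloader_esp32c5.c is compiled only under `CONFIG_SECURE_BOOT`, while the Kconfig.projbuild hunk of this commit also lets `SECURE_SIGNED_APPS_RSA_SCHEME` be selected with `SECURE_SIGNED_APPS_NO_SECURE_BOOT`, so a signed-apps-only build carries no runtime revision check. If the revision 0.0 limitation also affects signature verification without hardware secure boot, the outer `#if CONFIG_SECURE_BOOT` should go; if it does not, a one-line comment above the guard saying why only the secure-boot case is checked would record that decision. The test is written as `== 0` where the Kconfig gate uses `ESP32C5_REV_MIN_FULL < 1`; `if (efuse_hal_chip_revision() < 1) {` would make the two gates read as the same rule. The guard fails closed by returning before `bootloader_hardware_init()`. The rest of the function and its caller lie outside the hunk, so what happens on `ESP_ERR_NOT_SUPPORTED`, and whether the `ESP_LOGE` text is visible that early, cannot be confirmed from here.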
@@ -1219,6 +1219,10 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
 bool
 default y
+config SOC_SECURE_BOOT_V2_RSA
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_ECC
 bool
 default y
diff --git a/components/soc/esp32c5/include/soc/soc_caps.h b/components/soc/esp32c5/include/soc/soc_caps.h
index a58cee0fed..95ee637012 100644
--- a/components/soc/esp32c5/include/soc/soc_caps.h
+++ b/components/soc/esp32c5/include/soc/soc_caps.h
@@ -511,6 +511,7 @@
 #define SOC_KEY_MANAGER_FE_KEY_DEPLOY 1 /*!< Key manager responsible to deploy Flash Encryption key */
 /*-------------------------- Secure Boot CAPS----------------------------*/
+#define SOC_SECURE_BOOT_V2_RSA 1
 #define SOC_SECURE_BOOT_V2_ECC 1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
 #define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1
diff --git a/docs/en/security/secure-boot-v2.rst b/docs/en/security/secure-boot-v2.rst
index d2404cf3c6..b0fa0cd42f 100644
--- a/docs/en/security/secure-boot-v2.rst
+++ b/docs/en/security/secure-boot-v2.rst
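Review bot: In soc_caps.h `SOC_SECURE_BOOT_V2_RSA` is defined unconditionally for the target, yet the bootloader hunk of this commit rejects the RSA scheme on chip revision 0.0, so the macro on its own overstates the capability. Code that keys off this macro without also checking the revision would treat an ECO0 part as RSA-capable. A trailing comment in the style of the neighbouring `SOC_KEY_MANAGER_FE_KEY_DEPLOY` line would carry the caveat, for example `#define SOC_SECURE_BOOT_V2_RSA 1 /*!< RSA secure boot scheme; not supported on chip revision v0.0 (ECO0) */`.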
@@ -9,7 +9,7 @@ Secure Boot v2
 {IDF_TARGET_SBV2_KEY:default="RSA-3072", esp32c2="ECDSA-256 or ECDSA-192", esp32c6="RSA-3072, ECDSA-256, or ECDSA-192", esp32h2="RSA-3072, ECDSA-256, or ECDSA-192", esp32p4="RSA-3072, ECDSA-256, or ECDSA-192", esp32c5="RSA-3072, ECDSA-256, or ECDSA-192", esp32c61="ECDSA-256 or ECDSA-192"}
-{IDF_TARGET_SECURE_BOOT_OPTION_TEXT:default="", esp32c6="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32h2="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32p4="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu."}
+{IDF_TARGET_SECURE_BOOT_OPTION_TEXT:default="", esp32c6="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32h2="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32p4="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32c5="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu."}
 {IDF_TARGET_ECO_VERSION:default="", esp32="(v3.0 onwards)", esp32c3="(v0.3 onwards)"}