Merge branch 'feature/enable_rsa_based_secure_boot_for_c5_eco1' into 'master'

feat(bootloader_support): enabled RSA based secure boot scheme for ESP32C5 ECO1

Closes IDF-10453 and IDF-11441

See merge request espressif/esp-idf!35104
Mahavir Jain
2024-12-04 18:00:34 +08:00
7 changed files with 21 additions and 2 deletions


@@ -534,6 +534,7 @@ menu "Security features"
config SECURE_SIGNED_APPS_RSA_SCHEME config SECURE_SIGNED_APPS_RSA_SCHEME
bool "RSA" bool "RSA"
depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED) depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED)
depends on !(IDF_TARGET_ESP32C5 && ESP32C5_REV_MIN_FULL < 1)
help help
Appends the RSA-3072 based Signature block to the application. Appends the RSA-3072 based Signature block to the application.
Refer to <Secure Boot Version 2 documentation link> before enabling. Refer to <Secure Boot Version 2 documentation link> before enabling.
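Review bot: The help text of SECURE_SIGNED_APPS_RSA_SCHEME does not mention the new revision dependency, so on ESP32-C5 with a minimum revision of v0.0 the RSA choice disappears from the menu with no explanation. I would add a help sentence such as `On ESP32-C5 this option requires a minimum chip revision of v0.1 (ECO1).` The added `depends on` also applies when SECURE_SIGNED_APPS_NO_SECURE_BOOT is selected. If the limitation only concerns hardware secure boot, narrow the condition or say so in a comment; the hunk does not show which is the case.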


@@ -51,6 +51,7 @@ void bootloader_print_banner(void);
* @return ESP_OK - If the setting is successful. * @return ESP_OK - If the setting is successful.
* ESP_FAIL - If the setting is not successful. * ESP_FAIL - If the setting is not successful.
* ESP_ERR_NOT_SUPPORTED - If selected secure boot scheme is not supported.
*/ */
esp_err_t bootloader_init(void); esp_err_t bootloader_init(void);


@@ -103,6 +103,15 @@ static inline void bootloader_ana_reset_config(void)
esp_err_t bootloader_init(void) esp_err_t bootloader_init(void)
{ {
#if CONFIG_SECURE_BOOT
#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
if (efuse_hal_chip_revision() == 0) {
ESP_LOGE(TAG, "Chip version 0.0 is not supported with RSA secure boot scheme. Please select the ECDSA scheme.");
return ESP_ERR_NOT_SUPPORTED;
}
#endif /* CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME */
#endif /* CONFIG_SECURE_BOOT */
esp_err_t ret = ESP_OK; esp_err_t ret = ESP_OK;
bootloader_hardware_init(); bootloader_hardware_init();
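Review bot: The revision guard at the top of bootloader_init() is compiled only under `CONFIG_SECURE_BOOT`, whereas the Kconfig dependency added in this commit hides the RSA scheme for both secure boot and signed apps without secure boot. If the v0.0 limitation also affects app signature verification, the outer `#if` leaves that configuration without a runtime check. The test `efuse_hal_chip_revision() == 0` hard-codes the revision with no explanation; a comment such as `/* RSA secure boot scheme is not supported on chip revision v0.0 (ECO0) */` above it would record the reason. The function body continues outside the hunk and the caller is not shown, so confirm that a return of ESP_ERR_NOT_SUPPORTED stops the boot rather than falling through to load an image.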


@@ -10,12 +10,15 @@ choice ESP32C5_REV_MIN
this will also help to reduce binary size. this will also help to reduce binary size.
config ESP32C5_REV_MIN_0 config ESP32C5_REV_MIN_0
bool "Rev v0.0" bool "Rev v0.0 (ECO0)"
config ESP32C5_REV_MIN_1
bool "Rev v0.1 (ECO1)"
endchoice endchoice
config ESP32C5_REV_MIN_FULL config ESP32C5_REV_MIN_FULL
int int
default 0 if ESP32C5_REV_MIN_0 default 0 if ESP32C5_REV_MIN_0
default 1 if ESP32C5_REV_MIN_1
config ESP_REV_MIN_FULL config ESP_REV_MIN_FULL
int int


@@ -1223,6 +1223,10 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
bool bool
default y default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y
config SOC_SECURE_BOOT_V2_ECC config SOC_SECURE_BOOT_V2_ECC
bool bool
default y default y


@@ -513,6 +513,7 @@
#define SOC_KEY_MANAGER_FE_KEY_DEPLOY 1 /*!< Key manager responsible to deploy Flash Encryption key */ #define SOC_KEY_MANAGER_FE_KEY_DEPLOY 1 /*!< Key manager responsible to deploy Flash Encryption key */
/*-------------------------- Secure Boot CAPS----------------------------*/ /*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_SECURE_BOOT_V2_ECC 1 #define SOC_SECURE_BOOT_V2_ECC 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 #define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1
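Review bot: `SOC_SECURE_BOOT_V2_RSA` is defined unconditionally, although this commit treats RSA secure boot as unsupported on chip revision v0.0. Any code or Kconfig symbol keyed only on this capability will therefore see RSA as available on every revision. The revision restriction lives elsewhere in the commit, so I would record it next to the define, for example `#define SOC_SECURE_BOOT_V2_RSA 1 /*!< RSA scheme requires chip revision v0.1 (ECO1) or later */`. It is also worth checking that other users of this macro, which are not visible in this hunk, do not rely on it as the sole gate.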


@@ -9,7 +9,7 @@ Secure Boot v2
{IDF_TARGET_SBV2_KEY:default="RSA-3072", esp32c2="ECDSA-256 or ECDSA-192", esp32c6="RSA-3072, ECDSA-256, or ECDSA-192", esp32h2="RSA-3072, ECDSA-256, or ECDSA-192", esp32p4="RSA-3072, ECDSA-256, or ECDSA-192", esp32c5="RSA-3072, ECDSA-256, or ECDSA-192", esp32c61="ECDSA-256 or ECDSA-192"} {IDF_TARGET_SBV2_KEY:default="RSA-3072", esp32c2="ECDSA-256 or ECDSA-192", esp32c6="RSA-3072, ECDSA-256, or ECDSA-192", esp32h2="RSA-3072, ECDSA-256, or ECDSA-192", esp32p4="RSA-3072, ECDSA-256, or ECDSA-192", esp32c5="RSA-3072, ECDSA-256, or ECDSA-192", esp32c61="ECDSA-256 or ECDSA-192"}
{IDF_TARGET_SECURE_BOOT_OPTION_TEXT:default="", esp32c6="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32h2="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32p4="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu."} {IDF_TARGET_SECURE_BOOT_OPTION_TEXT:default="", esp32c6="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32h2="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32p4="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32c5="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu."}
{IDF_TARGET_ECO_VERSION:default="", esp32="(v3.0 onwards)", esp32c3="(v0.3 onwards)"} {IDF_TARGET_ECO_VERSION:default="", esp32="(v3.0 onwards)", esp32c3="(v0.3 onwards)"}