refactor(bootloader_support): Unify bootloader_sha layer

components/bootloader_support/CMakeLists.txt

@@ -11,7 +11,7 @@ if(esp_tee_build)
                      "bootloader_flash/include")
 
     set(tee_srcs "src/flash_partitions.c"
-                 "src/${IDF_TARGET}/bootloader_sha.c"
+                 "src/bootloader_sha.c"
                  "src/bootloader_common_loader.c"
                  "src/esp_image_format.c"
                  "src/bootloader_utility.c"
@@ -64,6 +64,8 @@ if(CONFIG_APP_BUILD_TYPE_APP_2NDBOOT)
         )
 endif()
 
+list(APPEND srcs "src/bootloader_sha.c")
+
 if(BOOTLOADER_BUILD OR CONFIG_APP_BUILD_TYPE_RAM)
     set(include_dirs "include" "bootloader_flash/include"
         "private_include")
@@ -73,7 +75,6 @@ if(BOOTLOADER_BUILD OR CONFIG_APP_BUILD_TYPE_RAM)
     "src/bootloader_clock_loader.c"
     "src/bootloader_console.c"
     "src/bootloader_console_loader.c"
-    "src/${IDF_TARGET}/bootloader_sha.c"
     "src/${IDF_TARGET}/bootloader_soc.c"
     "src/${IDF_TARGET}/bootloader_${IDF_TARGET}.c"
     )
@@ -86,8 +87,6 @@ if(BOOTLOADER_BUILD OR CONFIG_APP_BUILD_TYPE_RAM)
             "src/${IDF_TARGET}/bootloader_ecdsa.c")
     endif()
 else()
-    list(APPEND srcs
-        "src/idf/bootloader_sha.c")
     set(include_dirs "include" "bootloader_flash/include")
     set(priv_include_dirs "private_include")
     # heap is required for `heap_memory_layout.h` header

components/bootloader_support/src/bootloader_sha.c

@@ -1,15 +1,58 @@
 /*
- * SPDX-FileCopyrightText: 2017-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
-#include "bootloader_sha.h"
+
+#include <assert.h>
 #include <stdbool.h>
 #include <string.h>
-#include <assert.h>
 #include <sys/param.h>
 
-#include "esp32/rom/sha.h"
+#include "bootloader_sha.h"
+#include "soc/soc_caps.h"
+#include "rom/sha.h"
+#include "sdkconfig.h"
+
+#if NON_OS_BUILD || CONFIG_APP_BUILD_TYPE_RAM
+#if !CONFIG_IDF_TARGET_ESP32
+static SHA_CTX ctx;
+
+bootloader_sha256_handle_t bootloader_sha256_start()
+{
+    // Enable SHA hardware
+    ets_sha_enable();
+    ets_sha_init(&ctx, SHA2_256);
+    return &ctx; // Meaningless non-NULL value
+}
+
+void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
+{
+    assert(handle != NULL);
+
+#if !SOC_SECURE_BOOT_V2_ECC
+    /* For secure boot, the key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
+     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
+     * ets_sha_update handles it cleanly so we can safely remove the check:
+     */
+    assert(data_len % 4 == 0);
+#endif /* SOC_SECURE_BOOT_V2_ECC */
+
+    ets_sha_update(&ctx, data, data_len, false);
+}
+
+void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
+{
+    assert(handle != NULL);
+
+    if (digest == NULL) {
+        bzero(&ctx, sizeof(ctx));
+        return;
+    }
+    ets_sha_finish(&ctx, digest);
+}
+#else /* !CONFIG_IDF_TARGET_ESP32 */
+
 #include "soc/dport_reg.h"
 #include "soc/hwcrypto_periph.h"
 
@@ -114,3 +157,46 @@ void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest
     }
     asm volatile ("memw");
 }
+#endif /* CONFIG_IDF_TARGET_ESP32 */
+#else /* NON_OS_BUILD || CONFIG_APP_BUILD_TYPE_RAM */
+
+#include "bootloader_flash_priv.h"
+#include <mbedtls/sha256.h>
+
+bootloader_sha256_handle_t bootloader_sha256_start(void)
+{
+    mbedtls_sha256_context *ctx = (mbedtls_sha256_context *)malloc(sizeof(mbedtls_sha256_context));
+    if (!ctx) {
+        return NULL;
+    }
+    mbedtls_sha256_init(ctx);
+    int ret = mbedtls_sha256_starts(ctx, false);
+    if (ret != 0) {
+        return NULL;
+    }
+    return ctx;
+}
+
+void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
+{
+    assert(handle != NULL);
+    mbedtls_sha256_context *ctx = (mbedtls_sha256_context *)handle;
+    int ret = mbedtls_sha256_update(ctx, data, data_len);
+    assert(ret == 0);
+    (void)ret;
+}
+
+void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
+{
+    assert(handle != NULL);
+    mbedtls_sha256_context *ctx = (mbedtls_sha256_context *)handle;
+    if (digest != NULL) {
+        int ret = mbedtls_sha256_finish(ctx, digest);
+        assert(ret == 0);
+        (void)ret;
+    }
+    mbedtls_sha256_free(ctx);
+    free(handle);
+    handle = NULL;
+}
+#endif /* !(NON_OS_BUILD || CONFIG_APP_BUILD_TYPE_RAM) */

components/bootloader_support/src/esp32c2/bootloader_sha.c

@@ -1,44 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32c2/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* C2 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32c3/bootloader_sha.c

@@ -1,40 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32c3/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    assert(data_len % 4 == 0);
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32c5/bootloader_sha.c

@@ -1,44 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32c5/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* C5 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32c6/bootloader_sha.c

@@ -1,44 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32c6/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* C6 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32c61/bootloader_sha.c

@@ -1,44 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32c61/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* C61 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32h2/bootloader_sha.c

@@ -1,44 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32h2/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* H2 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32h21/bootloader_sha.c

@@ -1,46 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "rom/sha.h"
-
-//TODO: [ESP32H21] IDF-11501
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* H21 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32h4/bootloader_sha.c

@@ -1,44 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* H4 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32p4/bootloader_sha.c

@@ -1,44 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32p4/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    /* P4 secure boot key field consists of 1 byte of curve identifier and 64 bytes of ECDSA public key.
-     * While verifying the signature block, we need to calculate the SHA of this key field which is of 65 bytes.
-     * ets_sha_update handles it cleanly so we can safely remove the check:
-     * assert(data_len % 4) == 0
-     */
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32s2/bootloader_sha.c

@@ -1,45 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2017-2021 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32s2/rom/sha.h"
-
-static SHA_CTX ctx;
-
-// Words per SHA256 block
-// static const size_t BLOCK_WORDS = (64/sizeof(uint32_t));
-// Words in final SHA256 digest
-// static const size_t DIGEST_WORDS = (32/sizeof(uint32_t));
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    assert(data_len % 4 == 0);
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/esp32s3/bootloader_sha.c

@@ -1,40 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-
-#include "esp32s3/rom/sha.h"
-
-static SHA_CTX ctx;
-
-bootloader_sha256_handle_t bootloader_sha256_start()
-{
-    // Enable SHA hardware
-    ets_sha_enable();
-    ets_sha_init(&ctx, SHA2_256);
-    return &ctx; // Meaningless non-NULL value
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    assert(data_len % 4 == 0);
-    ets_sha_update(&ctx, data, data_len, false);
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-
-    if (digest == NULL) {
-        bzero(&ctx, sizeof(ctx));
-        return;
-    }
-    ets_sha_finish(&ctx, digest);
-}

components/bootloader_support/src/idf/bootloader_sha.c

@@ -1,49 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2017-2021 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-#include "bootloader_sha.h"
-#include "bootloader_flash_priv.h"
-#include <stdbool.h>
-#include <string.h>
-#include <assert.h>
-#include <sys/param.h>
-#include <mbedtls/sha256.h>
-
-bootloader_sha256_handle_t bootloader_sha256_start(void)
-{
-    mbedtls_sha256_context *ctx = (mbedtls_sha256_context *)malloc(sizeof(mbedtls_sha256_context));
-    if (!ctx) {
-        return NULL;
-    }
-    mbedtls_sha256_init(ctx);
-    int ret = mbedtls_sha256_starts(ctx, false);
-    if (ret != 0) {
-        return NULL;
-    }
-    return ctx;
-}
-
-void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
-{
-    assert(handle != NULL);
-    mbedtls_sha256_context *ctx = (mbedtls_sha256_context *)handle;
-    int ret = mbedtls_sha256_update(ctx, data, data_len);
-    assert(ret == 0);
-    (void)ret;
-}
-
-void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
-{
-    assert(handle != NULL);
-    mbedtls_sha256_context *ctx = (mbedtls_sha256_context *)handle;
-    if (digest != NULL) {
-        int ret = mbedtls_sha256_finish(ctx, digest);
-        assert(ret == 0);
-        (void)ret;
-    }
-    mbedtls_sha256_free(ctx);
-    free(handle);
-    handle = NULL;
-}