diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c
index 803a8879d3..ebfd92c9c8 100644
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -127,25 +127,27 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
 uint32_t checksum_word = ESP_ROM_CHECKSUM_INITIAL;
 uint32_t *checksum = (do_verify) ? &checksum_word : NULL;
 bootloader_sha256_handle_t sha_handle = NULL;
+ bool verify_sha;
 #if (SECURE_BOOT_CHECK_SIGNATURE == 1)
 /* used for anti-FI checks */
 uint8_t image_digest[HASH_LEN] = { [ 0 ... 31] = 0xEE };
 uint8_t verified_digest[HASH_LEN] = { [ 0 ... 31 ] = 0x01 };
 #endif
-#if CONFIG_SECURE_BOOT_V2_ENABLED
- // For Secure Boot V2, we do verify signature on bootloader which includes the SHA calculation.
- bool verify_sha = do_verify;
-#else // Secure boot not enabled
- // For secure boot V1 on ESP32, we don't calculate SHA or verify signature on bootloaders.
- // (For non-secure boot, we don't verify any SHA-256 hash appended to the bootloader because
- // esptool.py may have rewritten the header - rely on esptool.py having verified the bootloader at flashing time, instead.)
- bool verify_sha = (part->offset != ESP_BOOTLOADER_OFFSET) && do_verify;
-#endif
 if (data == NULL || part == NULL) {
 return ESP_ERR_INVALID_ARG;
 }
+#if CONFIG_SECURE_BOOT_V2_ENABLED
+ // For Secure Boot V2, we do verify signature on bootloader which includes the SHA calculation.
+ verify_sha = do_verify;
+#else // Secure boot not enabled
+ // For secure boot V1 on ESP32, we don't calculate SHA or verify signature on bootloaders.
+ // (For non-secure boot, we don't verify any SHA-256 hash appended to the bootloader because
+ // esptool.py may have rewritten the header - rely on esptool.py having verified the bootloader at flashing time, instead.)
+ verify_sha = (part->offset != ESP_BOOTLOADER_OFFSET) && do_verify;
+#endif
+
 if (part->size > SIXTEEN_MB) {
 err = ESP_ERR_INVALID_ARG;
 FAIL_LOAD("partition size 0x%x invalid, larger than 16MB", part->size);
diff --git a/docs/en/security/secure-boot-v2.rst b/docs/en/security/secure-boot-v2.rst
index ef34fea7b0..2242105da6 100644
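Review bot: The `#else // Secure boot not enabled` label on the relocated block is misleading, because the comment directly beneath it says the branch also covers Secure Boot V1 on ESP32, where the bootloader is deliberately left unverified; consider `#else // Secure Boot V2 not enabled (V1 or no secure boot)` so a reader does not assume this path is only taken on unsecured devices. Splitting `bool verify_sha;` from its assignment also leaves an uninitialized local sitting above the anti-FI digest declarations; the original `bool verify_sha = ...;` initializers could be moved below the NULL check as a unit, matching the declare-at-first-use style the function already uses for `checksum_word` and `sha_handle`. image_load's body continues outside the hunk.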
--- a/docs/en/security/secure-boot-v2.rst
+++ b/docs/en/security/secure-boot-v2.rst
@@ -132,7 +132,7 @@ The content of each signature block is shown in the following table:
 - Pre-calculated M’, derived from ‘n’
 * - 812
 - 384
- - RSA-PSS Signature result (section 8.1.1 of RFC8017) of image content, computed using following PSS parameters: SHA256 hash, MFG1 function, 0 length salt, default trailer field (0xBC).
+ - RSA-PSS Signature result (section 8.1.1 of RFC8017) of image content, computed using following PSS parameters: SHA256 hash, MFG1 function, salt length 32 bytes, default trailer field (0xBC).
 * - 1196
 - 4
 - CRC32 of the preceding 1095 bytes.