esp-idf/components/bootloader_support/src/secure_boot_signatures.c

// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at

//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "sdkconfig.h"

#include "bootloader_flash.h"
#include "bootloader_sha.h"
#include "esp_log.h"
#include "esp_image_format.h"
#include "esp_secure_boot.h"

#ifdef BOOTLOADER_BUILD
#include "esp32/rom/sha.h"
#include "uECC.h"
typedef SHA_CTX sha_context;
#else
#include "mbedtls/sha256.h"
#include "mbedtls/x509.h"
#endif

static const char* TAG = "secure_boot";

extern const uint8_t signature_verification_key_start[] asm("_binary_signature_verification_key_bin_start");
extern const uint8_t signature_verification_key_end[] asm("_binary_signature_verification_key_bin_end");

#define SIGNATURE_VERIFICATION_KEYLEN 64

#define DIGEST_LEN 32

esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
{
    uint8_t digest[DIGEST_LEN];
    const uint8_t *data;
    const esp_secure_boot_sig_block_t *sigblock;

    ESP_LOGD(TAG, "verifying signature src_addr 0x%x length 0x%x", src_addr, length);

    data = bootloader_mmap(src_addr, length + sizeof(esp_secure_boot_sig_block_t));
    if(data == NULL) {
        ESP_LOGE(TAG, "bootloader_mmap(0x%x, 0x%x) failed", src_addr, length+sizeof(esp_secure_boot_sig_block_t));
        return ESP_FAIL;
    }

    // Calculate digest of main image
#ifdef BOOTLOADER_BUILD
    bootloader_sha256_handle_t handle = bootloader_sha256_start();
    bootloader_sha256_data(handle, data, length);
    bootloader_sha256_finish(handle, digest);
#else
    /* Use thread-safe mbedTLS version */
    mbedtls_sha256_ret(data, length, digest, 0);
#endif

    // Map the signature block and verify the signature
    sigblock = (const esp_secure_boot_sig_block_t *)(data + length);
    esp_err_t err = esp_secure_boot_verify_signature_block(sigblock, digest);
    bootloader_munmap(data);
    return err;
}

esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
{
    ptrdiff_t keylen;

    keylen = signature_verification_key_end - signature_verification_key_start;
    if(keylen != SIGNATURE_VERIFICATION_KEYLEN) {
        ESP_LOGE(TAG, "Embedded public verification key has wrong length %d", keylen);
        return ESP_FAIL;
    }

    if (sig_block->version != 0) {
        ESP_LOGE(TAG, "image has invalid signature version field 0x%08x", sig_block->version);
        return ESP_FAIL;
    }

    ESP_LOGD(TAG, "Verifying secure boot signature");

#ifdef BOOTLOADER_BUILD
    bool is_valid;
    is_valid = uECC_verify(signature_verification_key_start,
                                image_digest,
                                DIGEST_LEN,
                                sig_block->signature,
                                uECC_secp256r1());
    ESP_LOGD(TAG, "Verification result %d", is_valid);
    return is_valid ? ESP_OK : ESP_ERR_IMAGE_INVALID;
#else /* BOOTLOADER_BUILD */
    int ret;
    mbedtls_mpi r, s;

    mbedtls_mpi_init(&r);
    mbedtls_mpi_init(&s);

    /* Extract r and s components from RAW ECDSA signature of 64 bytes */
    #define ECDSA_INTEGER_LEN 32
    ret = mbedtls_mpi_read_binary(&r, &sig_block->signature[0], ECDSA_INTEGER_LEN);
    if (ret != 0) {
        ESP_LOGE(TAG, "Failed mbedtls_mpi_read_binary(1), err:%d", ret);
        return ESP_FAIL;
    }

    ret = mbedtls_mpi_read_binary(&s, &sig_block->signature[ECDSA_INTEGER_LEN], ECDSA_INTEGER_LEN);
    if (ret != 0) {
        ESP_LOGE(TAG, "Failed mbedtls_mpi_read_binary(2), err:%d", ret);
        mbedtls_mpi_free(&r);
        return ESP_FAIL;
    }

    /* Initialise ECDSA context */
    mbedtls_ecdsa_context ecdsa_context;
    mbedtls_ecdsa_init(&ecdsa_context);

    mbedtls_ecp_group_load(&ecdsa_context.grp, MBEDTLS_ECP_DP_SECP256R1);
    size_t plen = mbedtls_mpi_size(&ecdsa_context.grp.P);
    if (keylen != 2*plen) {
        ESP_LOGE(TAG, "Incorrect ECDSA key length %d", keylen);
        ret = ESP_FAIL;
        goto cleanup;
    }

    /* Extract X and Y components from ECDSA public key */
    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ecdsa_context.Q.X, signature_verification_key_start, plen));
    MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ecdsa_context.Q.Y, signature_verification_key_start + plen, plen));
    MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ecdsa_context.Q.Z, 1));

    ret = mbedtls_ecdsa_verify(&ecdsa_context.grp, image_digest, DIGEST_LEN, &ecdsa_context.Q, &r, &s);
    ESP_LOGD(TAG, "Verification result %d", ret);

cleanup:
    mbedtls_mpi_free(&r);
    mbedtls_mpi_free(&s);
    mbedtls_ecdsa_free(&ecdsa_context);
    return ret == 0 ? ESP_OK : ESP_ERR_IMAGE_INVALID;
#endif /* !BOOTLOADER_BUILD */
}
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`

			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`
			`#include "sdkconfig.h"`

			`#include "bootloader_flash.h"`
bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`#include "bootloader_sha.h"`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`#include "esp_log.h"`
			`#include "esp_image_format.h"`
			`#include "esp_secure_boot.h"`

			`#ifdef BOOTLOADER_BUILD`
separate rom from esp32 component to esp_rom 1. separate rom include files and linkscript to esp_rom 2. modefiy "include rom/xxx.h" to "include esp32/rom/xxx.h" 3. Forward compatible 4. update mqtt 2019-03-14 05:29:32 -04:00			`#include "esp32/rom/sha.h"`
bootloader: use mbedTLS for secure boot verification in firmware 2019-01-04 02:18:28 -05:00			`#include "uECC.h"`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`typedef SHA_CTX sha_context;`
			`#else`
secure boot: Use mbedtls_sha256() not esp_sha() Latter is probably compiled into most firmwares already, saves some size. Ref https://github.com/espressif/esp-idf/issues/3127 2019-03-08 00:16:55 -05:00			`#include "mbedtls/sha256.h"`
bootloader: use mbedTLS for secure boot verification in firmware 2019-01-04 02:18:28 -05:00			`#include "mbedtls/x509.h"`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`#endif`

			`static const char* TAG = "secure_boot";`

			`extern const uint8_t signature_verification_key_start[] asm("_binary_signature_verification_key_bin_start");`
			`extern const uint8_t signature_verification_key_end[] asm("_binary_signature_verification_key_bin_end");`

			`#define SIGNATURE_VERIFICATION_KEYLEN 64`

bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`#define DIGEST_LEN 32`

Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)`
			`{`
bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`uint8_t digest[DIGEST_LEN];`
Build system: Raise warning level Default esp-idf builds now show -Wextra warnings (except for a few: signed/unsigned comparison, unused parameters, old-style C declarations.) CI building of examples runs with that level raised to -Werror, to catch those changes going into the main repo. 2016-11-15 23:42:38 -05:00			`const uint8_t *data;`
Flash encryption: Support enabling flash encryption in bootloader, app support * App access functions are all flash encryption-aware * Documentation for flash encryption * Partition read/write is flash aware * New encrypted write function 2016-11-11 01:00:34 -05:00			`const esp_secure_boot_sig_block_t *sigblock;`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00
			`ESP_LOGD(TAG, "verifying signature src_addr 0x%x length 0x%x", src_addr, length);`

Flash encryption: Support enabling flash encryption in bootloader, app support * App access functions are all flash encryption-aware * Documentation for flash encryption * Partition read/write is flash aware * New encrypted write function 2016-11-11 01:00:34 -05:00			`data = bootloader_mmap(src_addr, length + sizeof(esp_secure_boot_sig_block_t));`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`if(data == NULL) {`
Flash encryption: Support enabling flash encryption in bootloader, app support * App access functions are all flash encryption-aware * Documentation for flash encryption * Partition read/write is flash aware * New encrypted write function 2016-11-11 01:00:34 -05:00			`ESP_LOGE(TAG, "bootloader_mmap(0x%x, 0x%x) failed", src_addr, length+sizeof(esp_secure_boot_sig_block_t));`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`return ESP_FAIL;`
			`}`

bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`// Calculate digest of main image`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`#ifdef BOOTLOADER_BUILD`
bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`bootloader_sha256_handle_t handle = bootloader_sha256_start();`
			`bootloader_sha256_data(handle, data, length);`
			`bootloader_sha256_finish(handle, digest);`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`#else`
secure boot: Use mbedtls_sha256() not esp_sha() Latter is probably compiled into most firmwares already, saves some size. Ref https://github.com/espressif/esp-idf/issues/3127 2019-03-08 00:16:55 -05:00			`/* Use thread-safe mbedTLS version */`
			`mbedtls_sha256_ret(data, length, digest, 0);`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`#endif`

bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`// Map the signature block and verify the signature`
			`sigblock = (const esp_secure_boot_sig_block_t *)(data + length);`
			`esp_err_t err = esp_secure_boot_verify_signature_block(sigblock, digest);`
			`bootloader_munmap(data);`
			`return err;`
			`}`

			`esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t sig_block, const uint8_t image_digest)`
			`{`
			`ptrdiff_t keylen;`

Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`keylen = signature_verification_key_end - signature_verification_key_start;`
			`if(keylen != SIGNATURE_VERIFICATION_KEYLEN) {`
			`ESP_LOGE(TAG, "Embedded public verification key has wrong length %d", keylen);`
bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`return ESP_FAIL;`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`}`

bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`if (sig_block->version != 0) {`
			`ESP_LOGE(TAG, "image has invalid signature version field 0x%08x", sig_block->version);`
			`return ESP_FAIL;`
			`}`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00
secure boot: Pad to avoid data after the signature mapping into the address space Because address space is mapped in 64KB pages, it was possible for unauthenticated data after the app .bin to become mapped into the flash cache address space. This problem is solved by 2 changes: * "esptool elf2image --secure-pad" will pad the image so that the signature block ends close to the 64KB boundary. Due to alignment constraints it will be 12 bytes too short after signing (but with flash encryption, these 12 bytes are still encrypted as part of the last block and can't be arbitrarily changed). * By default, secure boot now requires all app partitions to be a multiple of 64KB in size. 2018-07-12 21:52:57 -04:00			`ESP_LOGD(TAG, "Verifying secure boot signature");`

bootloader: use mbedTLS for secure boot verification in firmware 2019-01-04 02:18:28 -05:00			`#ifdef BOOTLOADER_BUILD`
			`bool is_valid;`
bootloader: Calculate SHA256 hash of image on every boot Makes app image booting more reliable (256-bit rather than 8-bit verification.) Some measurements, time to boot a 655KB app.bin file and run to app_main() execution. (All for rev 1 silicon, ie no 340ms spurious WDT delay.) 80MHz QIO mode: before = 300ms after = 140ms 40MHz DIO mode: before = 712ms after = 577ms 40MHz DIO mode, secure boot enabled before = 1380ms after = 934ms (Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.) 2017-06-28 02:46:34 -04:00			`is_valid = uECC_verify(signature_verification_key_start,`
			`image_digest,`
			`DIGEST_LEN,`
			`sig_block->signature,`
			`uECC_secp256r1());`
secure boot: Pad to avoid data after the signature mapping into the address space Because address space is mapped in 64KB pages, it was possible for unauthenticated data after the app .bin to become mapped into the flash cache address space. This problem is solved by 2 changes: * "esptool elf2image --secure-pad" will pad the image so that the signature block ends close to the 64KB boundary. Due to alignment constraints it will be 12 bytes too short after signing (but with flash encryption, these 12 bytes are still encrypted as part of the last block and can't be arbitrarily changed). * By default, secure boot now requires all app partitions to be a multiple of 64KB in size. 2018-07-12 21:52:57 -04:00			`ESP_LOGD(TAG, "Verification result %d", is_valid);`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`return is_valid ? ESP_OK : ESP_ERR_IMAGE_INVALID;`
bootloader: use mbedTLS for secure boot verification in firmware 2019-01-04 02:18:28 -05:00			`#else /* BOOTLOADER_BUILD */`
			`int ret;`
			`mbedtls_mpi r, s;`

			`mbedtls_mpi_init(&r);`
			`mbedtls_mpi_init(&s);`

			`/* Extract r and s components from RAW ECDSA signature of 64 bytes */`
			`#define ECDSA_INTEGER_LEN 32`
			`ret = mbedtls_mpi_read_binary(&r, &sig_block->signature[0], ECDSA_INTEGER_LEN);`
			`if (ret != 0) {`
			`ESP_LOGE(TAG, "Failed mbedtls_mpi_read_binary(1), err:%d", ret);`
			`return ESP_FAIL;`
			`}`

			`ret = mbedtls_mpi_read_binary(&s, &sig_block->signature[ECDSA_INTEGER_LEN], ECDSA_INTEGER_LEN);`
			`if (ret != 0) {`
			`ESP_LOGE(TAG, "Failed mbedtls_mpi_read_binary(2), err:%d", ret);`
			`mbedtls_mpi_free(&r);`
			`return ESP_FAIL;`
			`}`

			`/* Initialise ECDSA context */`
			`mbedtls_ecdsa_context ecdsa_context;`
			`mbedtls_ecdsa_init(&ecdsa_context);`

			`mbedtls_ecp_group_load(&ecdsa_context.grp, MBEDTLS_ECP_DP_SECP256R1);`
			`size_t plen = mbedtls_mpi_size(&ecdsa_context.grp.P);`
			`if (keylen != 2*plen) {`
			`ESP_LOGE(TAG, "Incorrect ECDSA key length %d", keylen);`
			`ret = ESP_FAIL;`
			`goto cleanup;`
			`}`

			`/* Extract X and Y components from ECDSA public key */`
			`MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ecdsa_context.Q.X, signature_verification_key_start, plen));`
			`MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ecdsa_context.Q.Y, signature_verification_key_start + plen, plen));`
			`MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ecdsa_context.Q.Z, 1));`

			`ret = mbedtls_ecdsa_verify(&ecdsa_context.grp, image_digest, DIGEST_LEN, &ecdsa_context.Q, &r, &s);`
			`ESP_LOGD(TAG, "Verification result %d", ret);`

			`cleanup:`
			`mbedtls_mpi_free(&r);`
			`mbedtls_mpi_free(&s);`
			`mbedtls_ecdsa_free(&ecdsa_context);`
			`return ret == 0 ? ESP_OK : ESP_ERR_IMAGE_INVALID;`
			`#endif /* !BOOTLOADER_BUILD */`
Secure boot: initial image signature support 2016-11-03 02:33:30 -04:00			`}`