feat: Add test app to verify SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT

Add a test app to verify the working of the application when
SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT is selected in the menuconfig
and the application is not signed

tools/test_apps/.build-test-rules.yml

@@ -68,6 +68,12 @@ tools/test_apps/security/secure_boot:
     - if: IDF_ENV_FPGA != 1
       reason: the test can only run on an FPGA as efuses need to be reset during the test.
 
+tools/test_apps/security/signed_app_no_secure_boot:
+  enable:
+    - if: IDF_TARGET in ["esp32c2", "esp32c3"]
+      temporary: true
+      reason: No need to test on all targets
+
 tools/test_apps/system/bootloader_sections:
   disable:
     - if: IDF_TARGET == "esp32c2"

tools/test_apps/security/signed_app_no_secure_boot/CMakeLists.txt

@@ -0,0 +1,7 @@
+# The following lines of boilerplate have to be in your project's
+# CMakeLists in this exact order for cmake to work correctly
+cmake_minimum_required(VERSION 3.16)
+
+# Secure Boot not currently supported for ESP32-S2
+include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+project(secure_boot)

tools/test_apps/security/signed_app_no_secure_boot/README.md

@@ -0,0 +1,11 @@
+| Supported Targets | ESP32-C2 | ESP32-C3 |
+| ----------------- | -------- | -------- |
+
+# Secure Signed On Update No Secure Boot
+
+This examples verifies the case when CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT is selected and application is not signed. The application should abort its execution with the logs:
+
+```
+secure_boot_v2: No signatures were found for the running app
+secure_boot: This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.
+```

tools/test_apps/security/signed_app_no_secure_boot/main/CMakeLists.txt

@@ -0,0 +1,2 @@
+idf_component_register(SRCS "main.c"
+                    INCLUDE_DIRS ".")

tools/test_apps/security/signed_app_no_secure_boot/main/main.c

@@ -0,0 +1,15 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Unlicense OR CC0-1.0
+ */
+#include <stdio.h>
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+
+#define TAG "example_secure_boot"
+
+void app_main(void)
+{
+    printf("\nExample for secured signed with no secure boot\n");
+}

tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+# SPDX-License-Identifier: Unlicense OR CC0-1.0
+
+import pytest
+from pytest_embedded import Dut
+
+
+@pytest.mark.esp32c2
+@pytest.mark.esp32c3
+@pytest.mark.generic
+def test_examples_security_on_update_no_secure_boot(dut: Dut) -> None:
+    dut.expect("This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.", timeout=10)

tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.defaults

@@ -0,0 +1,8 @@
+CONFIG_SECURE_SIGNED_ON_UPDATE=y
+CONFIG_SECURE_SIGNED_APPS=y
+CONFIG_SECURE_BOOT_V2_PREFERRED=y
+CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
+CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
+# CONFIG_SECURE_BOOT is not set
+# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is not set
+# CONFIG_SECURE_FLASH_ENC_ENABLED is not set