Merge branch 'feat/flash_enc_encrypt_app_image_of_size_image_length_v5.1' into 'release/v5.1'

feat(bootloader_support): Encrypt only the app image instead of the whole partition (v5.1) See merge request espressif/esp-idf!28266
2024-10-05 20:47:46 -04:00 · 2024-02-28 10:57:45 +08:00 · 2024-02-28 10:57:45 +08:00 · 8b7bd28549
commit 8b7bd28549
parent 76152c80a2 a24715d822
3 changed files with 32 additions and 5 deletions
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -1022,6 +1022,22 @@ menu "Security features"
                DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
    endmenu  # Potentially Insecure

+    config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
+        bool "Encrypt only the app image that is present in the partition of type app"
+        depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+        default n
+        help
+            If set, optimise encryption time for the partition of type APP,
+            by only encrypting the app image that is present in the partition,
+            instead of the whole partition.
+            The image length used for encryption is derived from the image metadata, which
+            includes the size of the app image, checksum, hash and also the signature sector
+            when secure boot is enabled.
+
+            If not set (default), the whole partition of type APP would be encrypted,
+            which increases the encryption time but might be useful if there
+            is any custom data appended to the firmware image.
+
    config SECURE_FLASH_CHECK_ENC_EN_IN_APP
        bool "Check Flash Encryption enabled on app startup"
        depends on SECURE_FLASH_ENC_ENABLED
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@ -980,9 +980,13 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
        return ESP_ERR_IMAGE_INVALID;
    }

-#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
    // Adjust image length result to include the appended signature
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
    data->image_len = end - data->start_addr + sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+    if (data->start_addr != ESP_BOOTLOADER_OFFSET) {
+        data->image_len = end - data->start_addr + sizeof(esp_secure_boot_sig_block_t);
+    }
 #endif

 #endif // SECURE_BOOT_CHECK_SIGNATURE
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@ -393,14 +393,21 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
 {
    esp_err_t err;
    bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
+    uint32_t size = partition->pos.size;

    if (partition->type == PART_TYPE_APP) {
        /* check if the partition holds a valid unencrypted app */
-        esp_image_metadata_t data_ignored;
+        esp_image_metadata_t image_data = {};
        err = esp_image_verify(ESP_IMAGE_VERIFY,
                               &partition->pos,
-                               &data_ignored);
+                               &image_data);
        should_encrypt = (err == ESP_OK);
+#ifdef SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
+        if (should_encrypt) {
+            // Encrypt only the app image instead of encrypting the whole partition
+            size = image_data.image_len;
+        }
+#endif
    } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
                || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
        /* check if we have ota data partition and the partition should be encrypted unconditionally */
@ -411,9 +418,9 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
        return ESP_OK;
    } else {
        /* should_encrypt */
-        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, partition->pos.size);
+        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, size);

-        err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size);
+        err = esp_flash_encrypt_region(partition->pos.offset, size);
        ESP_LOGI(TAG, "Done encrypting");
        if (err != ESP_OK) {
            ESP_LOGE(TAG, "Failed to encrypt partition %d", index);