secure boot: Ensure mbedTLS enables ECDSA if signatures are checked in app

and all ECDSA to be disabled if secure boot is not enabled

Previously if ECDSA disabled in config then secure_boot_signatures.c would
fail to build (whether or not secure boot was enabled).

To avoid breaking apps that might be using the signature scheme with custom OTA
without enabling secure boot signatures in config, this change just disables
this functionality if unavailable in mbedTLS config.

Possible fix for root cause of https://github.com/espressif/esp-idf/pull/3703

Closes https://github.com/espressif/esp-idf/issues/4758

components/bootloader/Kconfig.projbuild

@@ -234,12 +234,15 @@ menu "Security features"
     config SECURE_SIGNED_ON_UPDATE
         bool
         default y
-        select MBEDTLS_ECP_DP_SECP256R1_ENABLED
         depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 
     config SECURE_SIGNED_APPS
         bool
         default y
+        select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+        select MBEDTLS_ECP_C
+        select MBEDTLS_ECDH_C
+        select MBEDTLS_ECDSA_C
         depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
 
 

components/bootloader_support/src/idf/secure_boot_signatures.c

@@ -56,6 +56,10 @@ esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
 
 esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
 {
+#if !(defined(CONFIG_MBEDTLS_ECDSA_C) && defined(CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED))
+    ESP_LOGE(TAG, "Signature verification requires ECDSA & SECP256R1 curve enabled");
+    return ESP_ERR_NOT_SUPPORTED;
+#else
     ptrdiff_t keylen;
 
     keylen = signature_verification_key_end - signature_verification_key_start;
@@ -117,4 +121,5 @@ cleanup:
     mbedtls_mpi_free(&s);
     mbedtls_ecdsa_free(&ecdsa_context);
     return ret == 0 ? ESP_OK : ESP_ERR_IMAGE_INVALID;
+#endif // CONFIG_MBEDTLS_ECDSA_C && CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
 }