alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'bugfix/add_signature_in_image_len_v5.0' into 'release/v5.0'

Browse Source 
bootloader_support: consider signature sector in image length validation (v5.0)

See merge request espressif/esp-idf!19483
This commit is contained in:
Ivan Grokhotkov 2022-08-23 20:19:24 +08:00
commit 9cd98fbd4a
1 changed files with 35 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
components/bootloader_support/src/esp_image_format.c
View File

@ -36,6 +36,8 @@
#include "esp32c2/rom/secure_boot.h"
#endif
#define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
/* Checking signatures as part of verifying images is necessary:
- Always if secure boot is enabled
- Differently in bootloader and/or app, depending on kconfig
@ -107,7 +109,7 @@ static esp_err_t verify_segment_header(int index, const esp_image_segment_header
while(0)
static esp_err_t process_image_header(esp_image_metadata_t *data, uint32_t part_offset, bootloader_sha256_handle_t *sha_handle, bool do_verify, bool silent);
static esp_err_t process_appended_hash(esp_image_metadata_t *data, uint32_t part_len, bool do_verify, bool silent);
static esp_err_t process_appended_hash_and_sig(esp_image_metadata_t *data, uint32_t part_offset, uint32_t part_len, bool do_verify, bool silent);
static esp_err_t process_checksum(bootloader_sha256_handle_t sha_handle, uint32_t checksum_word, esp_image_metadata_t *data, bool silent, bool skip_check_checksum);
static esp_err_t __attribute__((unused)) verify_secure_boot_signature(bootloader_sha256_handle_t sha_handle, esp_image_metadata_t *data, uint8_t *image_digest, uint8_t *verified_digest);
@ -159,7 +161,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
CHECK_ERR(process_segments(data, silent, do_load, sha_handle, checksum));
bool skip_check_checksum = !do_verify || esp_cpu_dbgr_is_attached();
CHECK_ERR(process_checksum(sha_handle, checksum_word, data, silent, skip_check_checksum));
CHECK_ERR(process_appended_hash(data, part->size, do_verify, silent));
CHECK_ERR(process_appended_hash_and_sig(data, part->offset, part->size, do_verify, silent));
if (verify_sha) {
#if (SECURE_BOOT_CHECK_SIGNATURE == 1)
// secure boot images have a signature appended
@ -299,7 +301,7 @@ esp_err_t esp_image_get_metadata(const esp_partition_pos_t *part, esp_image_meta
CHECK_ERR(process_segments(metadata, silent, do_load, NULL, NULL));
bool skip_check_checksum = true;
CHECK_ERR(process_checksum(NULL, 0, metadata, silent, skip_check_checksum));
CHECK_ERR(process_appended_hash(metadata, part->size, true, silent));
CHECK_ERR(process_appended_hash_and_sig(metadata, part->offset, part->size, true, silent));
return ESP_OK;
err:
return err;
@ -762,7 +764,7 @@ esp_err_t esp_image_verify_bootloader_data(esp_image_metadata_t *data)
data);
}
static esp_err_t process_appended_hash(esp_image_metadata_t *data, uint32_t part_len, bool do_verify, bool silent)
static esp_err_t process_appended_hash_and_sig(esp_image_metadata_t *data, uint32_t part_offset, uint32_t part_len, bool do_verify, bool silent)
{
esp_err_t err = ESP_OK;
if (data->image.hash_appended) {
@ -773,8 +775,34 @@ static esp_err_t process_appended_hash(esp_image_metadata_t *data, uint32_t part
data->image_len += HASH_LEN;
}
if (data->image_len > part_len) {
FAIL_LOAD("Image length %d doesn't fit in partition length %d", data->image_len, part_len);
uint32_t sig_block_len = 0;
const uint32_t end = data->image_len;
#if CONFIG_SECURE_BOOT || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
// Case I: Bootloader part
if (part_offset == ESP_BOOTLOADER_OFFSET) {
// For bootloader with secure boot v1, signature stays in an independant flash
// sector (offset 0x0) and does not get appended to the image.
#if CONFIG_SECURE_BOOT_V2_ENABLED
// Sanity check - secure boot v2 signature block starts on 4K boundary
sig_block_len = ALIGN_UP(end, FLASH_SECTOR_SIZE) - end;
sig_block_len += sizeof(ets_secure_boot_signature_t);
#endif
} else {
// Case II: Application part
#if CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
sig_block_len = sizeof(esp_secure_boot_sig_block_t);
#else
// Sanity check - secure boot v2 signature block starts on 4K boundary
sig_block_len = ALIGN_UP(end, FLASH_SECTOR_SIZE) - end;
sig_block_len += sizeof(ets_secure_boot_signature_t);
#endif
}
#endif // CONFIG_SECURE_BOOT || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
const uint32_t full_image_len = end + sig_block_len;
if (full_image_len > part_len) {
FAIL_LOAD("Image length %d doesn't fit in partition length %d", full_image_len, part_len);
}
return err;
err:
@ -835,7 +863,7 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
#if CONFIG_SECURE_BOOT_V2_ENABLED
// End of the image needs to be padded all the way to a 4KB boundary, after the simple hash
// (for apps they are usually already padded due to --secure-pad-v2, only a problem if this option was not used.)
uint32_t padded_end = (end + FLASH_SECTOR_SIZE - 1) & ~(FLASH_SECTOR_SIZE-1);
uint32_t padded_end = ALIGN_UP(end, FLASH_SECTOR_SIZE);
if (padded_end > end) {
const void *padding = bootloader_mmap(end, padded_end - end);
bootloader_sha256_data(sha_handle, padding, padded_end - end);