docs: secure-boot-v2: add a section about secure padding

Mahavir Jain 2023-02-08 09:59:45 +05:30 committed by harshal.patil
parent 3beea950b7
commit d55b870ff2


@ -112,7 +112,7 @@ The Secure Boot V2 process follows these steps:
Signature Block Format
----------------------
The bootloader and application images are padded to the next 4096 byte boundary, thus the signature has a flash sector of its own. The signature is calculated over all bytes in the image including the padding bytes.
The signature block starts on a 4KB aligned boundary and has a flash sector of its own. The signature is calculated over all bytes in the image including the padding bytes (:ref:`secure_padding`).
The content of each signature block is shown in the following table:
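Review bot: The rewritten sentence in "Signature Block Format" no longer says how the bootloader image is padded. The replaced text covered "the bootloader and application images", while the new text points to :ref:`secure_padding`, which only describes the application image. Consider keeping an explicit statement for the bootloader here, for example that a signed bootloader is still padded to the 4KB sector boundary before the signature block, so the claim "the signature is calculated over all bytes in the image including the padding bytes" stays unambiguous for both image types.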
@ -205,6 +205,41 @@ The content of each signature block is shown in the following table:
The remainder of the signature sector is erased flash (0xFF) which allows writing other signature blocks after previous signature block.
.. _secure_padding:
Secure Padding
--------------
In Secure Boot V2 scheme, the application image is padded to the flash MMU page size boundary to ensure that only verified contents are mapped in the internal address space. This is known as secure padding. Signature of the image is calculated after padding and then signature block (4KB) gets appended to the image.
.. list::
- Default flash MMU page size is 64KB
:SOC_MMU_PAGE_SIZE_CONFIGURABLE: - {IDF_TARGET_NAME} supports configurable flash MMU page size, it (``CONFIG_MMU_PAGE_SIZE``) gets set based on the :ref:`CONFIG_ESPTOOLPY_FLASHSIZE`
- Secure padding is applied through the option ``--secure-pad-v2`` in the ``elf2image`` conversion using ``esptool.py``
Following table explains the Secure Boot V2 signed image with secure padding and signature block appended:
.. list-table:: Contents of a signed application
:widths: 20 20 20
:header-rows: 1
* - **Offset**
- **Size (KB)**
- **Description**
* - 0
- 580
- Unsigned application size (as an example)
* - 580
- 60
- Secure padding (aligned to next 64KB boundary)
* - 640
- 4
- Signature block
.. note::
Please note that the application image always starts on the next flash MMU page size boundary (default 64KB) and hence the space left over after the signature block shown above can be utilized to store any other data partitions (e.g., ``nvs``).
.. _verify_signature-block:
Verifying a Signature Block
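Review bot: In the "Contents of a signed application" table the **Offset** column carries no unit while **Size (KB)** does, and the rows (0, 580, 640) only make sense in KB. Suggest renaming the header to **Offset (KB)**. The table and the note also assume the default 64KB page size, although the list above says ``CONFIG_MMU_PAGE_SIZE`` is configurable on some targets, so it would help to say that the example uses the default. In the note, "the application image always starts on the next flash MMU page size boundary" reads as if it describes this image rather than the one that follows it. Stating the leftover range in the example (from 644KB up to the next 64KB boundary at 704KB) would make clear which space can hold other data partitions.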
@ -238,6 +273,8 @@ Bootloader Size
Enabling Secure boot and/or flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
In the case when :ref:`CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES` is disabled, the bootloader is sector padded (4KB) using the ``--pad-to-size`` option in ``elf2image`` command of ``esptool``.
.. _efuse-usage:
eFuse usage
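Review bot: The sentence added under "Bootloader Size" only covers the case where :ref:`CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES` is disabled and leaves the enabled case to be inferred. Suggest adding a short cross-reference to the "Signature Block Format" section for the signed case so both paths are documented in one place. The tool is also named ``esptool`` here but ``esptool.py`` in the "Secure Padding" section of this same commit. Pick one spelling and use it in both places.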