Merge branch 'feat/flash_enc_encrypt_app_image_of_size_image_length' into 'master'

feat(bootloader_support): Encrypt only the app image instead of the whole partition

Closes IDFGH-11439

See merge request espressif/esp-idf!27295

components/bootloader/Kconfig.projbuild

@@ -1070,6 +1070,22 @@ menu "Security features"
                 DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
     endmenu  # Potentially Insecure
 
+    config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
+        bool "Encrypt only the app image that is present in the partition of type app"
+        depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+        default y
+        help
+            If set (default), optimise encryption time for the partition of type APP,
+            by only encrypting the app image that is present in the partition,
+            instead of the whole partition.
+            The image length used for encryption is derived from the image metadata, which
+            includes the size of the app image, checksum, hash and also the signature sector
+            when secure boot is enabled.
+
+            If not set, the whole partition of type APP would be encrypted,
+            which increases the encryption time but might be useful if there
+            is any custom data appended to the firmware image.
+
     config SECURE_FLASH_CHECK_ENC_EN_IN_APP
         bool "Check Flash Encryption enabled on app startup"
         depends on SECURE_FLASH_ENC_ENABLED

components/bootloader_support/src/esp_image_format.c

@@ -919,9 +919,13 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
         return ESP_ERR_IMAGE_INVALID;
     }
 
-#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
     // Adjust image length result to include the appended signature
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
     data->image_len = end - data->start_addr + sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+    if (data->start_addr != ESP_BOOTLOADER_OFFSET) {
+        data->image_len = end - data->start_addr + sizeof(esp_secure_boot_sig_block_t);
+    }
 #endif
 
 #endif // SECURE_BOOT_CHECK_SIGNATURE

components/bootloader_support/src/flash_encryption/flash_encrypt.c

@@ -404,14 +404,21 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
 {
     esp_err_t err;
     bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
+    uint32_t size = partition->pos.size;
 
     if (partition->type == PART_TYPE_APP) {
         /* check if the partition holds a valid unencrypted app */
-        esp_image_metadata_t data_ignored;
+        esp_image_metadata_t image_data = {};
         err = esp_image_verify(ESP_IMAGE_VERIFY,
                                &partition->pos,
-                               &data_ignored);
+                               &image_data);
         should_encrypt = (err == ESP_OK);
+#ifdef SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
+        if (should_encrypt) {
+            // Encrypt only the app image instead of encrypting the whole partition
+            size = image_data.image_len;
+        }
+#endif
     } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
                 || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
         /* check if we have ota data partition and the partition should be encrypted unconditionally */
@@ -422,9 +429,9 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
         return ESP_OK;
     } else {
         /* should_encrypt */
-        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, partition->pos.size);
+        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, size);
 
-        err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size);
+        err = esp_flash_encrypt_region(partition->pos.offset, size);
         ESP_LOGI(TAG, "Done encrypting");
         if (err != ESP_OK) {
             ESP_LOGE(TAG, "Failed to encrypt partition %d", index);

docs/en/migration-guides/release-5.x/5.3/index.rst

@@ -7,5 +7,6 @@ Migration from 5.2 to 5.3
     :maxdepth: 1
 
     peripherals
+    security
     storage
     system

docs/en/migration-guides/release-5.x/5.3/security.rst

@@ -0,0 +1,14 @@
+Security
+========
+
+:link_to_translation:`zh_CN:[中文]`
+
+.. only:: SOC_FLASH_ENC_SUPPORTED
+
+    Platform security features
+    --------------------------
+
+    When flash encryption is enabled, encrypt only the app image that is present partition of type app, instead of encrypting the whole partition. This can help to optimize the encryption time required during the first boot.
+
+    This could be configured using the config ``CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART``, which is enabled by default from ESP-IDF v5.3
+    and is disabled for all earlier releases to avoid any breaking behaviour.

docs/zh_CN/migration-guides/release-5.x/5.3/index.rst

@@ -7,5 +7,6 @@
     :maxdepth: 1
 
     peripherals
+    security
     storage
     system

docs/zh_CN/migration-guides/release-5.x/5.3/security.rst

@@ -0,0 +1 @@
+.. include:: ../../../../en/migration-guides/release-5.x/5.3/security.rst