change: Add error logs for secure boot scheme and key mismatch

2024-10-05 20:47:46 -04:00 · 2024-05-30 16:19:49 +05:30 · 2024-05-30 16:19:49 +05:30 · ff16ce4314
commit ff16ce4314
parent e863e6069c
6 changed files with 59 additions and 3 deletions
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@ -63,6 +63,42 @@ extern "C" {
 #include "esp_efuse_table.h"
 #endif

+/**
+ * @brief   Secure Boot Signature Block Version field
+ */
+typedef enum {
+    ESP_SECURE_BOOT_V1_ECDSA = 0,           /*!< Secure Boot v1 */
+    ESP_SECURE_BOOT_V2_RSA   = 2,           /*!< Secure Boot v2 with RSA key */
+    ESP_SECURE_BOOT_V2_ECDSA = 3,           /*!< Secure Boot v2 with ECDSA key */
+} esp_secure_boot_sig_scheme_t;
+
+#if CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V1_ECDSA
+#elif CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V2_RSA
+#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V2_ECDSA
+#endif
+
+#if CONFIG_SECURE_BOOT || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
+/** @brief Get the selected secure boot scheme key type
+ *
+ * @return key type for the selected secure boot scheme
+ */
+static inline char* esp_secure_boot_get_scheme_name(esp_secure_boot_sig_scheme_t scheme)
+{
+    switch (scheme) {
+        case ESP_SECURE_BOOT_V2_RSA:
+            return "RSA";
+        case ESP_SECURE_BOOT_V1_ECDSA:
+        case ESP_SECURE_BOOT_V2_ECDSA:
+            return "ECDSA";
+        default:
+            return "Unknown";
+    }
+}
+#endif
+
 /** @brief Is secure boot currently enabled in hardware?
 *
 * This means that the ROM bootloader code will only boot
--- a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c
+++ b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c
@ -70,7 +70,7 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig
        return ESP_FAIL;
    }

-    if (sig_block->version != 0) {
+    if (sig_block->version != ESP_SECURE_BOOT_SCHEME) {
        ESP_LOGE(TAG, "image has invalid signature version field 0x%08"PRIx32" (image without a signature?)", sig_block->version);
        return ESP_FAIL;
    }
--- a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_bootloader.c
+++ b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_bootloader.c
@ -69,7 +69,7 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig
        return ESP_FAIL;
    }

-    if (sig_block->version != 0) {
+    if (sig_block->version != ESP_SECURE_BOOT_SCHEME) {
        ESP_LOGE(TAG, "image has invalid signature version field 0x%08" PRIx32 " (image without a signature?)", sig_block->version);
        return ESP_FAIL;
    }
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot.c
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
@ -44,6 +44,10 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
        || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
        return ESP_FAIL;
    }
+    if (block->version != ESP_SECURE_BOOT_SCHEME) {
+        ESP_LOGE(TAG, "%s signing scheme selected but signature block generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), esp_secure_boot_get_scheme_name(block->version));
+        return ESP_FAIL;
+    }
    return ESP_OK;
 }

--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
@ -61,6 +61,10 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
        || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
        return ESP_FAIL;
    }
+    if (block->version != ESP_SECURE_BOOT_SCHEME) {
+        ESP_LOGE(TAG, "%s signing scheme selected but signature block generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), esp_secure_boot_get_scheme_name(block->version));
+        return ESP_FAIL;
+    }
    return ESP_OK;
 }

@ -148,9 +152,21 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
    int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest);
 #else
    ets_secure_boot_key_digests_t trusted_key_digests = {0};
+    bool valid_sig_blk = false;
    for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
+        if (sig_block->block[i].version != ESP_SECURE_BOOT_SCHEME) {
+            ESP_LOGD(TAG, "%s signing scheme selected but signature block %d generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), i, esp_secure_boot_get_scheme_name(sig_block->block[i].version));
+            continue;
+        } else {
+            valid_sig_blk = true;
+        }
        trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
    }
+    if (valid_sig_blk != true) {
+        ESP_LOGE(TAG, "No signature block generated for valid scheme");
+        ESP_LOGE(TAG, "%s signing scheme selected but no signature block for the selected scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME));
+        return ESP_FAIL;
+    }

    // Key revocation happens in ROM bootloader.
    // Do NOT allow key revocation while verifying application