diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index f15207fd0f..93396b1fe3 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@@ -63,6 +63,42 @@ extern "C" {
 #include "esp_efuse_table.h"
 #endif
+/**
+ * @brief Secure Boot Signature Block Version field
+ */
+typedef enum {
+ ESP_SECURE_BOOT_V1_ECDSA = 0, /*!< Secure Boot v1 */
+ ESP_SECURE_BOOT_V2_RSA = 2, /*!< Secure Boot v2 with RSA key */
+ ESP_SECURE_BOOT_V2_ECDSA = 3, /*!< Secure Boot v2 with ECDSA key */
+} esp_secure_boot_sig_scheme_t;
+
+#if CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V1_ECDSA
+#elif CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V2_RSA
+#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+#define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V2_ECDSA
+#endif
+
+#if CONFIG_SECURE_BOOT || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
+/** @brief Get the selected secure boot scheme key type
+ *
+ * @return key type for the selected secure boot scheme
+ */
+static inline char* esp_secure_boot_get_scheme_name(esp_secure_boot_sig_scheme_t scheme)
+{
+ switch (scheme) {
+ case ESP_SECURE_BOOT_V2_RSA:
+ return "RSA";
+ case ESP_SECURE_BOOT_V1_ECDSA:
+ case ESP_SECURE_BOOT_V2_ECDSA:
+ return "ECDSA";
+ default:
+ return "Unknown";
+ }
+}
+#endif
+
 /** @brief Is secure boot currently enabled in hardware?
 *
 * This means that the ROM bootloader code will only boot
diff --git a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c
index e62e881a66..054adff3d3 100644
--- a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c
+++ b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c
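Review bot: `esp_secure_boot_get_scheme_name` hands out string literals through a non-const `char*`, so a caller can write through the pointer into read-only data; since every use in this commit only feeds the result to a `%s` log argument, changing the signature to `static inline const char *esp_secure_boot_get_scheme_name(esp_secure_boot_sig_scheme_t scheme)` is compatible. The Doxygen block above it has no `@param` and its `@brief` talks about "the selected" scheme although the function describes whatever value it is given; add `@param scheme Signature block version value to describe` and reword the brief to "Get the key-type name for a signature block version". The `ESP_SECURE_BOOT_SCHEME` chain has no `#else`, so a configuration that enables the guarded code without any of the three `CONFIG_SECURE_SIGNED_APPS_*_SCHEME` options only fails at the first use with an undefined identifier; an `#else` / `#error "no secure boot signing scheme selected"` arm names the real cause.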
@@ -70,7 +70,7 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig
 return ESP_FAIL;
 }
- if (sig_block->version != 0) {
+ if (sig_block->version != ESP_SECURE_BOOT_SCHEME) {
 ESP_LOGE(TAG, "image has invalid signature version field 0x%08"PRIx32" (image without a signature?)", sig_block->version);
 return ESP_FAIL;
 }
diff --git a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_bootloader.c b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_bootloader.c
index ef39baee03..9118f1c65d 100644
--- a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_bootloader.c
+++ b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_bootloader.c
@@ -69,7 +69,7 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig
 return ESP_FAIL;
 }
- if (sig_block->version != 0) {
+ if (sig_block->version != ESP_SECURE_BOOT_SCHEME) {
 ESP_LOGE(TAG, "image has invalid signature version field 0x%08" PRIx32 " (image without a signature?)", sig_block->version);
 return ESP_FAIL;
 }
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot.c b/components/bootloader_support/src/secure_boot_v2/secure_boot.c
index a7de5d439d..c9d58ebee6 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
index fc2aed1792..8dc886e67d 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
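Review bot: The log text on the line after the changed condition still reads `(image without a signature?)`, but the check now rejects any version other than `ESP_SECURE_BOOT_SCHEME`, so a block produced for a different scheme is reported under the wrong cause; the identical hunk in `secure_boot_v1/secure_boot_signatures_bootloader.c` has the same mismatch. Printing the expected value makes the two cases distinguishable: `ESP_LOGE(TAG, "image has invalid signature version field 0x%08"PRIx32" (expected 0x%08x; image without a signature, or signed for another scheme?)", sig_block->version, (unsigned)ESP_SECURE_BOOT_SCHEME);`. With the v1 ECDSA option selected, `esp_secure_boot.h` in this commit resolves `ESP_SECURE_BOOT_SCHEME` to `ESP_SECURE_BOOT_V1_ECDSA` (0), so the comparison itself is equivalent to the old literal. `esp_secure_boot_verify_ecdsa_signature_block` begins and ends outside the hunk.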
@@ -44,6 +44,10 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
 || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
 return ESP_FAIL;
 }
+ if (block->version != ESP_SECURE_BOOT_SCHEME) {
+ ESP_LOGE(TAG, "%s signing scheme selected but signature block generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), esp_secure_boot_get_scheme_name(block->version));
+ return ESP_FAIL;
+ }
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
index a329003886..a653707845 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
@@ -61,6 +61,10 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
 || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
 return ESP_FAIL;
 }
+ if (block->version != ESP_SECURE_BOOT_SCHEME) {
+ ESP_LOGE(TAG, "%s signing scheme selected but signature block generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), esp_secure_boot_get_scheme_name(block->version));
+ return ESP_FAIL;
+ }
 return ESP_OK;
 }
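Review bot: The new mismatch log in `validate_signature_block` reports only key-type names, and the helper in `esp_secure_boot.h` returns "ECDSA" for both `ESP_SECURE_BOOT_V1_ECDSA` and `ESP_SECURE_BOOT_V2_ECDSA`, so with the ECDSA v2 option selected and a block carrying version 0 the message says "ECDSA signing scheme selected but signature block generated for ECDSA scheme"; for any value outside the enum it says "Unknown" and drops the raw field entirely. The same hunk appears in `secure_boot_v2/secure_boot_signatures_bootloader.c`. Appending the numeric field fixes both: `ESP_LOGE(TAG, "%s signing scheme selected but signature block generated for %s scheme (version field 0x%08" PRIx32 ")", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), esp_secure_boot_get_scheme_name(block->version), block->version);` (with `<inttypes.h>` in scope, which I cannot confirm from the hunk). Passing `block->version`, a `uint32_t` read from the image, to an `esp_secure_boot_sig_scheme_t` parameter relies on the helper's `default` arm for out-of-range values, which it has; a comment such as `// version field comes from the image; the helper tolerates any value` records that reliance, and the function itself starts outside the hunk.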
@@ -148,9 +152,21 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
 int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest);
 #else
 ets_secure_boot_key_digests_t trusted_key_digests = {0};
+ bool valid_sig_blk = false;
 for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
+ if (sig_block->block[i].version != ESP_SECURE_BOOT_SCHEME) {
+ ESP_LOGD(TAG, "%s signing scheme selected but signature block %d generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), i, esp_secure_boot_get_scheme_name(sig_block->block[i].version));
+ continue;
+ } else {
+ valid_sig_blk = true;
+ }
 trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
 }
+ if (valid_sig_blk != true) {
+ ESP_LOGE(TAG, "No signature block generated for valid scheme");
+ ESP_LOGE(TAG, "%s signing scheme selected but no signature block for the selected scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME));
+ return ESP_FAIL;
+ }
 // Key revocation happens in ROM bootloader.
 // Do NOT allow key revocation while verifying application
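Review bot: The new `ESP_LOGD` inside the block loop formats `i`, which the `for` declares as `unsigned`, with `%d`; the matching conversion is `%u`. In the same hunk the `else` after `continue` is redundant, `if (valid_sig_blk != true)` reads more plainly as `if (!valid_sig_blk)`, and the two consecutive `ESP_LOGE` calls carry the same information, so one suffices. A skipped block now leaves `trusted_key_digests.key_digests[i]` at the NULL from its `{0}` initialiser instead of `&trusted.key_digests[i]`; the ROM verifier is not visible here, so it is worth confirming that `ets_secure_boot_verify_signature` treats a NULL entry as an empty slot rather than dereferencing it, and the rewrite below records that expectation next to the `continue`. `esp_secure_boot_verify_sbv2_signature_block` begins and ends outside the hunk.
```c
    ets_secure_boot_key_digests_t trusted_key_digests = {0};
    bool valid_sig_blk = false;
    for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
        if (sig_block->block[i].version != ESP_SECURE_BOOT_SCHEME) {
            ESP_LOGD(TAG, "%s signing scheme selected but signature block %u generated for %s scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME), i, esp_secure_boot_get_scheme_name(sig_block->block[i].version));
            // key_digests[i] stays NULL for this slot; assumes the ROM verifier skips NULL entries — confirm
            continue;
        }
        valid_sig_blk = true;
        trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
    }
    if (!valid_sig_blk) {
        ESP_LOGE(TAG, "%s signing scheme selected but no signature block for the selected scheme", esp_secure_boot_get_scheme_name(ESP_SECURE_BOOT_SCHEME));
        return ESP_FAIL;
    }
    // … unchanged: key revocation setup and ROM verify call …
```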