Some additional checks related to secure version of the application in
anti-rollback case have been added to avoid any attempts to boot lower
security version but valid application (e.g., passive partition image).
- Read secure_version under sha256 protection
- First check has been added in the bootloader to ensure correct secure
version after application verification and loading stage. This check
happens before setting up the flash cache mapping and handling over
the final control to application. This check ensures that application
was not swapped (e.g., to lower security version but valid image) just
before the load stage in bootloader.
- Second check has been added in the application startup code to ensure
that currently booting app has higher security version than the one
programmed in the eFuse for anti-rollback scenario. This will ensure
that only the legit application boots-up on the device for
anti-rollback case.
Many places in the ESP_SYSTEM are using CONFIG_FREERTOS_UNICORE instead of CONFIG_ESP_SYSTEM_SINGLE_CORE_MODE (GitHub PR)
Closes IDFGH-11333
See merge request espressif/esp-idf!27435
Added an API to verify the bootloader and app image before revoking the key in Secure Boot V2.
This will help in preventing the device to be bricked if the bootloader/application cannot be
verified by any other keys in efuse
Since DRAM and IRAM are superposed on esp32c6 it is not necessary to convert a freshly allocated
DRAM addr to its IRAM equivalent when MALLOC_CAP_EXEC is passed to heap_caps_malloc(). Instead,
proceed with a default allocation since the address returned by multi_heap_malloc() already belongs
to the IRAM region.
Applies for esp32c6 and every boards with superposed DRAM and IRAM addresses.
User's custom data are not taken into account during the CRC calculation anymore.
Which means taht the retained mem structure is not systematically erased
on each reboot anymore.
The following two functions in bootloader_support are private now:
* esp_secure_boot_verify_sbv2_signature_block()
* esp_secure_boot_verify_rsa_signature_block()
They have been moved into private header files
inside bootloader_private/
* Removed bootloader_reset_reason.h and
bootloader_common_get_reset_reason() completely.
Alternative in ROM component is available.
* made esp_efuse.h independent of target-specific rom header
In c4bcf111, soc_memory_types.h header was moved from soc to
esp_hw_support. Since some of the functions are also used in
bootloader and because esp_hw_support is not part of the bootloader
build, part of the functions were moved into bootloader_support.
To make these functions available to the app, bootloader_support was
added as a public dependency of esp_hw_support.
Since esp_hw_support is in common requirements list, this has added
bootloader_support as a public requirement to every component in the
build. Adding new public requirements outside of common components
is undesirable, since components may accidentally include headers
from bootloader_support without explicitly declaring it as a
requirement.
This commit reverts this addition. Until a better solution is found,
some part of esp_memory_utils.h is duplicated into
bootloader_memory_utils.h. A CI check is added to make sure these
files stay in sync.