mirror
/
esp-idf
kopia lustrzana https://github.com/espressif/esp-idf
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność

Merge branch 'feature/support_esp32c3_master_cmake_secure_boot' into 'master' 

bootloader/esp32c3: Support secure boot

Closes IDF-2115

See merge request espressif/esp-idf!11797
pull/6491/head
Angus Gratton 2021-01-21 08:42:49 +08:00
rodzic f7c9f1afd7 88c5fe49b8
commit fe8a891de9
19 zmienionych plików z 451 dodań i 129 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

5
components/app_update/esp_ota_ops.c
Wyświetl plik

@ -45,6 +45,9 @@
#elif CONFIG_IDF_TARGET_ESP32S2
#include "esp32s2/rom/crc.h"
#include "esp32s2/rom/secure_boot.h"
#elif CONFIG_IDF_TARGET_ESP32C3
#include "esp32c3/rom/crc.h"
#include "esp32c3/rom/secure_boot.h"
#endif
#define SUB_TYPE_ID(i) (i & 0x0F)
@ -891,7 +894,7 @@ esp_err_t esp_ota_erase_last_boot_app_partition(void)
return ESP_OK;
}
#if CONFIG_IDF_TARGET_ESP32S2 && CONFIG_SECURE_BOOT_V2_ENABLED
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1 && CONFIG_SECURE_BOOT_V2_ENABLED
esp_err_t esp_ota_revoke_secure_boot_public_key(esp_ota_secure_boot_public_key_index_t index) {
if (!esp_secure_boot_enabled()) {

4
components/app_update/include/esp_ota_ops.h
Wyświetl plik

@ -312,7 +312,7 @@ esp_err_t esp_ota_erase_last_boot_app_partition(void);
*/
bool esp_ota_check_rollback_is_possible(void);
#if CONFIG_IDF_TARGET_ESP32S2 && (CONFIG_SECURE_BOOT_V2_ENABLED || __DOXYGEN__)
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1 && (CONFIG_SECURE_BOOT_V2_ENABLED || __DOXYGEN__)
/**
* Secure Boot V2 public key indexes.
@ -338,7 +338,7 @@ typedef enum {
* - ESP_FAIL: If secure boot v2 has not been enabled.
*/
esp_err_t esp_ota_revoke_secure_boot_public_key(esp_ota_secure_boot_public_key_index_t index);
#endif /* CONFIG_IDF_TARGET_ESP32S2 */
#endif /* SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1 */
#ifdef __cplusplus
}

14
components/bootloader/Kconfig.projbuild
Wyświetl plik

@ -344,10 +344,15 @@ menu "Security features"
select MBEDTLS_ECDSA_C
depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
config SECURE_BOOT_SUPPORTS_RSA
bool
default y
depends on ESP32_REV_MIN_3 || IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3
config SECURE_TARGET_HAS_SECURE_ROM_DL_MODE
bool
default y
depends on IDF_TARGET_ESP32S2
depends on IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3
config SECURE_SIGNED_APPS_NO_SECURE_BOOT
@ -384,7 +389,7 @@ menu "Security features"
config SECURE_SIGNED_APPS_RSA_SCHEME
bool "RSA"
depends on (ESP32_REV_MIN_3 || IDF_TARGET_ESP32S2) && SECURE_BOOT_V2_ENABLED
depends on SECURE_BOOT_SUPPORTS_RSA && SECURE_BOOT_V2_ENABLED
help
Appends the RSA-3072 based Signature block to the application.
Refer to <Secure Boot Version 2 documentation link> before enabling.
@ -419,6 +424,7 @@ menu "Security features"
config SECURE_BOOT
bool "Enable hardware Secure Boot in bootloader (READ DOCS FIRST)"
default n
depends on !IDF_TARGET_ESP32C3 # IDF-2647
help
Build a bootloader which enables Secure Boot on first boot.
@ -448,8 +454,8 @@ menu "Security features"
config SECURE_BOOT_V2_ENABLED
bool "Enable Secure Boot version 2"
depends on ESP32_REV_MIN_3 || IDF_TARGET_ESP32S2
select SECURE_ENABLE_SECURE_ROM_DL_MODE if IDF_TARGET_ESP32S2 && !SECURE_INSECURE_ALLOW_DL_MODE
depends on SECURE_BOOT_SUPPORTS_RSA
select SECURE_ENABLE_SECURE_ROM_DL_MODE if !IDF_TARGET_ESP32 && !SECURE_INSECURE_ALLOW_DL_MODE
select SECURE_DISABLE_ROM_DL_MODE if ESP32_REV_MIN_3 && !SECURE_INSECURE_ALLOW_DL_MODE
help
Build a bootloader which enables Secure Boot version 2 on first boot.

2
components/bootloader/subproject/CMakeLists.txt
Wyświetl plik

@ -181,7 +181,7 @@ elseif(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
"* Not recommended to re-use the same secure boot keyfile on multiple production devices."
DEPENDS gen_secure_bootloader_key gen_bootloader_digest_bin
VERBATIM)
elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND CONFIG_IDF_TARGET_ESP32S2)
elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND (CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_IDF_TARGET_ESP32C3))
add_custom_command(TARGET bootloader.elf POST_BUILD
COMMAND ${CMAKE_COMMAND} -E echo
"=============================================================================="

303
components/bootloader_support/src/esp32c3/secure_boot.c
Wyświetl plik

@ -11,32 +11,303 @@
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "esp_secure_boot.h"
#include <string.h>
#include "esp_log.h"
#include "esp_secure_boot.h"
#include "soc/efuse_reg.h"
#include "bootloader_flash_priv.h"
#include "bootloader_sha.h"
#include "bootloader_utility.h"
#include "esp_rom_crc.h"
#include "esp_efuse.h"
#include "esp_efuse_table.h"
#include "esp32c3/rom/efuse.h"
#include "esp32c3/rom/secure_boot.h"
#include "esp_rom_efuse.h"
static const char *TAG = "secure_boot";
static const char *TAG = "secure_boot_v2";
#define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
esp_err_t esp_secure_boot_permanently_enable(void)
#define SIG_BLOCK_MAGIC_BYTE 0xe7
#define CRC_SIGN_BLOCK_LEN 1196
#define SIG_BLOCK_PADDING 4096
#define DIGEST_LEN 32
/* A signature block is valid when it has correct magic byte, crc and image digest. */
static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *block, int block_num, const uint8_t *image_digest)
{
uint8_t hash[32];
if (esp_rom_efuse_is_secure_boot_enabled()) {
ESP_LOGI(TAG, "secure boot is already enabled, continuing..");
uint32_t crc = esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN);
if (block->magic_byte != SIG_BLOCK_MAGIC_BYTE) {
// All signature blocks have been parsed, no new signature block present.
ESP_LOGD(TAG, "Signature block(%d) invalid/absent.", block_num);
return ESP_FAIL;
}
if (block->block_crc != crc) {
ESP_LOGE(TAG, "Magic byte correct but incorrect crc.");
return ESP_FAIL;
}
if (memcmp(image_digest, block->image_digest, DIGEST_LEN)) {
ESP_LOGE(TAG, "Magic byte & CRC correct but incorrect image digest.");
return ESP_FAIL;
} else {
ESP_LOGD(TAG, "valid signature block(%d) found", block_num);
return ESP_OK;
}
ESP_LOGI(TAG, "Verifying bootloader signature...\n");
int r = ets_secure_boot_verify_bootloader(hash, false);
if (r != ESP_OK) {
ESP_LOGE(TAG, "Failed to verify bootloader signature");
return r;
return ESP_FAIL;
}
/* Structure to hold public key digests calculated from the signature blocks of a single image.
Each image can have one or more signature blocks (up to SECURE_BOOT_NUM_BLOCKS). Each signature block
includes a public key.
Different to the ROM ets_secure_boot_key_digests_t structure which holds pointers to eFuse data with digests,
in this data structure the digest data is included.
*/
typedef struct {
uint8_t key_digests[SECURE_BOOT_NUM_BLOCKS][DIGEST_LEN];
unsigned num_digests; /* Number of valid digests, starting at index 0 */
} image_sig_public_key_digests_t;
/* Generates the public key digests of the valid public keys in an image's
signature block, verifies each signature, and stores the key digests in the
public_key_digests structure.
@param flash_offset Image offset in flash
@param flash_size Image size in flash (not including signature block)
@param[out] public_key_digests Pointer to structure to hold the key digests for valid sig blocks
Note that this function doesn't read any eFuses, so it doesn't know if the
keys are ultimately trusted by the hardware or not
@return - ESP_OK if no signatures failed to verify, or if no valid signature blocks are found at all.
- ESP_FAIL if there's a valid signature block that doesn't verify using the included public key (unexpected!)
*/
static esp_err_t s_calculate_image_public_key_digests(uint32_t flash_offset, uint32_t flash_size, image_sig_public_key_digests_t *public_key_digests)
{
esp_err_t ret;
uint8_t image_digest[DIGEST_LEN] = {0};
uint8_t __attribute__((aligned(4))) key_digest[DIGEST_LEN] = {0};
size_t sig_block_addr = flash_offset + ALIGN_UP(flash_size, FLASH_SECTOR_SIZE);
ESP_LOGD(TAG, "calculating public key digests for sig blocks of image offset 0x%x (sig block offset 0x%x)", flash_offset, sig_block_addr);
bzero(public_key_digests, sizeof(image_sig_public_key_digests_t));
ret = bootloader_sha256_flash_contents(flash_offset, sig_block_addr - flash_offset, image_digest);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "error generating image digest, %d", ret);
return ret;
}
ets_efuse_clear_program_registers();
REG_SET_BIT(EFUSE_PGM_DATA3_REG, EFUSE_SECURE_BOOT_EN);
ets_efuse_program(ETS_EFUSE_BLOCK0);
ESP_LOGD(TAG, "reading signatures");
const ets_secure_boot_signature_t *signatures = bootloader_mmap(sig_block_addr, sizeof(ets_secure_boot_signature_t));
if (signatures == NULL) {
ESP_LOGE(TAG, "bootloader_mmap(0x%x, 0x%x) failed", sig_block_addr, sizeof(ets_secure_boot_signature_t));
return ESP_FAIL;
}
for (int i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
const ets_secure_boot_sig_block_t *block = &signatures->block[i];
ret = validate_signature_block(block, i, image_digest);
if (ret != ESP_OK) {
ret = ESP_OK; // past the last valid signature block
break;
}
/* Generating the SHA of the public key components in the signature block */
bootloader_sha256_handle_t sig_block_sha;
sig_block_sha = bootloader_sha256_start();
bootloader_sha256_data(sig_block_sha, &block->key, sizeof(block->key));
bootloader_sha256_finish(sig_block_sha, key_digest);
// Check we can verify the image using this signature and this key
uint8_t temp_verified_digest[DIGEST_LEN];
bool verified = ets_rsa_pss_verify(&block->key, block->signature, image_digest, temp_verified_digest);
if (!verified) {
/* We don't expect this: the signature blocks before we enable secure boot should all be verifiable or invalid,
so this is a fatal error
*/
ret = ESP_FAIL;
ESP_LOGE(TAG, "Secure boot key (%d) verification failed.", i);
break;
}
ESP_LOGD(TAG, "Signature block (%d) is verified", i);
/* Copy the key digest to the buffer provided by the caller */
memcpy((void *)public_key_digests->key_digests[i], key_digest, DIGEST_LEN);
public_key_digests->num_digests++;
}
if (ret == ESP_OK && public_key_digests->num_digests > 0) {
ESP_LOGI(TAG, "Digests successfully calculated, %d valid signatures (image offset 0x%x)",
public_key_digests->num_digests, flash_offset);
}
bootloader_munmap(signatures);
return ret;
}
static esp_err_t check_and_generate_secure_boot_keys(const esp_image_metadata_t *image_data)
{
esp_err_t ret;
/* Verify the bootloader */
esp_image_metadata_t bootloader_data = { 0 };
ret = esp_image_verify_bootloader_data(&bootloader_data);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "bootloader image appears invalid! error %d", ret);
return ret;
}
/* Check if secure boot digests are present */
bool has_secure_boot_digest = esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0, NULL);
has_secure_boot_digest |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST1, NULL);
has_secure_boot_digest |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST2, NULL);
ESP_LOGI(TAG, "Secure boot digests %s", has_secure_boot_digest ? "already present":"absent, generating..");
if (!has_secure_boot_digest) {
image_sig_public_key_digests_t boot_key_digests = {0};
image_sig_public_key_digests_t app_key_digests = {0};
/* Generate the bootloader public key digests */
ret = s_calculate_image_public_key_digests(bootloader_data.start_addr, bootloader_data.image_len - SIG_BLOCK_PADDING, &boot_key_digests);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Bootloader signature block is invalid");
return ret;
}
if (boot_key_digests.num_digests == 0) {
ESP_LOGE(TAG, "No valid bootloader signature blocks found.");
return ESP_FAIL;
}
ESP_LOGI(TAG, "%d signature block(s) found appended to the bootloader.", boot_key_digests.num_digests);
esp_efuse_purpose_t secure_boot_key_purpose[SECURE_BOOT_NUM_BLOCKS] = {
ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0,
ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST1,
ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST2,
};
ret = esp_efuse_write_keys(secure_boot_key_purpose, boot_key_digests.key_digests, boot_key_digests.num_digests);
if (ret) {
if (ret == ESP_ERR_NOT_ENOUGH_UNUSED_KEY_BLOCKS) {
ESP_LOGE(TAG, "Bootloader signatures(%d) more than available key slots.", boot_key_digests.num_digests);
} else {
ESP_LOGE(TAG, "Failed to write efuse block with purpose (err=0x%x). Can't continue.", ret);
}
return ret;
}
/* Generate the application public key digests */
ret = s_calculate_image_public_key_digests(image_data->start_addr, image_data->image_len - SIG_BLOCK_PADDING, &app_key_digests);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "App signature block is invalid.");
return ret;
}
if (app_key_digests.num_digests == 0) {
ESP_LOGE(TAG, "No valid applications signature blocks found.");
return ESP_FAIL;
}
ESP_LOGI(TAG, "%d signature block(s) found appended to the app.", app_key_digests.num_digests);
if (app_key_digests.num_digests > boot_key_digests.num_digests) {
ESP_LOGW(TAG, "App has %d signature blocks but bootloader only has %d. Some keys missing from bootloader?");
}
/* Confirm if at least one public key from the application matches a public key in the bootloader
(Also, ensure if that public revoke bit is not set for the matched key) */
bool match = false;
for (int i = 0; i < boot_key_digests.num_digests; i++) {
if (esp_efuse_get_digest_revoke(i)) {
ESP_LOGI(TAG, "Key block(%d) has been revoked.", i);
continue; // skip if the key block is revoked
}
for (int j = 0; j < app_key_digests.num_digests; j++) {
if (!memcmp(boot_key_digests.key_digests[i], app_key_digests.key_digests[j], DIGEST_LEN)) {
ESP_LOGI(TAG, "Application key(%d) matches with bootloader key(%d).", j, i);
match = true;
}
}
}
if (match == false) {
ESP_LOGE(TAG, "No application key digest matches the bootloader key digest.");
return ESP_FAIL;
}
/* Revoke the empty signature blocks */
if (boot_key_digests.num_digests < SECURE_BOOT_NUM_BLOCKS) {
/* The revocation index can be 0, 1, 2. Bootloader count can be 1,2,3. */
for (uint8_t i = boot_key_digests.num_digests; i < SECURE_BOOT_NUM_BLOCKS; i++) {
ESP_LOGI(TAG, "Revoking empty key digest slot (%d)...", i);
esp_efuse_set_digest_revoke(i);
}
}
}
return ESP_OK;
}
esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data)
{
ESP_LOGI(TAG, "enabling secure boot v2...");
if (esp_secure_boot_enabled()) {
ESP_LOGI(TAG, "secure boot v2 is already enabled, continuing..");
return ESP_OK;
}
esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */
esp_err_t key_state = check_and_generate_secure_boot_keys(image_data);
if (key_state != ESP_OK) {
esp_efuse_batch_write_cancel();
return key_state;
}
esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
#ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
ESP_LOGI(TAG, "Enabling Security download mode...");
esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
#else
ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
#endif
#ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
ESP_LOGI(TAG, "Disable hardware & software JTAG...");
esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
esp_efuse_write_field_bit(ESP_EFUSE_DIS_USB_JTAG);
esp_efuse_write_field_bit(ESP_EFUSE_SOFT_DIS_JTAG);
#else
ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#endif
#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
#endif
esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
esp_err_t err = esp_efuse_batch_write_commit();
if (err != ESP_OK) {
ESP_LOGE(TAG, "Error programming security eFuses (err=0x%x).", err);
return err;
}
#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
assert(ets_efuse_secure_boot_aggressive_revoke_enabled());
#endif
assert(esp_rom_efuse_is_secure_boot_enabled());
ESP_LOGI(TAG, "Secure boot permanently enabled");

81
components/bootloader_support/src/esp32c3/secure_boot_signatures.c
Wyświetl plik

@ -14,80 +14,81 @@
#include "sdkconfig.h"
#include "bootloader_flash.h"
#include <string.h>
#include "esp_fault.h"
#include "bootloader_flash_priv.h"
#include "bootloader_sha.h"
#include "bootloader_utility.h"
#include "esp_log.h"
#include "esp_image_format.h"
#include "esp_secure_boot.h"
#include "esp32c3/rom/secure_boot.h"
static const char *TAG = "secure_boot";
static const char* TAG = "secure_boot";
#define DIGEST_LEN 32
#define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
{
ets_secure_boot_key_digests_t trusted_keys = { 0 };
uint8_t digest[DIGEST_LEN];
uint8_t verified_digest[DIGEST_LEN] = { 0 }; /* Note: this function doesn't do any anti-FI checks on this buffer */
const uint8_t *data;
ESP_LOGD(TAG, "verifying signature src_addr 0x%x length 0x%x", src_addr, length);
if ((src_addr + length) % 4096 != 0) {
ESP_LOGE(TAG, "addr 0x%x length 0x%x doesn't end on a sector boundary", src_addr, length);
return ESP_ERR_INVALID_ARG;
}
/* Padding to round off the input to the nearest 4k boundary */
int padded_length = ALIGN_UP(length, FLASH_SECTOR_SIZE);
ESP_LOGD(TAG, "verifying src_addr 0x%x length", src_addr, padded_length);
data = bootloader_mmap(src_addr, length + sizeof(struct ets_secure_boot_sig_block));
if (data == NULL) {
ESP_LOGE(TAG, "bootloader_mmap(0x%x, 0x%x) failed", src_addr, length + sizeof(ets_secure_boot_signature_t));
ESP_LOGE(TAG, "bootloader_mmap(0x%x, 0x%x) failed", src_addr, length+sizeof(ets_secure_boot_signature_t));
return ESP_FAIL;
}
// Calculate digest of main image
#ifdef BOOTLOADER_BUILD
bootloader_sha256_handle_t handle = bootloader_sha256_start();
bootloader_sha256_data(handle, data, length);
bootloader_sha256_finish(handle, digest);
#else
/* Use thread-safe esp-idf SHA function */
esp_sha(SHA2_256, data, length, digest);
#endif
int r = ets_secure_boot_read_key_digests(&trusted_keys);
if (r == ETS_OK) {
const ets_secure_boot_signature_t *sig = (const ets_secure_boot_signature_t *)(data + length);
// TODO: calling this function in IDF app context is unsafe
r = ets_secure_boot_verify_signature(sig, digest, &trusted_keys);
/* Calculate digest of main image */
esp_err_t err = bootloader_sha256_flash_contents(src_addr, padded_length, digest);
if (err != ESP_OK) {
ESP_LOGE(TAG, "Digest calculation failed 0x%x, 0x%x", src_addr, padded_length);
bootloader_munmap(data);
return err;
}
const ets_secure_boot_signature_t *sig = (const ets_secure_boot_signature_t *)(data + length);
int r = esp_secure_boot_verify_rsa_signature_block(sig, digest, verified_digest);
bootloader_munmap(data);
return (r == ETS_OK) ? ESP_OK : ESP_FAIL;
}
esp_err_t esp_secure_boot_verify_signature_block(uint32_t sig_block_flash_offs, const uint8_t *image_digest)
esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
{
ets_secure_boot_key_digests_t trusted_keys;
ets_secure_boot_key_digests_t trusted_key_copies[2];
ETS_STATUS r;
ets_secure_boot_status_t sb_result;
assert(sig_block_flash_offs % 4096 == 0); // TODO: enforce this in a better way
memset(&trusted_keys, 0, sizeof(ets_secure_boot_key_digests_t));
memset(trusted_key_copies, 0, 2 * sizeof(ets_secure_boot_key_digests_t));
const ets_secure_boot_signature_t *sig = bootloader_mmap(sig_block_flash_offs, sizeof(ets_secure_boot_signature_t));
if (!esp_secure_boot_enabled()) {
return ESP_OK;
}
if (sig == NULL) {
ESP_LOGE(TAG, "Failed to mmap data at offset 0x%x", sig_block_flash_offs);
r = ets_secure_boot_read_key_digests(&trusted_keys);
if (r != ETS_OK) {
ESP_LOGI(TAG, "Could not read secure boot digests!");
return ESP_FAIL;
}
int r = ets_secure_boot_read_key_digests(&trusted_keys);
if (r != 0) {
ESP_LOGE(TAG, "No trusted key digests were found in efuse!");
} else {
ESP_LOGD(TAG, "Verifying with RSA-PSS...");
// TODO: calling this function in IDF app context is unsafe
r = ets_secure_boot_verify_signature(sig, image_digest, &trusted_keys);
}
// Create the copies for FI checks (assuming result is ETS_OK, if it's not then it'll fail the fault check anyhow)
ets_secure_boot_read_key_digests(&trusted_key_copies[0]);
ets_secure_boot_read_key_digests(&trusted_key_copies[1]);
ESP_FAULT_ASSERT(memcmp(&trusted_keys, &trusted_key_copies[0], sizeof(ets_secure_boot_key_digests_t)) == 0);
ESP_FAULT_ASSERT(memcmp(&trusted_keys, &trusted_key_copies[1], sizeof(ets_secure_boot_key_digests_t)) == 0);
bootloader_munmap(sig);
return (r == 0) ? ESP_OK : ESP_ERR_IMAGE_INVALID;
ESP_LOGI(TAG, "Verifying with RSA-PSS boot...");
sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_keys, verified_digest);
return (sb_result == SB_SUCCESS) ? ESP_OK : ESP_FAIL;
}

2
components/bootloader_support/src/esp32s2/secure_boot.c
Wyświetl plik

@ -260,7 +260,7 @@ static esp_err_t check_and_generate_secure_boot_keys(const esp_image_metadata_t
esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data)
{
ESP_LOGI(TAG, "enabling secure boot v2 - ESP32-S2...");
ESP_LOGI(TAG, "enabling secure boot v2...");
if (esp_secure_boot_enabled()) {
ESP_LOGI(TAG, "secure boot v2 is already enabled, continuing..");

2
components/bootloader_support/src/esp32s3/secure_boot.c
Wyświetl plik

@ -260,7 +260,7 @@ static esp_err_t check_and_generate_secure_boot_keys(const esp_image_metadata_t
esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data)
{
ESP_LOGI(TAG, "enabling secure boot v2 - ESP32-S2...");
ESP_LOGI(TAG, "enabling secure boot v2...");
if (esp_secure_boot_enabled()) {
ESP_LOGI(TAG, "secure boot v2 is already enabled, continuing..");

20
components/bootloader_support/src/idf/secure_boot_signatures.c
Wyświetl plik

@ -31,6 +31,8 @@
#ifdef CONFIG_IDF_TARGET_ESP32S2
#include <esp32s2/rom/secure_boot.h>
#elif CONFIG_IDF_TARGET_ESP32C3
#include <esp32c3/rom/secure_boot.h>
#endif
#define DIGEST_LEN 32
@ -147,7 +149,7 @@ static const char *TAG = "secure_boot_v2";
#define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
#define RSA_KEY_SIZE 384 /* RSA 3072 Bits */
#if CONFIG_IDF_TARGET_ESP32S2
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1
inline static bool digest_matches(const void *trusted, const void *computed)
{
if (trusted == NULL) {
@ -165,7 +167,7 @@ inline static bool digest_matches(const void *trusted, const void *computed)
memcpy(computed_local, computed, ETS_DIGEST_LEN);
return memcmp(trusted_local, computed_local, ETS_DIGEST_LEN) == 0;
}
#endif /* CONFIG_IDF_TARGET_ESP32S2 */
#endif /* SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1 */
esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
{
@ -214,7 +216,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_key_digest[i]);
}
#if CONFIG_IDF_TARGET_ESP32
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
uint8_t efuse_trusted_digest[DIGEST_LEN] = {0};
memcpy(efuse_trusted_digest, (uint8_t *) EFUSE_BLK2_RDATA0_REG, sizeof(efuse_trusted_digest));
@ -229,7 +231,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
return ESP_FAIL;
}
}
#elif CONFIG_IDF_TARGET_ESP32S2
#elif SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1
bool match = false;
ets_secure_boot_key_digests_t efuse_trusted_digest;
ETS_STATUS r;
@ -238,7 +240,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
ESP_LOGI(TAG, "Could not read secure boot digests!");
return ESP_FAIL;
}
#endif /* CONFIG_IDF_TARGET_ESP32 */
#endif /* SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS */
#endif /* CONFIG_SECURE_BOOT_V2_ENABLED */
ESP_LOGI(TAG, "Verifying with RSA-PSS...");
@ -261,7 +263,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
}
for (i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
#if CONFIG_IDF_TARGET_ESP32S2
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1
for (uint8_t j = 0; j < SECURE_BOOT_NUM_BLOCKS; j++) {
if (digest_matches(efuse_trusted_digest.key_digests[j], sig_block_key_digest[i])) {
ESP_LOGI(TAG, "eFuse key matches(%d) matches the application key(%d).", j, i);
@ -272,7 +274,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
if (match == false) {
continue; // Skip the public keys whose digests don't match.
}
# endif
# endif // SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1
const mbedtls_mpi N = { .s = 1,
.n = sizeof(sig_block->block[i].key.n)/sizeof(mbedtls_mpi_uint),
@ -328,9 +330,9 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
free(sig_be);
free(buf);
#if CONFIG_IDF_TARGET_ESP32
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
return (ret != 0) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
#elif CONFIG_IDF_TARGET_ESP32S2
#elif SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS > 1
return (ret != 0 || match == false) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
#endif /* CONFIG_IDF_TARGET_ESP32 */
}

24
components/efuse/src/esp32c3/esp_efuse_fields.c
Wyświetl plik

@ -45,17 +45,6 @@ uint32_t esp_efuse_get_pkg_ver(void)
return pkg_ver;
}
// Disable BASIC ROM Console via efuse
void esp_efuse_disable_basic_rom_console(void)
{
uint8_t dis_legacy_spi_boot = 0;
esp_efuse_read_field_blob(ESP_EFUSE_DIS_LEGACY_SPI_BOOT, &dis_legacy_spi_boot, 1);
if (dis_legacy_spi_boot == 0) {
esp_efuse_write_field_cnt(ESP_EFUSE_DIS_LEGACY_SPI_BOOT, 1);
ESP_EARLY_LOGI(TAG, "Disable Disable_Legcy_SPI_boot mode...");
}
}
void esp_efuse_write_random_key(uint32_t blk_wdata0_reg)
{
uint32_t buf[8];
@ -71,3 +60,16 @@ void esp_efuse_write_random_key(uint32_t blk_wdata0_reg)
bzero(buf, sizeof(buf));
bzero(raw, sizeof(raw));
}
esp_err_t esp_efuse_disable_rom_download_mode(void)
{
return esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
}
esp_err_t esp_efuse_enable_rom_secure_download_mode(void)
{
if (esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE)) {
return ESP_ERR_INVALID_STATE;
}
return esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
}

9
components/esp_common/include/esp_fault.h
Wyświetl plik

@ -58,6 +58,11 @@ extern "C" {
if(!(CONDITION)) _ESP_FAULT_RESET(); \
} while(0)
#ifndef CONFIG_IDF_TARGET_ARCH_RISCV
#define _ESP_FAULT_ILLEGAL_INSTRUCTION asm volatile("ill.n; ill.n; ill.n; ill.n; ill.n; ill.n; ill.n;")
#else
#define _ESP_FAULT_ILLEGAL_INSTRUCTION asm volatile("unimp; unimp; unimp; unimp; unimp;")
#endif
// Uncomment this macro to get debug output if ESP_FAULT_ASSERT() fails
//
@ -75,7 +80,7 @@ extern "C" {
#define _ESP_FAULT_RESET() do { \
REG_WRITE(RTC_CNTL_OPTIONS0_REG, RTC_CNTL_SW_SYS_RST); \
asm volatile("ill; ill; ill;"); \
_ESP_FAULT_ILLEGAL_INSTRUCTION; \
} while(0)
#else // ESP_FAULT_ASSERT_DEBUG
@ -84,7 +89,7 @@ extern "C" {
#define _ESP_FAULT_RESET() do { \
esp_rom_printf("ESP_FAULT_ASSERT %s:%d\n", __FILE__, __LINE__); \
asm volatile("ill;"); \
_ESP_FAULT_ILLEGAL_INSTRUCTION; \
} while(0)
#endif // ESP_FAULT_ASSERT_DEBUG

2
components/esp_rom/include/esp32c3/rom/rsa_pss.h
Wyświetl plik

@ -33,7 +33,7 @@ typedef struct {
uint32_t mdash;
} ets_rsa_pubkey_t;
bool ets_rsa_pss_verify(const ets_rsa_pubkey_t *key, const uint8_t *sig, const uint8_t *digest);
bool ets_rsa_pss_verify(const ets_rsa_pubkey_t *key, const uint8_t *sig, const uint8_t *digest, uint8_t *verified_digest);
void ets_mgf1_sha256(const uint8_t *mgfSeed, size_t seedLen, size_t maskLen, uint8_t *mask);

71
components/esp_rom/include/esp32c3/rom/secure_boot.h
Wyświetl plik

@ -17,7 +17,7 @@
#include <stdint.h>
#include <stdbool.h>
#include "ets_sys.h"
#include "rsa_pss.h"
#ifdef __cplusplus
@ -31,45 +31,66 @@ typedef struct ets_secure_boot_sig_block ets_secure_boot_sig_block_t;
typedef struct ets_secure_boot_signature ets_secure_boot_signature_t;
typedef struct ets_secure_boot_key_digests ets_secure_boot_key_digests_t;
/* Verify bootloader image (reconfigures cache to map,
loads trusted key digests from efuse)
If allow_key_revoke is true and aggressive revoke efuse is set,
any failed signature has its associated key revoked in efuse.
If result is ETS_OK, the "simple hash" of the bootloader
is copied into verified_hash.
/* Anti-FI measure: use full words for success/fail, instead of
0/non-zero
*/
int ets_secure_boot_verify_bootloader(uint8_t *verified_hash, bool allow_key_revoke);
typedef enum {
SB_SUCCESS = 0x3A5A5AA5,
SB_FAILED = 0x7533885E,
} ets_secure_boot_status_t;
/* Verify bootloader image (reconfigures cache to map), with
key digests provided as parameters.)
/* Verify and stage-load the bootloader image
(reconfigures cache to map, loads trusted key digests from efuse,
copies the bootloader into the staging buffer.)
If allow_key_revoke is true and aggressive revoke efuse is set,
any failed signature has its associated key revoked in efuse.
If result is SB_SUCCESS, the "simple hash" of the bootloader
is copied into verified_hash.
*/
ets_secure_boot_status_t ets_secure_boot_verify_stage_bootloader(uint8_t *verified_hash, bool allow_key_revoke);
/* Verify bootloader image (reconfigures cache to map),
with key digests provided as parameters.)
Can be used to verify secure boot status before enabling
secure boot permanently.
If result is ETS_OK, the "simple hash" of the bootloader is
If stage_load parameter is true, bootloader is copied into staging
buffer in RAM at the same time.
If result is SB_SUCCESS, the "simple hash" of the bootloader is
copied into verified_hash.
*/
int ets_secure_boot_verify_bootloader_with_keys(uint8_t *verified_hash, const ets_secure_boot_key_digests_t *trusted_keys);
ets_secure_boot_status_t ets_secure_boot_verify_bootloader_with_keys(uint8_t *verified_hash, const ets_secure_boot_key_digests_t *trusted_keys, bool stage_load);
/* Read key digests from efuse. Any revoked/missing digests will be
marked as NULL
*/
ETS_STATUS ets_secure_boot_read_key_digests(ets_secure_boot_key_digests_t *trusted_keys);
/* Verify supplied signature against supplied digest, using
supplied trusted key digests.
Doesn't reconfigure cache or any other hardware access.
*/
int ets_secure_boot_verify_signature(const ets_secure_boot_signature_t *sig, const uint8_t *image_digest, const ets_secure_boot_key_digests_t *trusted_keys);
Doesn't reconfigure cache or any other hardware access except for RSA peripheral.
/* Read key digests from efuse. Any revoked/missing digests will be
marked as NULL
Returns 0 if at least one valid digest was found.
If result is SB_SUCCESS, the image_digest value is copied into verified_digest.
*/
int ets_secure_boot_read_key_digests(ets_secure_boot_key_digests_t *trusted_keys);
ets_secure_boot_status_t ets_secure_boot_verify_signature(const ets_secure_boot_signature_t *sig, const uint8_t *image_digest, const ets_secure_boot_key_digests_t *trusted_keys, uint8_t *verified_digest);
/* Revoke a public key digest in efuse.
@param index Digest to revoke. Must be 0, 1 or 2.
*/
void ets_secure_boot_revoke_public_key_digest(int index);
#define ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC 0xE7
/* Secure Boot V2 signature block (up to 3 can be appended) */
/* Secure Boot V2 signature block
(Up to 3 in a signature sector are appended to the image)
*/
struct ets_secure_boot_sig_block {
uint8_t magic_byte;
uint8_t version;
@ -94,8 +115,10 @@ struct ets_secure_boot_signature {
_Static_assert(sizeof(ets_secure_boot_signature_t) == 4096, "invalid sig sector size");
#define MAX_KEY_DIGESTS 3
struct ets_secure_boot_key_digests {
const void *key_digests[3];
const void *key_digests[MAX_KEY_DIGESTS];
bool allow_key_revoke;
};

11
components/esp_rom/include/esp32s2/rom/secure_boot.h
Wyświetl plik

@ -29,17 +29,6 @@ typedef struct ets_secure_boot_sig_block ets_secure_boot_sig_block_t;
typedef struct ets_secure_boot_signature ets_secure_boot_signature_t;
typedef struct ets_secure_boot_key_digests ets_secure_boot_key_digests_t;
/* 64KB 'staging buffer' for loading the verified bootloader
Comes from the "shared buffers" region (see shared_buffers.h)
The bootloader can't be safely linked into this address range
(may be possible with some cleverness.)
*/
#define SECURE_BOOT_STAGING_BUFFER_START ((uint32_t)(g_shared_buffers.secure_boot_staging_buf))
#define SECURE_BOOT_STAGING_BUFFER_SZ sizeof(g_shared_buffers.secure_boot_staging_buf)
#define SECURE_BOOT_STAGING_BUFFER_END (SECURE_BOOT_STAGING_BUFFER_START + SECURE_BOOT_STAGING_BUFFER_SZ)
/* Anti-FI measure: use full words for success/fail, instead of
0/non-zero
*/

1
components/soc/esp32/include/soc/soc_caps.h
Wyświetl plik

@ -72,6 +72,7 @@
#define SOC_ULP_SUPPORTED 1
#define SOC_RTC_SLOW_MEM_SUPPORTED 1
#define SOC_CCOMP_TIMER_SUPPORTED 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 1
/*-------------------------- ADC CAPS ----------------------------------------*/
#define SOC_ADC_PERIPH_NUM (2)

4
components/soc/esp32c3/include/soc/soc_caps.h
Wyświetl plik

@ -44,6 +44,10 @@
#include "uart_caps.h"
#include "rtc_caps.h"
/*-------------------------- COMMON CAPS ---------------------------------------*/
#define SOC_SUPPORTS_SECURE_DL_MODE 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
/*-------------------------- TOUCH SENSOR CAPS -------------------------------*/
#define SOC_TOUCH_SENSOR_NUM (0) /*! No touch sensors on ESP32-C3 */

1
components/soc/esp32s2/include/soc/soc_caps.h
Wyświetl plik

@ -48,6 +48,7 @@
#define SOC_ULP_SUPPORTED 1
#define SOC_RTC_SLOW_MEM_SUPPORTED 1
#define SOC_CCOMP_TIMER_SUPPORTED 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
#define SOC_CACHE_SUPPORT_WRAP 1

1
components/soc/esp32s3/include/soc/soc_caps.h
Wyświetl plik

@ -15,6 +15,7 @@
#define SOC_ULP_SUPPORTED 1
#define SOC_RTC_SLOW_MEM_SUPPORTED 1
#define SOC_CCOMP_TIMER_SUPPORTED 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
/*-------------------------- ADC CAPS ----------------------------------------*/

23
docs/en/security/secure-boot-v2.rst
Wyświetl plik

@ -25,11 +25,15 @@ Advantages
- The RSA public key is stored on the device. The corresponding RSA private key is kept secret on a server and is never accessed by the device.
- Up to three public keys can be generated and stored in ESP32-S2 during manufacturing. (ESP32 ECO3: only one key)
.. only:: esp32
- ESP32-S2 provides the facility to permanently revoke individual public keys. This can be configured conservatively or aggressively.
- Only one public key can be generated and stored in ESP32 ECO3 during manufacturing.
.. only:: esp32s2
- Up to three public keys can be generated and stored in the chip during manufacturing.
- {IDF_TARGET_NAME} provides the facility to permanently revoke individual public keys. This can be configured conservatively or aggressively.
- Conservatively - The old key is revoked after the bootloader and application have successfully migrated to a new key. Aggressively - The key is revoked as soon as verification with this key fails.
@ -96,7 +100,15 @@ The remainder of the signature sector is erased flash (0xFF) which allows writin
Verifying the signature Block
-----------------------------
A signature block is “valid” if the first byte is 0xe7 and a valid CRC32 is stored at offset 1196. Upto 3 signature blocks can be appended to the bootloader or application image in ESP32-S2. (ESP32 ECO3: only one key)
A signature block is “valid” if the first byte is 0xe7 and a valid CRC32 is stored at offset 1196.
.. only:: esp32
Only one signature block can be appended to the bootloader or application image in ESP32 ECO3.
.. only:: esp32s2
Upto 3 signature blocks can be appended to the bootloader or application image in {IDF_TARGET_NAME}.
An image is “verified” if the public key stored in any signature block is valid for this device, and if the stored signature is valid for the image data read from flash.
@ -153,7 +165,7 @@ eFuse usage
- SECURE_BOOT_EN - Enables secure boot protection on boot.
- KEY_PURPOSE_X - Set the purpose of the key block on ESP32-S2 by programming SECURE_BOOT_DIGESTX (X = 0, 1, 2) into KEY_PURPOSE_X (X = 0, 1, 2, 3, 4). Example: If KEY_PURPOSE_2 is set to SECURE_BOOT_DIGEST1, then BLOCK_KEY2 will have the Secure Boot V2 public key digest.
- KEY_PURPOSE_X - Set the purpose of the key block on {IDF_TARGET_NAME} by programming SECURE_BOOT_DIGESTX (X = 0, 1, 2) into KEY_PURPOSE_X (X = 0, 1, 2, 3, 4). Example: If KEY_PURPOSE_2 is set to SECURE_BOOT_DIGEST1, then BLOCK_KEY2 will have the Secure Boot V2 public key digest.
- BLOCK_KEYX - The block contains the data corresponding to its purpose programmed in KEY_PURPOSE_X. Stores the SHA-256 digest of the public key. SHA-256 hash of public key modulus, exponent, precalculated R & M values (represented as 776 bytes – offsets 36 to 812 - as per the :ref:`signature-block-format`) is written to an eFuse key block.
@ -288,6 +300,7 @@ Secure Boot Best Practices
* The bootloader can be signed with multiple keys from the factory.
Assuming a trusted private key (N-1) has been compromised, to update to new keypair (N).
1. Server sends an OTA update with an application signed with the new private key (#N).
2. The new OTA update is written to an unused OTA app partition.
3. The new application's signature block is validated. The public keys are checked against the digests programmed in the eFuse & the application is verified using the verified public key.