secure boot: Encrypt the bootloader signature when enabling flash encryption + secure boot v2
parent
073ba0a608
commit
0dacff4df4
1 changed files with 11 additions and 0 deletions
|
@ -236,6 +236,17 @@ static esp_err_t encrypt_bootloader(void)
|
||||||
/* Check for plaintext bootloader (verification will fail if it's already encrypted) */
|
/* Check for plaintext bootloader (verification will fail if it's already encrypted) */
|
||||||
if (esp_image_verify_bootloader(&image_length) == ESP_OK) {
|
if (esp_image_verify_bootloader(&image_length) == ESP_OK) {
|
||||||
ESP_LOGD(TAG, "bootloader is plaintext. Encrypting...");
|
ESP_LOGD(TAG, "bootloader is plaintext. Encrypting...");
|
||||||
|
|
||||||
|
#if CONFIG_SECURE_BOOT_V2_ENABLED
|
||||||
|
// Account for the signature sector after the bootloader
|
||||||
|
image_length = (image_length + FLASH_SECTOR_SIZE - 1) & ~(FLASH_SECTOR_SIZE - 1);
|
||||||
|
image_length += FLASH_SECTOR_SIZE;
|
||||||
|
if (ESP_BOOTLOADER_OFFSET + image_length > ESP_PARTITION_TABLE_OFFSET) {
|
||||||
|
ESP_LOGE(TAG, "Bootloader is too large to fit Secure Boot V2 signature sector and partition table (configured offset 0x%x)", ESP_PARTITION_TABLE_OFFSET);
|
||||||
|
return ESP_ERR_INVALID_STATE;
|
||||||
|
}
|
||||||
|
#endif // CONFIG_SECURE_BOOT_V2_ENABLED
|
||||||
|
|
||||||
err = esp_flash_encrypt_region(ESP_BOOTLOADER_OFFSET, image_length);
|
err = esp_flash_encrypt_region(ESP_BOOTLOADER_OFFSET, image_length);
|
||||||
if (err != ESP_OK) {
|
if (err != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "Failed to encrypt bootloader in place: 0x%x", err);
|
ESP_LOGE(TAG, "Failed to encrypt bootloader in place: 0x%x", err);
|
||||||
|
|
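Review bot: The overlap check `if (ESP_BOOTLOADER_OFFSET + image_length > ESP_PARTITION_TABLE_OFFSET)` sits inside `#if CONFIG_SECURE_BOOT_V2_ENABLED`, so a build without Secure Boot V2 still hands an unchecked `image_length` to `esp_flash_encrypt_region()`. Whether `esp_image_verify_bootloader()` already bounds the length against the partition table is not visible here; if it does not, placing the check after the `#endif` (with a log message that does not mention the signature sector) would stop either configuration from encrypting into the partition table. The extra sector is also encrypted on the assumption that the signature block sits at the next sector boundary, so I would extend the comment to say so, e.g. `// Signature block is expected in the FLASH_SECTOR_SIZE-aligned sector directly after the image`. It would also help to note what state the device is left in when this path returns `ESP_ERR_INVALID_STATE`. `encrypt_bootloader()` starts and ends outside the hunk.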