Crash_Override/OVMS3-idf
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

secure boot v2: Don't log warnings when BLK2 is empty as expected

Browse source 
If BLK2 is empty then it's OK to continue with a warning (otherwise it may spook users into thinking
something this is wrong, but this is the expected workflow.)

If BLK2 is not empty and doesn't match then we need to fail because it won't be possible to
trust the signature.
This commit is contained in:
Angus Gratton 2020-04-24 14:40:24 +10:00 committed by Angus Gratton
parent 69895387ee
commit 2c531d5bb3
2 changed files with 18 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
components/bootloader_support/src/esp32/secure_boot_signatures.c
View file

@ -152,7 +152,18 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_trusted_digest);
if (memcmp(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN) != 0) {
ESP_LOGW(TAG, "Public key digest in eFuse BLK2 and the signature block don't match.");
/* Most likely explanation for this is that BLK2 is empty, and we're going to burn it
after we verify that the signature is valid. However, if BLK2 is not empty then we need to
fail here.
*/
bool all_zeroes = true;
for (int i = 0; i < DIGEST_LEN; i++) {
all_zeroes = all_zeroes && (efuse_trusted_digest[i] == 0);
}
if (!all_zeroes) {
ESP_LOGE(TAG, "Different public key digest burned to eFuse BLK2");
return ESP_ERR_INVALID_STATE;
}
}
memcpy(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN);

9
components/bootloader_support/src/idf/secure_boot_signatures.c
View file

@ -187,11 +187,14 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_trusted_digest);
if (memcmp(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN) != 0) {
if (esp_secure_boot_enabled()) {
const uint8_t zeroes[DIGEST_LEN] = {0};
/* Can't continue if secure boot is enabled, OR if a different digest is already written in efuse BLK2
(If BLK2 is empty and Secure Boot is disabled then we assume that it will be enabled later.)
*/
if (esp_secure_boot_enabled() || memcmp(efuse_trusted_digest, zeroes, DIGEST_LEN) != 0) {
ESP_LOGE(TAG, "Public key digest in eFuse BLK2 and the signature block don't match.");
return ESP_FAIL;
} else {
ESP_LOGW(TAG, "Public key digest in eFuse BLK2 and the signature block don't match.");
}
}