secure boot v2: Don't log warnings when BLK2 is empty as expected
If BLK2 is empty then it's OK to continue without a warning (otherwise it may spook users into thinking something is wrong, when this is the expected workflow). If BLK2 is not empty and doesn't match then we need to fail, because it won't be possible to trust the signature.
This commit is contained in:
parent
69895387ee
commit
2c531d5bb3
2 changed files with 18 additions and 4 deletions
@ -152,7 +152,18 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_trusted_digest);
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_trusted_digest);
if (memcmp(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN) != 0) {
if (memcmp(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN) != 0) {
ESP_LOGW(TAG, "Public key digest in eFuse BLK2 and the signature block don't match.");
/* Most likely explanation for this is that BLK2 is empty, and we're going to burn it
after we verify that the signature is valid. However, if BLK2 is not empty then we need to
fail here.
*/
bool all_zeroes = true;
for (int i = 0; i < DIGEST_LEN; i++) {
all_zeroes = all_zeroes && (efuse_trusted_digest[i] == 0);
}
if (!all_zeroes) {
ESP_LOGE(TAG, "Different public key digest burned to eFuse BLK2");
return ESP_ERR_INVALID_STATE;
}
}
}
memcpy(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN);
memcpy(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN);
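Review bot: The new all_zeroes path accepts an empty BLK2 without consulting esp_secure_boot_enabled(), so if secure boot is already on and the digest reads back as zeros the function falls through to the memcpy on the last line of the hunk and adopts the signature block's own key digest as the trusted one; the sibling hunk in the other file guards exactly this with `esp_secure_boot_enabled() ||`. Unless the start of esp_secure_boot_verify_rsa_signature_block (outside the hunk) already rejects that case, the check should read `if (!all_zeroes || esp_secure_boot_enabled()) {` with an error message that covers both conditions. Consider also replacing the byte loop with a `memcmp` against a zeroed `const uint8_t zeroes[DIGEST_LEN] = {0};`, as the other file does, so the two implementations stay in lockstep. An all-zero read only proves the block is unprogrammed if BLK2 cannot be read-protected on this chip — worth confirming and stating in the comment.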
@ -187,11 +187,14 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_trusted_digest);
bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_trusted_digest);
if (memcmp(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN) != 0) {
if (memcmp(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN) != 0) {
if (esp_secure_boot_enabled()) {
const uint8_t zeroes[DIGEST_LEN] = {0};
/* Can't continue if secure boot is enabled, OR if a different digest is already written in efuse BLK2
(If BLK2 is empty and Secure Boot is disabled then we assume that it will be enabled later.)
*/
if (esp_secure_boot_enabled() || memcmp(efuse_trusted_digest, zeroes, DIGEST_LEN) != 0) {
ESP_LOGE(TAG, "Public key digest in eFuse BLK2 and the signature block don't match.");
ESP_LOGE(TAG, "Public key digest in eFuse BLK2 and the signature block don't match.");
return ESP_FAIL;
return ESP_FAIL;
} else {
ESP_LOGW(TAG, "Public key digest in eFuse BLK2 and the signature block don't match.");
}
}
}
}
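Review bot: The `memcmp(efuse_trusted_digest, zeroes, DIGEST_LEN)` on the new condition treats an all-zero BLK2 as unprogrammed, but if a read-protected BLK2 reads back as zeros on this chip (I believe it does on ESP32 — verify), a device whose BLK2 is already burned and read-protected would take the "assume it will be enabled later" path whenever secure boot is still disabled. If that is reachable, the empty-block branch should also fail when the block's read-protect bit is set, or the comment should state that read-protection is excluded by an earlier check. Minor: the new comment block appears to carry a stray blank line in its middle; `/* Can't continue if secure boot is enabled, OR if a different digest is already written in efuse BLK2. (If BLK2 is empty and Secure Boot is disabled then we assume it will be enabled later.) */` reads cleaner as one paragraph. The enclosing function starts before the hunk.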