Merge branch 'bugfix/secure_boot_ecdsa_config_v4.0' into 'release/v4.0'
secure boot: Ensure mbedTLS enables ECDSA if signatures are checked in app See merge request espressif/esp-idf!8196
This commit is contained in:
commit
2ee765ffaf
3 changed files with 10 additions and 2 deletions
|
@ -234,12 +234,15 @@ menu "Security features"
|
||||||
config SECURE_SIGNED_ON_UPDATE
|
config SECURE_SIGNED_ON_UPDATE
|
||||||
bool
|
bool
|
||||||
default y
|
default y
|
||||||
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
|
||||||
depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
|
depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
|
||||||
|
|
||||||
config SECURE_SIGNED_APPS
|
config SECURE_SIGNED_APPS
|
||||||
bool
|
bool
|
||||||
default y
|
default y
|
||||||
|
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||||
|
select MBEDTLS_ECP_C
|
||||||
|
select MBEDTLS_ECDH_C
|
||||||
|
select MBEDTLS_ECDSA_C
|
||||||
depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
|
depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -56,6 +56,10 @@ esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
|
||||||
|
|
||||||
esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
|
esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
|
||||||
{
|
{
|
||||||
|
#if !(defined(CONFIG_MBEDTLS_ECDSA_C) && defined(CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED))
|
||||||
|
ESP_LOGE(TAG, "Signature verification requires ECDSA & SECP256R1 curve enabled");
|
||||||
|
return ESP_ERR_NOT_SUPPORTED;
|
||||||
|
#else
|
||||||
ptrdiff_t keylen;
|
ptrdiff_t keylen;
|
||||||
|
|
||||||
keylen = signature_verification_key_end - signature_verification_key_start;
|
keylen = signature_verification_key_end - signature_verification_key_start;
|
||||||
|
@ -117,4 +121,5 @@ cleanup:
|
||||||
mbedtls_mpi_free(&s);
|
mbedtls_mpi_free(&s);
|
||||||
mbedtls_ecdsa_free(&ecdsa_context);
|
mbedtls_ecdsa_free(&ecdsa_context);
|
||||||
return ret == 0 ? ESP_OK : ESP_ERR_IMAGE_INVALID;
|
return ret == 0 ? ESP_OK : ESP_ERR_IMAGE_INVALID;
|
||||||
|
#endif // CONFIG_MBEDTLS_ECDSA_C && CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||||
}
|
}
|
||||||
|
|
|
@ -254,7 +254,7 @@ menu "mbedTLS"
|
||||||
|
|
||||||
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
|
||||||
bool "Enable ECDHE-PSK based ciphersuite modes"
|
bool "Enable ECDHE-PSK based ciphersuite modes"
|
||||||
depends on MBEDTLS_PSK_MODES
|
depends on MBEDTLS_PSK_MODES && MBEDTLS_ECDH_C
|
||||||
default y
|
default y
|
||||||
help
|
help
|
||||||
Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
|
Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
|
||||||
|
|
Loading…
Reference in a new issue