secure boot v2: Don't check efuse BLK2 if only boot-time signature verification is enabled

2020-04-24 14:41:42 +10:00 · 2020-04-24 14:41:42 +10:00 · 3c6b1b4c0a
parent 2c531d5bb3
commit 3c6b1b4c0a
2 changed files with 9 additions and 3 deletions
--- a/components/bootloader_support/src/esp32/secure_boot_signatures.c
+++ b/components/bootloader_support/src/esp32/secure_boot_signatures.c
@ -137,13 +137,13 @@ esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)

 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
 {
+    secure_boot_v2_status_t r;
    uint8_t efuse_trusted_digest[DIGEST_LEN] = {0}, sig_block_trusted_digest[DIGEST_LEN] = {0};

-    secure_boot_v2_status_t r;
    memcpy(efuse_trusted_digest, (uint8_t *)EFUSE_BLK2_RDATA0_REG, DIGEST_LEN); /* EFUSE_BLK2_RDATA0_REG - Stores the Secure Boot Public Key Digest */

    if (!ets_use_secure_boot_v2()) {
-        ESP_LOGI(TAG, "Secure Boot EFuse bit(ABS_DONE_1) not yet programmed.");
+        ESP_LOGI(TAG, "Secure Boot eFuse bit(ABS_DONE_1) not yet programmed.");

        /* Generating the SHA of the public key components in the signature block */
        bootloader_sha256_handle_t sig_block_sha;
@ -151,6 +151,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
        bootloader_sha256_data(sig_block_sha, &sig_block->block[0].key, sizeof(sig_block->block[0].key));
        bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_trusted_digest);

+#if CONFIG_SECURE_BOOT_V2_ENABLED
        if (memcmp(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN) != 0) {
            /* Most likely explanation for this is that BLK2 is empty, and we're going to burn it
               after we verify that the signature is valid. However, if BLK2 is not empty then we need to
@ -165,6 +166,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
                return ESP_ERR_INVALID_STATE;
            }
        }
+#endif

        memcpy(efuse_trusted_digest, sig_block_trusted_digest, DIGEST_LEN);
    }
--- a/components/bootloader_support/src/idf/secure_boot_signatures.c
+++ b/components/bootloader_support/src/idf/secure_boot_signatures.c
@ -173,7 +173,10 @@ esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)

 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
 {
-    uint8_t i = 0, efuse_trusted_digest[DIGEST_LEN] = {0}, sig_block_trusted_digest[DIGEST_LEN] = {0};
+    int i = 0;
+
+#if CONFIG_SECURE_BOOT_V2_ENABLED /* Verify key against efuse block */
+    uint8_t efuse_trusted_digest[DIGEST_LEN] = {0}, sig_block_trusted_digest[DIGEST_LEN] = {0};
    memcpy(efuse_trusted_digest, (uint8_t *) EFUSE_BLK2_RDATA0_REG, sizeof(efuse_trusted_digest));

    /* Note: in IDF verification we don't add any fault injection resistance, as we don't expect this to be called
@ -197,6 +200,7 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
            return ESP_FAIL;
        }
    }
+#endif

    ESP_LOGI(TAG, "Verifying with RSA-PSS...");
    int ret = 0;