Merge branch 'feature/micro-ecc-only-in-bootloader' into 'master'
Use micro_ecc library only in bootloader See merge request idf/esp-idf!4082
This commit is contained in:
commit
5136b76798
11 changed files with 59 additions and 16 deletions
2
.flake8
2
.flake8
|
@ -141,7 +141,7 @@ exclude =
|
||||||
__pycache__,
|
__pycache__,
|
||||||
# submodules
|
# submodules
|
||||||
components/esptool_py/esptool,
|
components/esptool_py/esptool,
|
||||||
components/micro-ecc/micro-ecc,
|
components/bootloader/subproject/components/micro-ecc/micro-ecc,
|
||||||
components/nghttp/nghttp2,
|
components/nghttp/nghttp2,
|
||||||
components/libsodium/libsodium,
|
components/libsodium/libsodium,
|
||||||
components/json/cJSON,
|
components/json/cJSON,
|
||||||
|
|
|
@ -46,7 +46,7 @@ variables:
|
||||||
find . -name '.git' -not -path './.git' -printf '%P\n'
|
find . -name '.git' -not -path './.git' -printf '%P\n'
|
||||||
| sed 's|/.git||'
|
| sed 's|/.git||'
|
||||||
| xargs -I {} sh -c '
|
| xargs -I {} sh -c '
|
||||||
grep -q {} .gitmodules
|
grep -q "path = {}" .gitmodules
|
||||||
|| (echo "Removing {}, has .git directory but not in .gitmodules file"
|
|| (echo "Removing {}, has .git directory but not in .gitmodules file"
|
||||||
&& rm -rf {});'
|
&& rm -rf {});'
|
||||||
|
|
||||||
|
|
4
.gitmodules
vendored
4
.gitmodules
vendored
|
@ -6,8 +6,8 @@
|
||||||
path = components/bt/lib
|
path = components/bt/lib
|
||||||
url = https://github.com/espressif/esp32-bt-lib.git
|
url = https://github.com/espressif/esp32-bt-lib.git
|
||||||
|
|
||||||
[submodule "components/micro-ecc/micro-ecc"]
|
[submodule "components/bootloader/subproject/components/micro-ecc/micro-ecc"]
|
||||||
path = components/micro-ecc/micro-ecc
|
path = components/bootloader/subproject/components/micro-ecc/micro-ecc
|
||||||
url = https://github.com/kmackay/micro-ecc.git
|
url = https://github.com/kmackay/micro-ecc.git
|
||||||
|
|
||||||
[submodule "components/coap/libcoap"]
|
[submodule "components/coap/libcoap"]
|
||||||
|
|
|
@ -108,13 +108,6 @@ static esp_err_t image_validate(const esp_partition_t *partition, esp_image_load
|
||||||
return ESP_ERR_OTA_VALIDATE_FAILED;
|
return ESP_ERR_OTA_VALIDATE_FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_SECURE_SIGNED_ON_UPDATE
|
|
||||||
esp_err_t ret = esp_secure_boot_verify_signature(partition->address, data.image_len);
|
|
||||||
if (ret != ESP_OK) {
|
|
||||||
return ESP_ERR_OTA_VALIDATE_FAILED;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -234,6 +234,7 @@ menu "Security features"
|
||||||
config SECURE_SIGNED_ON_UPDATE
|
config SECURE_SIGNED_ON_UPDATE
|
||||||
bool
|
bool
|
||||||
default y
|
default y
|
||||||
|
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||||
depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
|
depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
|
||||||
|
|
||||||
config SECURE_SIGNED_APPS
|
config SECURE_SIGNED_APPS
|
||||||
|
|
|
@ -54,7 +54,7 @@ else()
|
||||||
set(COMPONENT_ADD_INCLUDEDIRS "include")
|
set(COMPONENT_ADD_INCLUDEDIRS "include")
|
||||||
set(COMPONENT_PRIV_INCLUDEDIRS "include_bootloader")
|
set(COMPONENT_PRIV_INCLUDEDIRS "include_bootloader")
|
||||||
set(COMPONENT_REQUIRES)
|
set(COMPONENT_REQUIRES)
|
||||||
set(COMPONENT_PRIV_REQUIRES spi_flash mbedtls micro-ecc efuse)
|
set(COMPONENT_PRIV_REQUIRES spi_flash mbedtls efuse)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
register_component()
|
register_component()
|
||||||
|
|
|
@ -19,13 +19,13 @@
|
||||||
#include "esp_image_format.h"
|
#include "esp_image_format.h"
|
||||||
#include "esp_secure_boot.h"
|
#include "esp_secure_boot.h"
|
||||||
|
|
||||||
#include "uECC.h"
|
|
||||||
|
|
||||||
#ifdef BOOTLOADER_BUILD
|
#ifdef BOOTLOADER_BUILD
|
||||||
#include "esp32/rom/sha.h"
|
#include "esp32/rom/sha.h"
|
||||||
|
#include "uECC.h"
|
||||||
typedef SHA_CTX sha_context;
|
typedef SHA_CTX sha_context;
|
||||||
#else
|
#else
|
||||||
#include "mbedtls/sha256.h"
|
#include "mbedtls/sha256.h"
|
||||||
|
#include "mbedtls/x509.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static const char* TAG = "secure_boot";
|
static const char* TAG = "secure_boot";
|
||||||
|
@ -71,7 +71,6 @@ esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
|
||||||
esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
|
esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
|
||||||
{
|
{
|
||||||
ptrdiff_t keylen;
|
ptrdiff_t keylen;
|
||||||
bool is_valid;
|
|
||||||
|
|
||||||
keylen = signature_verification_key_end - signature_verification_key_start;
|
keylen = signature_verification_key_end - signature_verification_key_start;
|
||||||
if(keylen != SIGNATURE_VERIFICATION_KEYLEN) {
|
if(keylen != SIGNATURE_VERIFICATION_KEYLEN) {
|
||||||
|
@ -86,6 +85,8 @@ esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block
|
||||||
|
|
||||||
ESP_LOGD(TAG, "Verifying secure boot signature");
|
ESP_LOGD(TAG, "Verifying secure boot signature");
|
||||||
|
|
||||||
|
#ifdef BOOTLOADER_BUILD
|
||||||
|
bool is_valid;
|
||||||
is_valid = uECC_verify(signature_verification_key_start,
|
is_valid = uECC_verify(signature_verification_key_start,
|
||||||
image_digest,
|
image_digest,
|
||||||
DIGEST_LEN,
|
DIGEST_LEN,
|
||||||
|
@ -93,4 +94,52 @@ esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block
|
||||||
uECC_secp256r1());
|
uECC_secp256r1());
|
||||||
ESP_LOGD(TAG, "Verification result %d", is_valid);
|
ESP_LOGD(TAG, "Verification result %d", is_valid);
|
||||||
return is_valid ? ESP_OK : ESP_ERR_IMAGE_INVALID;
|
return is_valid ? ESP_OK : ESP_ERR_IMAGE_INVALID;
|
||||||
|
#else /* BOOTLOADER_BUILD */
|
||||||
|
int ret;
|
||||||
|
mbedtls_mpi r, s;
|
||||||
|
|
||||||
|
mbedtls_mpi_init(&r);
|
||||||
|
mbedtls_mpi_init(&s);
|
||||||
|
|
||||||
|
/* Extract r and s components from RAW ECDSA signature of 64 bytes */
|
||||||
|
#define ECDSA_INTEGER_LEN 32
|
||||||
|
ret = mbedtls_mpi_read_binary(&r, &sig_block->signature[0], ECDSA_INTEGER_LEN);
|
||||||
|
if (ret != 0) {
|
||||||
|
ESP_LOGE(TAG, "Failed mbedtls_mpi_read_binary(1), err:%d", ret);
|
||||||
|
return ESP_FAIL;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = mbedtls_mpi_read_binary(&s, &sig_block->signature[ECDSA_INTEGER_LEN], ECDSA_INTEGER_LEN);
|
||||||
|
if (ret != 0) {
|
||||||
|
ESP_LOGE(TAG, "Failed mbedtls_mpi_read_binary(2), err:%d", ret);
|
||||||
|
mbedtls_mpi_free(&r);
|
||||||
|
return ESP_FAIL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Initialise ECDSA context */
|
||||||
|
mbedtls_ecdsa_context ecdsa_context;
|
||||||
|
mbedtls_ecdsa_init(&ecdsa_context);
|
||||||
|
|
||||||
|
mbedtls_ecp_group_load(&ecdsa_context.grp, MBEDTLS_ECP_DP_SECP256R1);
|
||||||
|
size_t plen = mbedtls_mpi_size(&ecdsa_context.grp.P);
|
||||||
|
if (keylen != 2*plen) {
|
||||||
|
ESP_LOGE(TAG, "Incorrect ECDSA key length %d", keylen);
|
||||||
|
ret = ESP_FAIL;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Extract X and Y components from ECDSA public key */
|
||||||
|
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ecdsa_context.Q.X, signature_verification_key_start, plen));
|
||||||
|
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ecdsa_context.Q.Y, signature_verification_key_start + plen, plen));
|
||||||
|
MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ecdsa_context.Q.Z, 1));
|
||||||
|
|
||||||
|
ret = mbedtls_ecdsa_verify(&ecdsa_context.grp, image_digest, DIGEST_LEN, &ecdsa_context.Q, &r, &s);
|
||||||
|
ESP_LOGD(TAG, "Verification result %d", ret);
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
mbedtls_mpi_free(&r);
|
||||||
|
mbedtls_mpi_free(&s);
|
||||||
|
mbedtls_ecdsa_free(&ecdsa_context);
|
||||||
|
return ret == 0 ? ESP_OK : ESP_ERR_IMAGE_INVALID;
|
||||||
|
#endif /* !BOOTLOADER_BUILD */
|
||||||
}
|
}
|
||||||
|
|
|
@ -8,7 +8,7 @@ components/json/cJSON @GENERAL_MIRROR_SERV
|
||||||
components/libsodium/libsodium @GENERAL_MIRROR_SERVER@/idf/libsodium.git ALLOW_TO_SYNC_FROM_PUBLIC
|
components/libsodium/libsodium @GENERAL_MIRROR_SERVER@/idf/libsodium.git ALLOW_TO_SYNC_FROM_PUBLIC
|
||||||
components/mbedtls/mbedtls @GENERAL_MIRROR_SERVER@/idf/mbedtls.git ALLOW_TO_SYNC_FROM_PUBLIC
|
components/mbedtls/mbedtls @GENERAL_MIRROR_SERVER@/idf/mbedtls.git ALLOW_TO_SYNC_FROM_PUBLIC
|
||||||
components/expat/expat @GENERAL_MIRROR_SERVER@/idf/libexpat.git ALLOW_TO_SYNC_FROM_PUBLIC
|
components/expat/expat @GENERAL_MIRROR_SERVER@/idf/libexpat.git ALLOW_TO_SYNC_FROM_PUBLIC
|
||||||
components/micro-ecc/micro-ecc @GENERAL_MIRROR_SERVER@/idf/micro-ecc.git ALLOW_TO_SYNC_FROM_PUBLIC
|
components/bootloader/subproject/components/micro-ecc/micro-ecc @GENERAL_MIRROR_SERVER@/idf/micro-ecc.git ALLOW_TO_SYNC_FROM_PUBLIC
|
||||||
components/nghttp/nghttp2 @GENERAL_MIRROR_SERVER@/idf/nghttp2.git ALLOW_TO_SYNC_FROM_PUBLIC
|
components/nghttp/nghttp2 @GENERAL_MIRROR_SERVER@/idf/nghttp2.git ALLOW_TO_SYNC_FROM_PUBLIC
|
||||||
components/spiffs/spiffs @GENERAL_MIRROR_SERVER@/idf/spiffs.git ALLOW_TO_SYNC_FROM_PUBLIC
|
components/spiffs/spiffs @GENERAL_MIRROR_SERVER@/idf/spiffs.git ALLOW_TO_SYNC_FROM_PUBLIC
|
||||||
components/asio/asio @GENERAL_MIRROR_SERVER@/idf/asio.git
|
components/asio/asio @GENERAL_MIRROR_SERVER@/idf/asio.git
|
||||||
|
|
Loading…
Reference in a new issue