secure boot: Support secure boot signatures without hardware secure boot

Allows OTA updates to be secured via signature checks, without requiring the overhead or complexity of a full secure boot implementation. Uses same signing mechanisms (build system and/or espsecure.py as Secure Boot). Requires: * [ ] More testing * [ ] Documentation
2018-07-19 15:15:37 +10:00 · 2018-07-19 15:15:37 +10:00 · b364f23e17
parent 27f3c3e668
commit b364f23e17
5 changed files with 88 additions and 14 deletions
--- a/components/app_update/esp_ota_ops.c
+++ b/components/app_update/esp_ota_ops.c
@ -376,7 +376,7 @@ esp_err_t esp_ota_set_boot_partition(const esp_partition_t *partition)
        return ESP_ERR_OTA_VALIDATE_FAILED;
    }

-#ifdef CONFIG_SECURE_BOOT_ENABLED
+#ifdef CONFIG_SECURE_SIGNED_ON_UPDATE
    esp_err_t ret = esp_secure_boot_verify_signature(partition->address, data.image_len);
    if (ret != ESP_OK) {
        return ESP_ERR_OTA_VALIDATE_FAILED;
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -132,9 +132,59 @@ endmenu  # Bootloader

 menu "Security features"

+# These three are the actual options to check in code,
+# selected by the displayed options
+config SECURE_SIGNED_ON_BOOT
+    bool
+    default y
+    depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT
+
+config SECURE_SIGNED_ON_UPDATE
+    bool
+    default y
+    depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+
+config SECURE_SIGNED_APPS
+   bool
+   default y
+   depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
+
+
+config SECURE_SIGNED_APPS_NO_SECURE_BOOT
+    bool "Require signed app images"
+    default n
+    depends on !SECURE_BOOT_ENABLED
+    help
+        Require apps to be signed to verify their integrity.
+
+        This option uses the same app signature scheme as hardware secure boot, but unlike hardware secure boot it does not prevent the bootloader from being physically updated. This means that the device can be secured against remote network access, but not physical access. Compared to using hardware Secure Boot this option is much simpler to implement.
+
+config SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT
+    bool "Bootloader verifies app signatures"
+    default n
+    depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT
+    help
+        If this option is set, the bootloader will be compiled with code to verify that an app is signed before booting it.
+
+        If hardware secure boot is enabled, this option is always enabled and cannot be disabled.
+        If hardware secure boot is not enabled, this option doesn't add significant security by itself so most users will want to leave it disabled.
+
+config SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+    bool "Verify app signature on update"
+    default y
+    depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT
+    help
+         If this option is set, any OTA updated apps will have the signature verified before being considered valid.
+
+         When enabled, the signature is automatically checked whenever the esp_ota_ops.h APIs are used for OTA updates,
+         or esp_image_format.h APIs are used to verify apps.
+
+         If hardware secure boot is enabled, this option is always enabled and cannot be disabled.
+         If hardware secure boot is not enabled, this option still adds significant security against network-based attackers by preventing spoofing of OTA updates.
+
 config SECURE_BOOT_ENABLED
-    bool "Enable secure boot in bootloader (READ DOCS FIRST)"
-    default N
+    bool "Enable hardware secure boot in bootloader (READ DOCS FIRST)"
+    default n
    help
        Build a bootloader which enables secure boot on first boot.

@ -169,12 +219,12 @@ endchoice

 config SECURE_BOOT_BUILD_SIGNED_BINARIES
     bool "Sign binaries during build"
-     depends on SECURE_BOOT_ENABLED
+     depends on SECURE_SIGNED_APPS
     default y
     help
-        Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
+        Once secure boot or signed app requirement is enabled, app images are required to be signed.

-        If enabled, these binary files are signed as part of the build process. The file named in "Secure boot private signing key" will be used to sign the image.
+        If enabled (default), these binary files are signed as part of the build process. The file named in "Secure boot private signing key" will be used to sign the image.

        If disabled, unsigned app/partition data will be built. They must be signed manually using espsecure.py (for example, on a remote signing server.)

@ -183,7 +233,7 @@ config SECURE_BOOT_SIGNING_KEY
     depends on SECURE_BOOT_BUILD_SIGNED_BINARIES
     default secure_boot_signing_key.pem
     help
-        Path to the key file used to sign partition tables and app images for secure boot. Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
+        Path to the key file used to sign app images.

        Key file is an ECDSA private key (NIST256p curve) in PEM format.

@ -196,11 +246,11 @@ config SECURE_BOOT_SIGNING_KEY

 config SECURE_BOOT_VERIFICATION_KEY
    string "Secure boot public signature verification key"
-    depends on SECURE_BOOT_ENABLED && !SECURE_BOOT_BUILD_SIGNED_BINARIES
+    depends on SECURE_SIGNED_APPS && !SECURE_BOOT_BUILD_SIGNED_BINARIES
    default signature_verification_key.bin
    help
-       Path to a public key file used to verify signed images. This key is compiled into the bootloader,
-       and may also be used to verify signatures on OTA images after download.
+       Path to a public key file used to verify signed images. This key is compiled into the bootloader and/or app,
+       to verify app images.

       Key file is in raw binary format, and can be extracted from a
       PEM formatted private key using the espsecure.py
--- a/components/bootloader_support/component.mk
+++ b/components/bootloader_support/component.mk
@ -12,7 +12,7 @@ COMPONENT_SRCDIRS := src
 #
 # Secure boot signing key support
 #
-ifdef CONFIG_SECURE_BOOT_ENABLED
+ifdef CONFIG_SECURE_SIGNED_APPS

 # this path is created relative to the component build directory
 SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@ -17,6 +17,14 @@
 #include <esp_err.h>
 #include "soc/efuse_reg.h"

+#include "sdkconfig.h"
+
+#ifdef CONFIG_SECURE_BOOT_ENABLED
+#if !defined(CONFIG_SECURE_SIGNED_ON_BOOT) || !defined(CONFIG_SECURE_SIGNED_ON_UPDATE) || !defined(CONFIG_SECURE_SIGNED_APPS)
+#error "internal sdkconfig error, secure boot should always enable all signature options"
+#endif
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@ -24,6 +24,20 @@
 #include <bootloader_random.h>
 #include <bootloader_sha.h>

+/* Checking signatures as part of verifying images is necessary:
+   - Always if secure boot is enabled
+   - Differently in bootloader and/or app, depending on kconfig
+*/
+#ifdef BOOTLOADER_BUILD
+#ifdef CONFIG_SECURE_SIGNED_ON_BOOT
+#define SECURE_BOOT_CHECK_SIGNATURE
+#endif
+#else /* !BOOTLOADER_BUILD */
+#ifdef CONFIG_SECURE_SIGNED_ON_UPDATE
+#define SECURE_BOOT_CHECK_SIGNATURE
+#endif
+#endif
+
 static const char *TAG = "esp_image";

 #define HASH_LEN 32 /* SHA-256 digest length */
@ -107,7 +121,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
    }

    // Calculate SHA-256 of image if secure boot is on, or if image has a hash appended
-#ifdef CONFIG_SECURE_BOOT_ENABLED
+#ifdef SECURE_BOOT_CHECK_SIGNATURE
    if (1) {
 #else
    if (data->image.hash_appended) {
@ -174,7 +188,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
       rewritten the header - rely on esptool.py having verified the bootloader at flashing time, instead.
    */
    if (!is_bootloader) {
-#ifdef CONFIG_SECURE_BOOT_ENABLED
+#ifdef SECURE_BOOT_CHECK_SIGNATURE
        // secure boot images have a signature appended
        err = verify_secure_boot_signature(sha_handle, data);
 #else
@ -182,7 +196,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
        if (sha_handle != NULL && !esp_cpu_in_ocd_debug_mode()) {
            err = verify_simple_hash(sha_handle, data);
        }
-#endif // CONFIG_SECURE_BOOT_ENABLED
+#endif // SECURE_BOOT_CHECK_SIGNATURE
    } else { // is_bootloader
        // bootloader may still have a sha256 digest handle open
        if (sha_handle != NULL) {
@ -519,6 +533,8 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
 {
    uint8_t image_hash[HASH_LEN] = { 0 };

+    ESP_LOGI(TAG, "Verifying image signature...");
+
    // For secure boot, we calculate the signature hash over the whole file, which includes any "simple" hash
    // appended to the image for corruption detection
    if (data->image.hash_appended) {