esp32c2: Support Secure Boot V2 based on ECDSA scheme

components/bootloader_support/include/esp_secure_boot.h

@@ -51,6 +51,12 @@ extern "C" {
 
 #define ESP_SECURE_BOOT_DIGEST_LEN 32
 
+#if CONFIG_IDF_TARGET_ESP32C2
+#define ESP_SECURE_BOOT_KEY_DIGEST_LEN 16
+#else
+#define ESP_SECURE_BOOT_KEY_DIGEST_LEN 32
+#endif
+
 #ifdef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH
 #include "esp_efuse.h"
 #include "esp_efuse_table.h"
@@ -215,18 +221,30 @@ typedef struct {
     unsigned num_digests;                                       /* Number of valid digests, starting at index 0 */
 } esp_image_sig_public_key_digests_t;
 
-/** @brief Verify the RSA secure boot signature block for Secure Boot V2.
+/** @brief Verify the secure boot signature block for Secure Boot V2.
  *
- *  Performs RSA-PSS Verification of the SHA-256 image based on the public key
+ *  Performs RSA-PSS or ECDSA verification of the SHA-256 image based on the public key
  *  in the signature block, compared against the public key digest stored in efuse.
  *
  * Similar to esp_secure_boot_verify_signature(), but can be used when the digest is precalculated.
+ * @param sig_block Pointer to signature block data
+ * @param image_digest Pointer to 32 byte buffer holding SHA-256 hash.
+ * @param verified_digest Pointer to 32 byte buffer that will receive verified digest if verification completes. (Used during bootloader implementation only, result is invalid otherwise.)
+ *
+ */
+esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest);
+
+/** @brief Legacy function to verify RSA secure boot signature block for Secure Boot V2.
+ *
+ * @note This is kept for backward compatibility. It internally calls esp_secure_boot_verify_sbv2_signature_block.
+ *
  * @param sig_block Pointer to RSA signature block data
  * @param image_digest Pointer to 32 byte buffer holding SHA-256 hash.
  * @param verified_digest Pointer to 32 byte buffer that will receive verified digest if verification completes. (Used during bootloader implementation only, result is invalid otherwise.)
  *
  */
 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest);
+
 #endif // !CONFIG_IDF_TARGET_ESP32 || CONFIG_ESP32_REV_MIN_3
 
 /** @brief Legacy ECDSA verification function
@@ -259,7 +277,7 @@ typedef struct {
  */
 void esp_secure_boot_init_checks(void);
 
-#if !BOOTLOADER_BUILD && CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+#if !BOOTLOADER_BUILD && (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME)
 
 /** @brief Scan the current running app for signature blocks
  *
@@ -285,7 +303,7 @@ void esp_secure_boot_init_checks(void);
  */
 esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_public_keys, esp_image_sig_public_key_digests_t *public_key_digests);
 
-#endif // !BOOTLOADER_BUILD && CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+#endif // !BOOTLOADER_BUILD && (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME)
 
 /** @brief Set all secure eFuse features related to secure_boot
  *