make bootloader_support support esp32s2beta

components/bootloader_support/src/esp32s2beta/bootloader_clock_esp32s2beta.c

@@ -0,0 +1,12 @@
+#include "sdkconfig.h"
+#include "bootloader_clock.h"
+
+int bootloader_clock_get_rated_freq_mhz()
+{
+#ifndef CONFIG_HARDWARE_IS_FPGA
+    #warning "FIXME this needs to be filled in for real hardware"
+#endif
+    return 999;
+}
+
+

components/bootloader_support/src/esp32s2beta/bootloader_esp32s2beta.c

@@ -0,0 +1,54 @@
+#include "bootloader_common.h"
+#include "sdkconfig.h"
+#include "soc/efuse_reg.h"
+#include "soc/gpio_sig_map.h"
+#include "soc/io_mux_reg.h"
+#include "esp32s2beta/rom/efuse.h"
+#include "esp32s2beta/rom/gpio.h"
+#include "esp32s2beta/rom/spi_flash.h"
+
+#define FLASH_CLK_IO SPI_CLK_GPIO_NUM
+#define FLASH_CS_IO SPI_CS0_GPIO_NUM
+#define FLASH_SPIQ_IO SPI_Q_GPIO_NUM
+#define FLASH_SPID_IO SPI_D_GPIO_NUM
+#define FLASH_SPIWP_IO SPI_WP_GPIO_NUM
+#define FLASH_SPIHD_IO SPI_HD_GPIO_NUM
+
+void bootloader_configure_spi_pins(int drv)
+{
+    const uint32_t spiconfig = ets_efuse_get_spiconfig();
+    if (spiconfig == EFUSE_SPICONFIG_SPI_DEFAULTS) {
+        gpio_matrix_out(FLASH_CS_IO, SPICS0_OUT_IDX, 0, 0);
+        gpio_matrix_out(FLASH_SPIQ_IO, SPIQ_OUT_IDX, 0, 0);
+        gpio_matrix_in(FLASH_SPIQ_IO, SPIQ_IN_IDX, 0);
+        gpio_matrix_out(FLASH_SPID_IO, SPID_OUT_IDX, 0, 0);
+        gpio_matrix_in(FLASH_SPID_IO, SPID_IN_IDX, 0);
+        gpio_matrix_out(FLASH_SPIWP_IO, SPIWP_OUT_IDX, 0, 0);
+        gpio_matrix_in(FLASH_SPIWP_IO, SPIWP_IN_IDX, 0);
+        gpio_matrix_out(FLASH_SPIHD_IO, SPIHD_OUT_IDX, 0, 0);
+        gpio_matrix_in(FLASH_SPIHD_IO, SPIHD_IN_IDX, 0);
+        //select pin function gpio
+        PIN_FUNC_SELECT(PERIPHS_IO_MUX_SPIHD_U, PIN_FUNC_GPIO);
+        PIN_FUNC_SELECT(PERIPHS_IO_MUX_SPIWP_U, PIN_FUNC_GPIO);
+        PIN_FUNC_SELECT(PERIPHS_IO_MUX_SPICS0_U, PIN_FUNC_GPIO);
+        PIN_FUNC_SELECT(PERIPHS_IO_MUX_SPIQ_U, PIN_FUNC_GPIO);
+        PIN_FUNC_SELECT(PERIPHS_IO_MUX_SPID_U, PIN_FUNC_GPIO);
+        // flash clock signal should come from IO MUX.
+        // set drive ability for clock
+        PIN_FUNC_SELECT(PERIPHS_IO_MUX_SPICLK_U, FUNC_SPICLK_SPICLK);
+        SET_PERI_REG_BITS(PERIPHS_IO_MUX_SPICLK_U, FUN_DRV, drv, FUN_DRV_S);
+
+#if CONFIG_SPIRAM_TYPE_ESPPSRAM32 || CONFIG_SPIRAM_TYPE_ESPPSRAM64
+        uint32_t flash_id = g_rom_flashchip.device_id;
+        if (flash_id == FLASH_ID_GD25LQ32C) {
+            // Set drive ability for 1.8v flash in 80Mhz.
+            SET_PERI_REG_BITS(PERIPHS_IO_MUX_SPIHD_U, FUN_DRV, 3, FUN_DRV_S);
+            SET_PERI_REG_BITS(PERIPHS_IO_MUX_SPIWP_U, FUN_DRV, 3, FUN_DRV_S);
+            SET_PERI_REG_BITS(PERIPHS_IO_MUX_SPICS0_U, FUN_DRV, 3, FUN_DRV_S);
+            SET_PERI_REG_BITS(PERIPHS_IO_MUX_SPICLK_U, FUN_DRV, 3, FUN_DRV_S);
+            SET_PERI_REG_BITS(PERIPHS_IO_MUX_SPIQ_U, FUN_DRV, 3, FUN_DRV_S);
+            SET_PERI_REG_BITS(PERIPHS_IO_MUX_SPID_U, FUN_DRV, 3, FUN_DRV_S);
+        }
+#endif
+    }
+}

components/bootloader_support/src/esp32s2beta/bootloader_sha.c

@@ -0,0 +1,53 @@
+// Copyright 2017 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include "bootloader_sha.h"
+#include <stdbool.h>
+#include <string.h>
+#include <assert.h>
+#include <sys/param.h>
+
+#include "esp32s2beta/rom/sha.h"
+
+static SHA_CTX ctx;
+
+// Words per SHA256 block
+// static const size_t BLOCK_WORDS = (64/sizeof(uint32_t));
+// Words in final SHA256 digest
+// static const size_t DIGEST_WORDS = (32/sizeof(uint32_t));
+
+bootloader_sha256_handle_t bootloader_sha256_start()
+{
+    // Enable SHA hardware
+    ets_sha_enable();
+    ets_sha_init(&ctx, SHA2_256);
+    return &ctx; // Meaningless non-NULL value
+}
+
+void bootloader_sha256_data(bootloader_sha256_handle_t handle, const void *data, size_t data_len)
+{
+    assert(handle != NULL);
+    assert(data_len % 4 == 0);
+    ets_sha_update(&ctx, data, data_len, false);
+}
+
+void bootloader_sha256_finish(bootloader_sha256_handle_t handle, uint8_t *digest)
+{
+    assert(handle != NULL);
+
+    if (digest == NULL) {
+        bzero(&ctx, sizeof(ctx));
+        return;
+    }
+    ets_sha_finish(&ctx, digest);
+}

components/bootloader_support/src/esp32s2beta/flash_encrypt.c

@@ -0,0 +1,303 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <strings.h>
+
+#include "bootloader_flash.h"
+#include "bootloader_random.h"
+#include "bootloader_utility.h"
+#include "esp_image_format.h"
+#include "esp_flash_encrypt.h"
+#include "esp_flash_partitions.h"
+#include "esp_secure_boot.h"
+#include "esp_log.h"
+#include "esp32s2beta/rom/secure_boot.h"
+#include "esp32s2beta/rom/cache.h"
+#include "esp32s2beta/rom/efuse.h"
+
+static const char *TAG = "flash_encrypt";
+
+/* Static functions for stages of flash encryption */
+static esp_err_t initialise_flash_encryption(void);
+static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis);
+static esp_err_t encrypt_bootloader();
+static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions);
+static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition);
+
+esp_err_t esp_flash_encrypt_check_and_update(void)
+{
+    // TODO: not clear why this is read from DATA1 and written to PGM_DATA2
+    uint32_t cnt = REG_GET_FIELD(EFUSE_RD_REPEAT_DATA1_REG, EFUSE_SPI_BOOT_CRYPT_CNT);
+    ESP_LOGV(TAG, "SPI_BOOT_CRYPT_CNT 0x%x", cnt);
+
+    bool flash_crypt_wr_dis = false; // TODO: check if CRYPT_CNT is write disabled
+
+    _Static_assert(EFUSE_SPI_BOOT_CRYPT_CNT == 0x7, "assuming CRYPT_CNT is only 3 bits wide");
+
+    if (cnt == 1 || cnt == 3 || cnt == 7) {
+        /* Flash is already encrypted */
+        int left;
+        if (cnt == 7 /* || disabled */) {
+            left = 0;
+        } else if (cnt == 3) {
+            left = 1;
+        } else {
+            left = 2;
+        }
+        ESP_LOGI(TAG, "flash encryption is enabled (%d plaintext flashes left)", left);
+        return ESP_OK;
+    }
+    else {
+        /* Flash is not encrypted, so encrypt it! */
+        return encrypt_flash_contents(cnt, flash_crypt_wr_dis);
+    }
+}
+
+static esp_err_t initialise_flash_encryption(void)
+{
+    /* Before first flash encryption pass, need to initialise key & crypto config */
+
+    /* Find out if a key is already set */
+    bool has_aes128 = ets_efuse_find_purpose(ETS_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, NULL);
+    bool has_aes256_1 = ets_efuse_find_purpose(ETS_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, NULL);
+    bool has_aes256_2 = ets_efuse_find_purpose(ETS_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, NULL);
+
+    bool has_key = has_aes128 || (has_aes256_1 && has_aes256_2);
+
+    if (!has_key && (has_aes256_1 || has_aes256_2)) {
+        ESP_LOGE(TAG, "Invalid efuse key blocks: Both AES-256 key blocks must be set.");
+        return ESP_ERR_INVALID_STATE;
+    }
+
+    if (has_key) {
+        ESP_LOGI(TAG, "Using pre-existing key in efuse");
+
+        ESP_LOGE(TAG, "TODO: Check key is read & write protected"); // TODO
+    } else {
+        ESP_LOGI(TAG, "Generating new flash encryption key...");
+#ifdef CONFIG_FLASH_ENCRYPTION_AES256
+        const unsigned BLOCKS_NEEDED = 2;
+        const ets_efuse_purpose_t PURPOSE_START = ETS_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1;
+        const ets_efuse_purpose_t PURPOSE_END = ETS_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2;
+#else
+        const unsigned BLOCKS_NEEDED = 1;
+        const ets_efuse_purpose_t PURPOSE_START = ETS_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY;
+        const ets_efuse_purpose_t PURPOSE_END = ETS_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY;
+#endif
+
+        if (ets_efuse_count_unused_key_blocks() < BLOCKS_NEEDED) {
+            ESP_LOGE(TAG, "Not enough free efuse key blocks (need %d) to continue", BLOCKS_NEEDED);
+            return ESP_ERR_INVALID_STATE;
+        }
+
+        for(ets_efuse_purpose_t purpose = PURPOSE_START; purpose <= PURPOSE_END; purpose++) {
+            uint32_t buf[8];
+            bootloader_fill_random(buf, sizeof(buf));
+            ets_efuse_block_t block = ets_efuse_find_unused_key_block();
+            ESP_LOGD(TAG, "Writing ETS_EFUSE_BLOCK_KEY%d with purpose %d",
+                     block - ETS_EFUSE_BLOCK_KEY0, purpose);
+            bootloader_debug_buffer(buf, sizeof(buf), "Key content");
+            int r = ets_efuse_write_key(block, purpose, buf, sizeof(buf));
+            bzero(buf, sizeof(buf));
+            if (r != 0) {
+                ESP_LOGE(TAG, "Failed to write efuse block %d with purpose %d. Can't continue.");
+                return ESP_FAIL;
+            }
+        }
+
+        ESP_LOGD(TAG, "Key generation complete");
+    }
+
+    ESP_LOGE(TAG, "TODO: burn remaining security protection bits"); // TODO
+
+    return ESP_OK;
+}
+
+/* Encrypt all flash data that should be encrypted */
+static esp_err_t encrypt_flash_contents(uint32_t spi_boot_crypt_cnt, bool flash_crypt_wr_dis)
+{
+    esp_err_t err;
+    esp_partition_info_t partition_table[ESP_PARTITION_TABLE_MAX_ENTRIES];
+    int num_partitions;
+
+    /* If the last spi_boot_crypt_cnt bit is burned or write-disabled, the
+       device can't re-encrypt itself. */
+    if (flash_crypt_wr_dis || spi_boot_crypt_cnt == EFUSE_SPI_BOOT_CRYPT_CNT) {
+        ESP_LOGE(TAG, "Cannot re-encrypt data (SPI_BOOT_CRYPT_CNT 0x%02x write disabled %d", spi_boot_crypt_cnt, flash_crypt_wr_dis);
+        return ESP_FAIL;
+    }
+
+    if (spi_boot_crypt_cnt == 0) {
+        /* Very first flash of encrypted data: generate keys, etc. */
+        err = initialise_flash_encryption();
+        if (err != ESP_OK) {
+            return err;
+        }
+    }
+
+    err = encrypt_bootloader();
+    if (err != ESP_OK) {
+        return err;
+    }
+
+    err = encrypt_and_load_partition_table(partition_table, &num_partitions);
+    if (err != ESP_OK) {
+        return err;
+    }
+
+    /* Now iterate the just-loaded partition table, looking for entries to encrypt
+     */
+
+    /* Go through each partition and encrypt if necessary */
+    for (int i = 0; i < num_partitions; i++) {
+        err = encrypt_partition(i, &partition_table[i]);
+        if (err != ESP_OK) {
+            return err;
+        }
+    }
+
+    ESP_LOGD(TAG, "All flash regions checked for encryption pass");
+
+    /* Set least significant 0-bit in spi_boot_crypt_cnt */
+    int ffs_inv = __builtin_ffs((~spi_boot_crypt_cnt) & 0x7);
+    /* ffs_inv shouldn't be zero, as zero implies spi_boot_crypt_cnt == 0xFF */
+    uint32_t new_spi_boot_crypt_cnt = spi_boot_crypt_cnt + (1 << (ffs_inv - 1));
+    ESP_LOGD(TAG, "SPI_BOOT_CRYPT_CNT 0x%x -> 0x%x", spi_boot_crypt_cnt, new_spi_boot_crypt_cnt);
+
+    ets_efuse_clear_program_registers();
+    REG_SET_FIELD(EFUSE_PGM_DATA2_REG, EFUSE_SPI_BOOT_CRYPT_CNT, new_spi_boot_crypt_cnt);
+    ets_efuse_program(ETS_EFUSE_BLOCK0);
+
+    ESP_LOGI(TAG, "Flash encryption completed");
+
+    return ESP_OK;
+}
+
+static esp_err_t encrypt_bootloader()
+{
+    esp_err_t err;
+    uint32_t image_length;
+    /* Check for plaintext bootloader (verification will fail if it's already encrypted) */
+    if (esp_image_verify_bootloader(&image_length) == ESP_OK) {
+        ESP_LOGD(TAG, "bootloader is plaintext. Encrypting...");
+        err = esp_flash_encrypt_region(ESP_BOOTLOADER_OFFSET, image_length);
+        if (err != ESP_OK) {
+            ESP_LOGE(TAG, "Failed to encrypt bootloader in place: 0x%x", err);
+            return err;
+        }
+
+        if (esp_secure_boot_enabled()) {
+            // TODO: anything different for secure boot?
+        }
+    }
+    else {
+        ESP_LOGW(TAG, "no valid bootloader was found");
+    }
+
+    return ESP_OK;
+}
+
+static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions)
+{
+    esp_err_t err;
+    /* Check for plaintext partition table */
+    err = bootloader_flash_read(ESP_PARTITION_TABLE_OFFSET, partition_table, ESP_PARTITION_TABLE_MAX_LEN, false);
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to read partition table data");
+        return err;
+    }
+    if (esp_partition_table_basic_verify(partition_table, false, num_partitions) == ESP_OK) {
+        ESP_LOGD(TAG, "partition table is plaintext. Encrypting...");
+        esp_err_t err = esp_flash_encrypt_region(ESP_PARTITION_TABLE_OFFSET,
+                                                 FLASH_SECTOR_SIZE);
+        if (err != ESP_OK) {
+            ESP_LOGE(TAG, "Failed to encrypt partition table in place. %x", err);
+            return err;
+        }
+    }
+    else {
+        ESP_LOGE(TAG, "Failed to read partition table data - not plaintext?");
+        return ESP_ERR_INVALID_STATE;
+    }
+
+    /* Valid partition table loded */
+    return ESP_OK;
+}
+
+
+static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition)
+{
+    esp_err_t err;
+    bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
+
+    if (partition->type == PART_TYPE_APP) {
+      /* check if the partition holds a valid unencrypted app */
+      esp_image_metadata_t data_ignored;
+      err = esp_image_load(ESP_IMAGE_VERIFY,
+                           &partition->pos,
+                           &data_ignored);
+      should_encrypt = (err == ESP_OK);
+    } else if (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA) {
+        /* check if we have ota data partition and the partition should be encrypted unconditionally */
+        should_encrypt = true;
+    }
+
+    if (!should_encrypt) {
+        return ESP_OK;
+    }
+    else {
+        /* should_encrypt */
+        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, partition->pos.size);
+
+        err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size);
+        ESP_LOGI(TAG, "Done encrypting");
+        if (err != ESP_OK) {
+            ESP_LOGE(TAG, "Failed to encrypt partition %d", index);
+        }
+        return err;
+    }
+}
+
+
+esp_err_t esp_flash_encrypt_region(uint32_t src_addr, size_t data_length)
+{
+    esp_err_t err;
+    uint32_t buf[FLASH_SECTOR_SIZE / sizeof(uint32_t)];
+
+    if (src_addr % FLASH_SECTOR_SIZE != 0) {
+        ESP_LOGE(TAG, "esp_flash_encrypt_region bad src_addr 0x%x",src_addr);
+        return ESP_FAIL;
+    }
+
+    for (size_t i = 0; i < data_length; i += FLASH_SECTOR_SIZE) {
+        uint32_t sec_start = i + src_addr;
+        err = bootloader_flash_read(sec_start, buf, FLASH_SECTOR_SIZE, false);
+        if (err != ESP_OK) {
+            goto flash_failed;
+        }
+        err = bootloader_flash_erase_sector(sec_start / FLASH_SECTOR_SIZE);
+        if (err != ESP_OK) {
+            goto flash_failed;
+        }
+        err = bootloader_flash_write(sec_start, buf, FLASH_SECTOR_SIZE, true);
+        if (err != ESP_OK) {
+            goto flash_failed;
+        }
+    }
+    return ESP_OK;
+
+ flash_failed:
+    ESP_LOGE(TAG, "flash operation failed: 0x%x", err);
+    return err;
+}

components/bootloader_support/src/esp32s2beta/secure_boot.c

@@ -0,0 +1,45 @@
+// Copyright 2015-2018 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include "esp_secure_boot.h"
+#include "esp_log.h"
+#include "esp32s2beta/rom/secure_boot.h"
+
+#define TAG "secure_boot"
+
+esp_err_t esp_secure_boot_permanently_enable(void)
+{
+    uint8_t hash[32];
+
+    if (ets_efuse_secure_boot_enabled())
+    {
+        ESP_LOGI(TAG, "secure boot is already enabled, continuing..");
+        return ESP_OK;
+    }
+
+    ESP_LOGI(TAG, "Verifying bootloader signature...\n");
+    int r = ets_secure_boot_verify_bootloader(hash, false);
+    if (r != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to verify bootloader signature");
+        return r;
+    }
+
+    ets_efuse_clear_program_registers();
+    REG_SET_BIT(EFUSE_PGM_DATA3_REG, EFUSE_SECURE_BOOT_EN);
+    ets_efuse_program(ETS_EFUSE_BLOCK0);
+
+    assert(ets_efuse_secure_boot_enabled());
+    ESP_LOGI(TAG, "Secure boot permanently enabled");
+
+    return ESP_OK;
+}

components/bootloader_support/src/esp32s2beta/secure_boot_signatures.c

@@ -0,0 +1,92 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include "sdkconfig.h"
+
+#include "bootloader_flash.h"
+#include "bootloader_sha.h"
+#include "esp_log.h"
+#include "esp_image_format.h"
+#include "esp32s2beta/rom/secure_boot.h"
+
+static const char* TAG = "secure_boot";
+
+#define DIGEST_LEN 32
+
+esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
+{
+    ets_secure_boot_key_digests_t trusted_keys = { 0 };
+    uint8_t digest[DIGEST_LEN];
+    const uint8_t *data;
+
+    ESP_LOGD(TAG, "verifying signature src_addr 0x%x length 0x%x", src_addr, length);
+
+    if ((src_addr + length) % 4096 != 0) {
+        ESP_LOGE(TAG, "addr 0x%x length 0x%x doesn't end on a sector boundary", src_addr, length);
+        return ESP_ERR_INVALID_ARG;
+    }
+
+    data = bootloader_mmap(src_addr, length + sizeof(struct ets_secure_boot_sig_block));
+    if(data == NULL) {
+        ESP_LOGE(TAG, "bootloader_mmap(0x%x, 0x%x) failed", src_addr, length+sizeof(ets_secure_boot_signature_t));
+        return ESP_FAIL;
+    }
+
+    // Calculate digest of main image
+#ifdef BOOTLOADER_BUILD
+    bootloader_sha256_handle_t handle = bootloader_sha256_start();
+    bootloader_sha256_data(handle, data, length);
+    bootloader_sha256_finish(handle, digest);
+#else
+    /* Use thread-safe esp-idf SHA function */
+    esp_sha(SHA2_256, data, length, digest);
+#endif
+
+    int r = ets_secure_boot_read_key_digests(&trusted_keys);
+
+    if (r == ETS_OK) {
+        const ets_secure_boot_signature_t *sig = (const ets_secure_boot_signature_t *)(data + length);
+        // TODO: calling this function in IDF app context is unsafe
+        r = ets_secure_boot_verify_signature(sig, digest, &trusted_keys);
+    }
+    bootloader_munmap(data);
+
+    return (r == ETS_OK) ? ESP_OK : ESP_FAIL;
+}
+
+esp_err_t esp_secure_boot_verify_signature_block(uint32_t sig_block_flash_offs, const uint8_t *image_digest)
+{
+    ets_secure_boot_key_digests_t trusted_keys;
+
+    assert(sig_block_flash_offs % 4096 == 0); // TODO: enforce this in a better way
+
+    const ets_secure_boot_signature_t *sig = bootloader_mmap(sig_block_flash_offs, sizeof(ets_secure_boot_signature_t));
+
+    if (sig == NULL) {
+        ESP_LOGE(TAG, "Failed to mmap data at offset 0x%x", sig_block_flash_offs);
+        return ESP_FAIL;
+    }
+
+    int r = ets_secure_boot_read_key_digests(&trusted_keys);
+    if (r != 0) {
+        ESP_LOGE(TAG, "No trusted key digests were found in efuse!");
+    } else {
+        ESP_LOGD(TAG, "Verifying with RSA-PSS...");
+        // TODO: calling this function in IDF app context is unsafe
+        r = ets_secure_boot_verify_signature(sig, image_digest, &trusted_keys);
+    }
+
+    bootloader_munmap(sig);
+
+    return (r == 0) ? ESP_OK : ESP_ERR_IMAGE_INVALID;
+}