secure boot: Add boot check for SBV2 "check app signature on update"

As this mode uses the public keys attached to the existing app's signatures to
verify the next app, checking that a signature block is found on boot prevents
the possibility of deploying a non-updatable device from the factory.

components/bootloader_support/include/esp_secure_boot.h

@@ -243,6 +243,34 @@ typedef struct {
  */
 void esp_secure_boot_init_checks(void);
 
+#if !BOOTLOADER_BUILD && CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+
+/** @brief Scan the current running app for signature blocks
+ *
+ * @note This function doesn't verify that the signatures are valid or the
+ * corresponding public keys are trusted, it only reads the number of signature
+ * blocks present and optionally calculates the digests of the public keys
+ * provided in the signature blocks.
+ *
+ * @param digest_public_keys If true, the key_digests fields in the
+ * public_key_digests structure will be filled with the digests of the public
+ * key provided in each signature block. Note that if Secure Boot V2 is enabled,
+ * each public key will only be trusted if the same digest is also present in
+ * eFuse (but this is not checked by this function).
+ *
+ * @param public_key_digests[out] Structure is initialized with the num_digests
+ * field set to the number of signatures found. If digest_public_keys is set,
+ * the public key digests are also calculated and stored here.
+ *
+ * @return
+ *  - ESP_OK - At least one signature was found
+ *  - ESP_ERR_NOT_FOUND - No signatures were found, num_digests value will be zero
+ *  - ESP_FAIL - An error occured trying to read the signature blocks from flash
+ */
+esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_public_keys, esp_image_sig_public_key_digests_t *public_key_digests);
+
+#endif // !BOOTLOADER_BUILD && CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+
 #ifdef __cplusplus
 }
 #endif