secure boot: Support secure boot signatures without hardware secure boot

Allows OTA updates to be secured via signature checks, without requiring the overhead or complexity of a full secure boot implementation. Uses same signing mechanisms (build system and/or espsecure.py as Secure Boot). Requires: * [ ] More testing * [ ] Documentation
2025-08-16 23:05:38 +00:00 · 2018-07-19 15:15:37 +10:00
parent 27f3c3e668
commit b364f23e17
5 changed files with 88 additions and 14 deletions
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -24,6 +24,20 @@
 #include <bootloader_random.h>
 #include <bootloader_sha.h>

+/* Checking signatures as part of verifying images is necessary:
+   - Always if secure boot is enabled
+   - Differently in bootloader and/or app, depending on kconfig
+*/
+#ifdef BOOTLOADER_BUILD
+#ifdef CONFIG_SECURE_SIGNED_ON_BOOT
+#define SECURE_BOOT_CHECK_SIGNATURE
+#endif
+#else /* !BOOTLOADER_BUILD */
+#ifdef CONFIG_SECURE_SIGNED_ON_UPDATE
+#define SECURE_BOOT_CHECK_SIGNATURE
+#endif
+#endif
+
 static const char *TAG = "esp_image";

 #define HASH_LEN 32 /* SHA-256 digest length */
@@ -107,7 +121,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
    }

    // Calculate SHA-256 of image if secure boot is on, or if image has a hash appended
-#ifdef CONFIG_SECURE_BOOT_ENABLED
+#ifdef SECURE_BOOT_CHECK_SIGNATURE
    if (1) {
 #else
    if (data->image.hash_appended) {
@@ -174,7 +188,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
       rewritten the header - rely on esptool.py having verified the bootloader at flashing time, instead.
    */
    if (!is_bootloader) {
-#ifdef CONFIG_SECURE_BOOT_ENABLED
+#ifdef SECURE_BOOT_CHECK_SIGNATURE
        // secure boot images have a signature appended
        err = verify_secure_boot_signature(sha_handle, data);
 #else
@@ -182,7 +196,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
        if (sha_handle != NULL && !esp_cpu_in_ocd_debug_mode()) {
            err = verify_simple_hash(sha_handle, data);
        }
-#endif // CONFIG_SECURE_BOOT_ENABLED
+#endif // SECURE_BOOT_CHECK_SIGNATURE
    } else { // is_bootloader
        // bootloader may still have a sha256 digest handle open
        if (sha_handle != NULL) {
@@ -519,6 +533,8 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
 {
    uint8_t image_hash[HASH_LEN] = { 0 };

+    ESP_LOGI(TAG, "Verifying image signature...");
+
    // For secure boot, we calculate the signature hash over the whole file, which includes any "simple" hash
    // appended to the image for corruption detection
    if (data->image.hash_appended) {