bootloader: Add fault injection resistance to Secure Boot bootloader verification

Goal is that multiple faults would be required to bypass a boot-time signature check.

- Also strengthens some address range checks for safe app memory addresses
- Change pre-enable logic to also check the bootloader signature before enabling SBV2 on ESP32

Add some additional checks for invalid sections:

- Sections only partially in DRAM or IRAM are invalid
- If a section is in D/IRAM, allow the possibility only some is in D/IRAM
- Only pass sections that are entirely in the same type of RTC memory region

components/esp_rom/include/esp32s2/rom/secure_boot.h

@@ -1,4 +1,4 @@
-// Copyright 2015-2018 Espressif Systems (Shanghai) PTE LTD
+// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -29,45 +29,77 @@ typedef struct ets_secure_boot_sig_block ets_secure_boot_sig_block_t;
 typedef struct ets_secure_boot_signature ets_secure_boot_signature_t;
 typedef struct ets_secure_boot_key_digests ets_secure_boot_key_digests_t;
 
-/* Verify bootloader image (reconfigures cache to map,
- loads trusted key digests from efuse)
+/* 64KB 'staging buffer' for loading the verified bootloader
 
- If allow_key_revoke is true and aggressive revoke efuse is set,
- any failed signature has its associated key revoked in efuse.
+   Comes from the "shared buffers" region (see shared_buffers.h)
 
- If result is ETS_OK, the "simple hash" of the bootloader
- is copied into verified_hash.
+   The bootloader can't be safely linked into this address range
+   (may be possible with some cleverness.)
 */
-int ets_secure_boot_verify_bootloader(uint8_t *verified_hash, bool allow_key_revoke);
+#define SECURE_BOOT_STAGING_BUFFER_START ((uint32_t)(g_shared_buffers.secure_boot_staging_buf))
+#define SECURE_BOOT_STAGING_BUFFER_SZ    sizeof(g_shared_buffers.secure_boot_staging_buf)
+#define SECURE_BOOT_STAGING_BUFFER_END   (SECURE_BOOT_STAGING_BUFFER_START + SECURE_BOOT_STAGING_BUFFER_SZ)
 
-/* Verify bootloader image (reconfigures cache to map), with
-   key digests provided as parameters.)
+/* Anti-FI measure: use full words for success/fail, instead of
+   0/non-zero
+*/
+typedef enum {
+    SB_SUCCESS = 0x3A5A5AA5,
+    SB_FAILED = 0x7533885E,
+} ets_secure_boot_status_t;
+
+
+/* Verify and stage-load the bootloader image
+   (reconfigures cache to map, loads trusted key digests from efuse,
+   copies the bootloader into the staging buffer.)
+
+   If allow_key_revoke is true and aggressive revoke efuse is set,
+   any failed signature has its associated key revoked in efuse.
+
+   If result is SB_SUCCESS, the "simple hash" of the bootloader
+   is copied into verified_hash.
+*/
+ets_secure_boot_status_t ets_secure_boot_verify_stage_bootloader(uint8_t *verified_hash, bool allow_key_revoke);
+
+/* Verify bootloader image (reconfigures cache to map),
+   with key digests provided as parameters.)
 
    Can be used to verify secure boot status before enabling
    secure boot permanently.
 
-   If result is ETS_OK, the "simple hash" of the bootloader is
+   If stage_load parameter is true, bootloader is copied into staging
+   buffer in RAM at the same time.
+
+   If result is SB_SUCCESS, the "simple hash" of the bootloader is
    copied into verified_hash.
 */
-int ets_secure_boot_verify_bootloader_with_keys(uint8_t *verified_hash, const ets_secure_boot_key_digests_t *trusted_keys);
+ets_secure_boot_status_t ets_secure_boot_verify_bootloader_with_keys(uint8_t *verified_hash, const ets_secure_boot_key_digests_t *trusted_keys, bool stage_load);
+
+/* Read key digests from efuse. Any revoked/missing digests will be
+   marked as NULL
+*/
+ETS_STATUS ets_secure_boot_read_key_digests(ets_secure_boot_key_digests_t *trusted_keys);
 
 /* Verify supplied signature against supplied digest, using
    supplied trusted key digests.
 
-   Doesn't reconfigure cache or any other hardware access.
-*/
-int ets_secure_boot_verify_signature(const ets_secure_boot_signature_t *sig, const uint8_t *image_digest, const ets_secure_boot_key_digests_t *trusted_keys);
+   Doesn't reconfigure cache or any other hardware access except for RSA peripheral.
 
-/* Read key digests from efuse. Any revoked/missing digests will be
-   marked as NULL
-
-   Returns 0 if at least one valid digest was found.
+   If result is SB_SUCCESS, the image_digest value is copied into verified_digest.
 */
-int ets_secure_boot_read_key_digests(ets_secure_boot_key_digests_t *trusted_keys);
+ets_secure_boot_status_t ets_secure_boot_verify_signature(const ets_secure_boot_signature_t *sig, const uint8_t *image_digest, const ets_secure_boot_key_digests_t *trusted_keys, uint8_t *verified_digest);
+
+/* Revoke a public key digest in efuse.
+   @param index Digest to revoke. Must be 0, 1 or 2.
+ */
+void ets_secure_boot_revoke_public_key_digest(int index);
 
 #define ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC 0xE7
 
-/* Secure Boot V2 signature block (up to 3 can be appended) */
+/* Secure Boot V2 signature block
+
+   (Up to 3 in a signature sector are appended to the image)
+ */
 struct ets_secure_boot_sig_block {
     uint8_t magic_byte;
     uint8_t version;
@@ -92,8 +124,10 @@ struct ets_secure_boot_signature {
 
 _Static_assert(sizeof(ets_secure_boot_signature_t) == 4096, "invalid sig sector size");
 
+#define MAX_KEY_DIGESTS 3
+
 struct ets_secure_boot_key_digests {
-    const void *key_digests[3];
+    const void *key_digests[MAX_KEY_DIGESTS];
     bool allow_key_revoke;
 };