1 /*
2 * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6 #include "sdkconfig.h"
7
8 #include "bootloader_flash_priv.h"
9 #include "bootloader_sha.h"
10 #include "bootloader_utility.h"
11 #include "bootloader_signature.h"
12 #include "esp_log.h"
13 #include "esp_image_format.h"
14 #include "mbedtls/sha256.h"
15 #include "mbedtls/x509.h"
16 #include "mbedtls/md.h"
17 #include "mbedtls/platform.h"
18 #include "mbedtls/entropy.h"
19 #include "mbedtls/ctr_drbg.h"
20 #include <string.h>
21 #include <sys/param.h>
22 #include "esp_secure_boot.h"
23 #include "esp_ota_ops.h"
24 #include "esp_efuse.h"
25 #include "esp_efuse_chip.h"
26
27 #include "secure_boot_signature_priv.h"
28
29 // Secure boot V2 for app
30
31 _Static_assert(SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == SECURE_BOOT_NUM_BLOCKS,
32 "Parts of this code rely on the max number of signatures appended to an image"
33 "being the same as the max number of trusted keys.");
34
35 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME || CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
36
37 static const char *TAG = "secure_boot_v2";
38 #define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
39
40 /* A signature block is valid when it has correct magic byte, crc. */
validate_signature_block(const ets_secure_boot_sig_block_t * block)41 static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *block)
42 {
43 if (block->magic_byte != ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC
44 || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
45 return ESP_FAIL;
46 }
47 return ESP_OK;
48 }
49
calculate_image_public_key_digests(bool verify_image_digest,bool digest_public_keys,esp_image_sig_public_key_digests_t * public_key_digests,esp_partition_pos_t * part_pos)50 static esp_err_t calculate_image_public_key_digests(bool verify_image_digest, bool digest_public_keys, esp_image_sig_public_key_digests_t *public_key_digests, esp_partition_pos_t *part_pos)
51 {
52 esp_image_metadata_t img_metadata = {0};
53 esp_err_t ret = esp_image_get_metadata(part_pos, &img_metadata);
54 if (ret != ESP_OK) {
55 ESP_LOGE(TAG, "Error reading metadata from running app (err=0x%x)", ret);
56 return ESP_FAIL;
57 }
58
59 uint8_t image_digest[ESP_SECURE_BOOT_DIGEST_LEN] = {0};
60 uint8_t __attribute__((aligned(4))) key_digest[ESP_SECURE_BOOT_DIGEST_LEN] = {0};
61 size_t sig_block_addr = img_metadata.start_addr + ALIGN_UP(img_metadata.image_len, FLASH_SECTOR_SIZE);
62
63 ESP_LOGD(TAG, "calculating public key digests for sig blocks of image offset 0x%"PRIu32" (sig block offset 0x%u)", img_metadata.start_addr, sig_block_addr);
64
65 bzero(public_key_digests, sizeof(esp_image_sig_public_key_digests_t));
66
67 if (verify_image_digest) {
68 ret = bootloader_sha256_flash_contents(img_metadata.start_addr, sig_block_addr - img_metadata.start_addr, image_digest);
69 if (ret != ESP_OK) {
70 ESP_LOGE(TAG, "error generating image digest, %d", ret);
71 return ret;
72 }
73 }
74
75 ESP_LOGD(TAG, "reading signature(s)");
76 for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
77 ets_secure_boot_sig_block_t block;
78 size_t addr = sig_block_addr + sizeof(ets_secure_boot_sig_block_t) * i;
79 esp_err_t err = bootloader_flash_read(addr, &block, sizeof(ets_secure_boot_sig_block_t), true);
80 if (err == ESP_OK) {
81 if (validate_signature_block(&block) == ESP_OK) {
82 if (digest_public_keys) {
83 bootloader_sha256_handle_t sig_block_sha = bootloader_sha256_start();
84 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
85 bootloader_sha256_data(sig_block_sha, &block.key, sizeof(block.key));
86 #elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
87 bootloader_sha256_data(sig_block_sha, &block.ecdsa.key, sizeof(block.ecdsa.key));
88 #endif
89 bootloader_sha256_finish(sig_block_sha, key_digest);
90 if (verify_image_digest) {
91 // Check we can verify the image using this signature and this key
92 uint8_t temp_verified_digest[ESP_SECURE_BOOT_DIGEST_LEN];
93 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
94 bool verified = ets_rsa_pss_verify(&block.key, block.signature, image_digest, temp_verified_digest);
95 #elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
96 bool verified = ets_ecdsa_verify(&block.ecdsa.key.point[0], block.ecdsa.signature, block.ecdsa.key.curve_id, image_digest, temp_verified_digest);
97 #endif
98 if (!verified) {
99 ESP_LOGE(TAG, "Secure boot key (%d) verification failed.", i);
100 continue;
101 }
102 ESP_LOGD(TAG, "Signature block (%d) is verified", i);
103 }
104 /* Copy the key digest to the buffer provided by the caller */
105 memcpy((void *)public_key_digests->key_digests[public_key_digests->num_digests], key_digest, ESP_SECURE_BOOT_DIGEST_LEN);
106 }
107 public_key_digests->num_digests++;
108 }
109 } else {
110 ESP_LOGE(TAG, "Secure boot sign blocks cannot be read from image at %lx (err=0x%x)", part_pos->offset, err);
111 return ESP_FAIL;
112 }
113 }
114
115 if (ret == ESP_OK && public_key_digests->num_digests > 0) {
116 ESP_LOGD(TAG, "Digests successfully calculated, %d valid signatures (image offset 0x%"PRIu32")",
117 public_key_digests->num_digests, img_metadata.start_addr);
118 }
119
120 if (public_key_digests->num_digests == 0) {
121 return ESP_ERR_NOT_FOUND;
122 }
123 return ret;
124 }
125
esp_secure_boot_get_signature_blocks_for_running_app(bool digest_public_keys,esp_image_sig_public_key_digests_t * public_key_digests)126 esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_public_keys, esp_image_sig_public_key_digests_t *public_key_digests)
127 {
128 esp_partition_pos_t part_pos;
129 const esp_partition_t* running_app_part = esp_ota_get_running_partition();
130 if (running_app_part == NULL) {
131 ESP_LOGE(TAG, "Cannot get running partition");
132 return ESP_FAIL;
133 }
134 part_pos.offset = running_app_part->address;
135 part_pos.size = running_app_part->size;
136
137 esp_err_t err = calculate_image_public_key_digests(false, digest_public_keys, public_key_digests, &part_pos);
138 if (public_key_digests->num_digests == 0) {
139 ESP_LOGE(TAG, "No signatures were found for the running app");
140 }
141 return err;
142 }
143
get_secure_boot_key_digests(esp_image_sig_public_key_digests_t * public_key_digests)144 static esp_err_t get_secure_boot_key_digests(esp_image_sig_public_key_digests_t *public_key_digests)
145 {
146 #ifdef CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
147 // Gets key digests from running app
148 ESP_LOGI(TAG, "Take trusted digest key(s) from running app");
149 return esp_secure_boot_get_signature_blocks_for_running_app(true, public_key_digests);
150 #elif CONFIG_SECURE_BOOT_V2_ENABLED
151 ESP_LOGI(TAG, "Take trusted digest key(s) from eFuse block(s)");
152 // Read key digests from efuse
153 esp_secure_boot_key_digests_t efuse_trusted;
154 if (esp_secure_boot_read_key_digests(&efuse_trusted) == ESP_OK) {
155 for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
156 if (efuse_trusted.key_digests[i] != NULL) {
157 memcpy(public_key_digests->key_digests[i], (uint8_t *)efuse_trusted.key_digests[i], ESP_SECURE_BOOT_KEY_DIGEST_LEN);
158 public_key_digests->num_digests++;
159 }
160 }
161 }
162 if (public_key_digests->num_digests > 0) {
163 return ESP_OK;
164 }
165 return ESP_ERR_NOT_FOUND;
166 #endif // CONFIG_SECURE_BOOT_V2_ENABLED
167 }
168
esp_secure_boot_verify_signature(uint32_t src_addr,uint32_t length)169 esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
170 {
171 uint8_t digest[ESP_SECURE_BOOT_KEY_DIGEST_LEN] = {0};
172 uint8_t verified_digest[ESP_SECURE_BOOT_KEY_DIGEST_LEN] = {0};
173
174 /* Rounding off length to the upper 4k boundary */
175 uint32_t padded_length = ALIGN_UP(length, FLASH_SECTOR_SIZE);
176 ESP_LOGD(TAG, "verifying signature src_addr 0x%"PRIx32" length 0x%"PRIx32, src_addr, length);
177
178 esp_err_t err = bootloader_sha256_flash_contents(src_addr, padded_length, digest);
179 if (err != ESP_OK) {
180 ESP_LOGE(TAG, "Digest calculation failed 0x%"PRIx32", 0x%"PRIx32, src_addr, padded_length);
181 return err;
182 }
183
184 const ets_secure_boot_signature_t *sig_block = bootloader_mmap(src_addr + padded_length, sizeof(ets_secure_boot_signature_t));
185 if (sig_block == NULL) {
186 ESP_LOGE(TAG, "Failed to mmap data at offset 0x%"PRIx32, src_addr + padded_length);
187 return ESP_FAIL;
188 }
189
190 err = esp_secure_boot_verify_sbv2_signature_block(sig_block, digest, verified_digest);
191 if (err != ESP_OK) {
192 ESP_LOGE(TAG, "Secure Boot V2 verification failed.");
193 }
194 bootloader_munmap(sig_block);
195 return err;
196 }
197
198 // This verify function is called only from app, during ota update.
199 // This function is compiled in case when CONFIG_SECURE_BOOT_V2_ENABLED==y or CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT==y.
200 // if CONFIG_SECURE_BOOT_V2_ENABLED==y and key digests from eFuse are missing, then FAIL (eFuse blocks should be set).
esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_signature_t * sig_block,const uint8_t * image_digest,uint8_t * verified_digest)201 esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
202 {
203 bool any_trusted_key = false;
204
205 /* Note: in IDF verification we don't add any fault injection resistance, as we don't expect this to be called
206 during boot-time verification. */
207 memset(verified_digest, 0, ESP_SECURE_BOOT_KEY_DIGEST_LEN);
208
209 esp_image_sig_public_key_digests_t trusted = {0};
210
211 if (get_secure_boot_key_digests(&trusted) != ESP_OK) {
212 ESP_LOGE(TAG, "Could not read secure boot digests!");
213 return ESP_FAIL;
214 }
215
216 int ret = 0;
217 #ifdef CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
218 const unsigned secure_boot_num_blocks = 1;
219 #else
220 const unsigned secure_boot_num_blocks = SECURE_BOOT_NUM_BLOCKS;
221 #endif
222
223 for (unsigned app_blk_idx = 0; app_blk_idx < secure_boot_num_blocks; app_blk_idx++) {
224 uint8_t app_blk_digest[ESP_SECURE_BOOT_DIGEST_LEN] = { 0 };
225 const ets_secure_boot_sig_block_t *app_blk = &sig_block->block[app_blk_idx];
226 const ets_secure_boot_sig_block_t *trusted_block = NULL;
227
228 if (validate_signature_block(app_blk) != ESP_OK) {
229 continue; // Skip invalid signature blocks
230 }
231
232 /* Generate the SHA of the public key components in the signature block */
233 bootloader_sha256_handle_t sig_block_sha = bootloader_sha256_start();
234 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
235 bootloader_sha256_data(sig_block_sha, &app_blk->key, sizeof(app_blk->key));
236 #elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
237 bootloader_sha256_data(sig_block_sha, &app_blk->ecdsa.key, sizeof(app_blk->ecdsa.key));
238 #endif
239
240 bootloader_sha256_finish(sig_block_sha, app_blk_digest);
241
242 /* Check if the key is one we trust */
243 for (unsigned trusted_key_idx = 0; trusted_key_idx < secure_boot_num_blocks; trusted_key_idx++) {
244 if (memcmp(app_blk_digest, trusted.key_digests[trusted_key_idx], ESP_SECURE_BOOT_KEY_DIGEST_LEN) == 0) {
245 ESP_LOGI(TAG, "#%d app key digest == #%d trusted key digest", app_blk_idx, trusted_key_idx);
246 trusted_block = app_blk;
247 any_trusted_key = true;
248 break;
249 }
250 ESP_LOGV(TAG, "not trusting app sig %d trust idx %d", app_blk_idx, trusted_key_idx);
251 }
252
253 if (trusted_block == NULL) {
254 continue; // Skip the signature blocks with no trusted digest
255 }
256
257 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
258 ESP_LOGI(TAG, "Verifying with RSA-PSS...");
259 ret = verify_rsa_signature_block(sig_block, image_digest, trusted_block);
260 #elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
261 ESP_LOGI(TAG, "Verifying with ECDSA...");
262 ret = verify_ecdsa_signature_block(sig_block, image_digest, trusted_block);
263 #endif
264 if (ret == 0) {
265 break;
266 }
267 }
268 return (ret != 0 || any_trusted_key == false) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
269 }
270
271 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
272 // To maintain backward compatibility
esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t * sig_block,const uint8_t * image_digest,uint8_t * verified_digest)273 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
274 {
275 return esp_secure_boot_verify_sbv2_signature_block(sig_block, image_digest, verified_digest);
276 }
277 #endif
278
279 #endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME || CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
280
281 #if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY && CONFIG_SECURE_BOOT_V2_ENABLED
282
esp_secure_boot_verify_with_efuse_digest_index(int efuse_digest_index,esp_partition_pos_t * part_pos)283 esp_err_t esp_secure_boot_verify_with_efuse_digest_index(int efuse_digest_index, esp_partition_pos_t *part_pos)
284 {
285 if (!part_pos || (efuse_digest_index < 0 || efuse_digest_index >= SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS)) {
286 return ESP_ERR_INVALID_ARG;
287 }
288 esp_image_sig_public_key_digests_t img_key_digests = {0};
289 esp_err_t ret = calculate_image_public_key_digests(true, true, &img_key_digests, part_pos);
290 if (ret != ESP_OK) {
291 return ESP_FAIL;
292 }
293 if (esp_efuse_get_digest_revoke(efuse_digest_index)) {
294 return ESP_FAIL;
295 }
296
297 // Read key digests from efuse
298 esp_secure_boot_key_digests_t efuse_key_digests;
299 memset(&efuse_key_digests, 0, sizeof(esp_secure_boot_key_digests_t));
300 esp_secure_boot_read_key_digests(&efuse_key_digests);
301
302 for (int i = 0; i < img_key_digests.num_digests; i++) {
303 if (!memcmp(img_key_digests.key_digests[i], efuse_key_digests.key_digests[efuse_digest_index], ESP_SECURE_BOOT_KEY_DIGEST_LEN)) {
304 return ESP_OK;
305 }
306 }
307 return ESP_FAIL;
308 }
309 #endif // SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY && CONFIG_SECURE_BOOT_V2_ENABLED
310
