1 /*
2  * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 #include "sdkconfig.h"
7 
8 #include <string.h>
9 #include "esp_fault.h"
10 #include "bootloader_flash_priv.h"
11 #include "bootloader_sha.h"
12 #include "bootloader_utility.h"
13 #include "esp_log.h"
14 #include "esp_image_format.h"
15 #include "esp_secure_boot.h"
16 #include "esp_efuse.h"
17 
18 // Secure boot V2 for bootloader.
19 
20 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_BOOT_V2_ENABLED
21 
22 static const char* TAG = "secure_boot_v2";
23 
24 #define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
25 
esp_secure_boot_verify_signature(uint32_t src_addr,uint32_t length)26 esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
27 {
28     uint8_t digest[ESP_SECURE_BOOT_DIGEST_LEN] = {0};
29     uint8_t verified_digest[ESP_SECURE_BOOT_DIGEST_LEN] = { 0 }; /* Note: this function doesn't do any anti-FI checks on this buffer */
30 
31     /* Rounding off length to the upper 4k boundary */
32     uint32_t padded_length = ALIGN_UP(length, FLASH_SECTOR_SIZE);
33     ESP_LOGD(TAG, "verifying signature src_addr 0x%x length 0x%x", src_addr, length);
34 
35     /* Calculate digest of main image */
36     esp_err_t err = bootloader_sha256_flash_contents(src_addr, padded_length, digest);
37     if (err != ESP_OK) {
38         ESP_LOGE(TAG, "Digest calculation failed 0x%x, 0x%x", src_addr, padded_length);
39         return err;
40     }
41 
42     const ets_secure_boot_signature_t *sig_block = bootloader_mmap(src_addr + padded_length, sizeof(ets_secure_boot_signature_t));
43     if (sig_block == NULL) {
44         ESP_LOGE(TAG, "Failed to mmap data at offset 0x%x", src_addr + padded_length);
45         return ESP_FAIL;
46     }
47 
48     err = esp_secure_boot_verify_rsa_signature_block(sig_block, digest, verified_digest);
49     if (err != ESP_OK) {
50         ESP_LOGE(TAG, "Secure Boot V2 verification failed.");
51     }
52     bootloader_munmap(sig_block);
53     return err;
54 }
55 
56 /* A signature block is valid when it has correct magic byte, crc. */
validate_signature_block(const ets_secure_boot_sig_block_t * block)57 static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *block)
58 {
59     if (block->magic_byte != ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC
60         || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
61         return ESP_FAIL;
62     }
63     return ESP_OK;
64 }
65 
get_secure_boot_key_digests(esp_image_sig_public_key_digests_t * public_key_digests)66 static esp_err_t get_secure_boot_key_digests(esp_image_sig_public_key_digests_t *public_key_digests)
67 {
68     // Read key digests from efuse
69     ets_secure_boot_key_digests_t trusted_keys;
70     ets_secure_boot_key_digests_t trusted_key_copies[2];
71 
72     memset(&trusted_keys, 0, sizeof(ets_secure_boot_key_digests_t));
73     memset(trusted_key_copies, 0, 2 * sizeof(ets_secure_boot_key_digests_t));
74 
75     esp_err_t err = esp_secure_boot_read_key_digests(&trusted_keys);
76 
77     // Create the copies for FI checks (assuming result is ETS_OK, if it's not then it'll fail the fault check anyhow)
78     esp_secure_boot_read_key_digests(&trusted_key_copies[0]);
79     esp_secure_boot_read_key_digests(&trusted_key_copies[1]);
80     ESP_FAULT_ASSERT(memcmp(&trusted_keys, &trusted_key_copies[0], sizeof(ets_secure_boot_key_digests_t)) == 0);
81     ESP_FAULT_ASSERT(memcmp(&trusted_keys, &trusted_key_copies[1], sizeof(ets_secure_boot_key_digests_t)) == 0);
82 
83     if (err == ESP_OK) {
84         for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
85             if (trusted_keys.key_digests[i] != NULL) {
86                 memcpy(public_key_digests->key_digests[i], (uint8_t *)trusted_keys.key_digests[i], ESP_SECURE_BOOT_DIGEST_LEN);
87                 public_key_digests->num_digests++;
88             }
89         }
90 #if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
91         if (esp_efuse_block_is_empty(EFUSE_BLK_SECURE_BOOT)) {
92             return ESP_ERR_NOT_FOUND;
93         }
94 #endif // SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
95         if (public_key_digests->num_digests > 0) {
96             return ESP_OK;
97         }
98     }
99     return ESP_ERR_NOT_FOUND;
100 }
101 
102 // if CONFIG_SECURE_BOOT_V2_ENABLED==y and key digests from eFuse are missing, then it is the first boot,
103 // trusted.key_digests are filled from app sig_block.
esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t * sig_block,const uint8_t * image_digest,uint8_t * verified_digest)104 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
105 {
106     esp_image_sig_public_key_digests_t trusted = {0};
107     bool efuse_keys_are_not_set = false;
108     if (get_secure_boot_key_digests(&trusted) != ESP_OK) {
109         if (esp_secure_boot_enabled()) {
110             ESP_LOGE(TAG, "Could not read eFuse secure boot digests!");
111             return ESP_FAIL;
112         } else {
113             ESP_LOGI(TAG, "Secure boot V2 is not enabled yet and eFuse digest keys are not set");
114             efuse_keys_are_not_set = true;
115             ESP_FAULT_ASSERT(!esp_secure_boot_enabled());
116         }
117     }
118 
119     if (!esp_secure_boot_enabled()) {
120         // It is the first boot. eFuse secure boot bit is not set yet. eFuse block(s) can be written or not.
121         // Generating the SHA of the public key components in the signature block
122         for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
123             if (validate_signature_block(&sig_block->block[i]) == ESP_OK) {
124                 if (efuse_keys_are_not_set) {
125                     // if efuse key digests are not in eFuse yet due to it is the first boot
126                     // then use digests from app to skip error in ets_secure_boot_verify_signature().
127                     bootloader_sha256_handle_t sig_block_sha = bootloader_sha256_start();
128                     bootloader_sha256_data(sig_block_sha, &sig_block->block[i].key, sizeof(sig_block->block[i].key));
129                     bootloader_sha256_finish(sig_block_sha, trusted.key_digests[i]);
130                 }
131             }
132         }
133         ESP_FAULT_ASSERT(!esp_secure_boot_enabled());
134     }
135 
136     ESP_LOGI(TAG, "Verifying with RSA-PSS...");
137 #if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
138     int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest);
139 #else
140     ets_secure_boot_key_digests_t trusted_key_digests = {0};
141     for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
142         trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
143     }
144     // Key revocation happens in ROM bootloader.
145     // Do NOT allow key revocation while verifying application
146     trusted_key_digests.allow_key_revoke = false;
147     int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_key_digests, verified_digest);
148 #endif
149     if (sb_result != SB_SUCCESS) {
150         ESP_LOGE(TAG, "Secure Boot V2 verification failed.");
151         return ESP_ERR_IMAGE_INVALID;
152     } else {
153         ESP_LOGI(TAG, "Signature verified successfully!");
154         return ESP_OK;
155     }
156 }
157 #endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_BOOT_V2_ENABLED
158