1 /*
2 * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6 #include "sdkconfig.h"
7
8 #include <string.h>
9 #include "esp_fault.h"
10 #include "bootloader_flash_priv.h"
11 #include "bootloader_sha.h"
12 #include "bootloader_utility.h"
13 #include "bootloader_signature.h"
14 #include "esp_log.h"
15 #include "esp_image_format.h"
16 #include "esp_secure_boot.h"
17 #include "esp_efuse.h"
18
19 // Secure boot V2 for bootloader.
20
21 #if CONFIG_SECURE_BOOT_V2_ENABLED
22
23 static const char* TAG = "secure_boot_v2";
24
25 #define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
26
esp_secure_boot_verify_signature(uint32_t src_addr,uint32_t length)27 esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length)
28 {
29 uint8_t digest[ESP_SECURE_BOOT_DIGEST_LEN] = {0};
30 uint8_t verified_digest[ESP_SECURE_BOOT_DIGEST_LEN] = { 0 }; /* Note: this function doesn't do any anti-FI checks on this buffer */
31
32 /* Rounding off length to the upper 4k boundary */
33 uint32_t padded_length = ALIGN_UP(length, FLASH_SECTOR_SIZE);
34 ESP_LOGD(TAG, "verifying signature src_addr 0x%x length 0x%x", src_addr, length);
35
36 /* Calculate digest of main image */
37 esp_err_t err = bootloader_sha256_flash_contents(src_addr, padded_length, digest);
38 if (err != ESP_OK) {
39 ESP_LOGE(TAG, "Digest calculation failed 0x%x, 0x%x", src_addr, padded_length);
40 return err;
41 }
42
43 const ets_secure_boot_signature_t *sig_block = bootloader_mmap(src_addr + padded_length, sizeof(ets_secure_boot_signature_t));
44 if (sig_block == NULL) {
45 ESP_LOGE(TAG, "Failed to mmap data at offset 0x%x", src_addr + padded_length);
46 return ESP_FAIL;
47 }
48
49 err = esp_secure_boot_verify_sbv2_signature_block(sig_block, digest, verified_digest);
50 if (err != ESP_OK) {
51 ESP_LOGE(TAG, "Secure Boot V2 verification failed.");
52 }
53 bootloader_munmap(sig_block);
54 return err;
55 }
56
57 /* A signature block is valid when it has correct magic byte, crc. */
validate_signature_block(const ets_secure_boot_sig_block_t * block)58 static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *block)
59 {
60 if (block->magic_byte != ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC
61 || block->block_crc != esp_rom_crc32_le(0, (uint8_t *)block, CRC_SIGN_BLOCK_LEN)) {
62 return ESP_FAIL;
63 }
64 return ESP_OK;
65 }
66
get_secure_boot_key_digests(esp_image_sig_public_key_digests_t * public_key_digests)67 static esp_err_t get_secure_boot_key_digests(esp_image_sig_public_key_digests_t *public_key_digests)
68 {
69 // Read key digests from efuse
70 esp_secure_boot_key_digests_t trusted_keys;
71 esp_secure_boot_key_digests_t trusted_key_copies[2];
72
73 memset(&trusted_keys, 0, sizeof(esp_secure_boot_key_digests_t));
74 memset(trusted_key_copies, 0, 2 * sizeof(esp_secure_boot_key_digests_t));
75
76 esp_err_t err = esp_secure_boot_read_key_digests(&trusted_keys);
77
78 // Create the copies for FI checks (assuming result is ETS_OK, if it's not then it'll fail the fault check anyhow)
79 esp_secure_boot_read_key_digests(&trusted_key_copies[0]);
80 esp_secure_boot_read_key_digests(&trusted_key_copies[1]);
81 ESP_FAULT_ASSERT(memcmp(&trusted_keys, &trusted_key_copies[0], sizeof(esp_secure_boot_key_digests_t)) == 0);
82 ESP_FAULT_ASSERT(memcmp(&trusted_keys, &trusted_key_copies[1], sizeof(esp_secure_boot_key_digests_t)) == 0);
83
84 if (err == ESP_OK) {
85 for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
86 if (trusted_keys.key_digests[i] != NULL) {
87 memcpy(public_key_digests->key_digests[i], (uint8_t *)trusted_keys.key_digests[i], ESP_SECURE_BOOT_KEY_DIGEST_LEN);
88 public_key_digests->num_digests++;
89 }
90 }
91 #if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
92 if (esp_efuse_block_is_empty(EFUSE_BLK_SECURE_BOOT)) {
93 return ESP_ERR_NOT_FOUND;
94 }
95 #endif // SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
96 if (public_key_digests->num_digests > 0) {
97 return ESP_OK;
98 }
99 }
100 return ESP_ERR_NOT_FOUND;
101 }
102
103 // if CONFIG_SECURE_BOOT_V2_ENABLED==y and key digests from eFuse are missing, then it is the first boot,
104 // trusted.key_digests are filled from app sig_block.
esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_signature_t * sig_block,const uint8_t * image_digest,uint8_t * verified_digest)105 esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
106 {
107 esp_image_sig_public_key_digests_t trusted = {0};
108 bool efuse_keys_are_not_set = false;
109 if (get_secure_boot_key_digests(&trusted) != ESP_OK) {
110 if (esp_secure_boot_enabled()) {
111 ESP_LOGE(TAG, "Could not read eFuse secure boot digests!");
112 return ESP_FAIL;
113 } else {
114 ESP_LOGI(TAG, "Secure boot V2 is not enabled yet and eFuse digest keys are not set");
115 efuse_keys_are_not_set = true;
116 ESP_FAULT_ASSERT(!esp_secure_boot_enabled());
117 }
118 }
119
120 if (!esp_secure_boot_enabled()) {
121 // It is the first boot. eFuse secure boot bit is not set yet. eFuse block(s) can be written or not.
122 // Generating the SHA of the public key components in the signature block
123 for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
124 if (validate_signature_block(&sig_block->block[i]) == ESP_OK) {
125 if (efuse_keys_are_not_set) {
126 // if efuse key digests are not in eFuse yet due to it is the first boot
127 // then use digests from app to skip error in ets_secure_boot_verify_signature().
128 bootloader_sha256_handle_t sig_block_sha = bootloader_sha256_start();
129 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
130 bootloader_sha256_data(sig_block_sha, &sig_block->block[i].key, sizeof(sig_block->block[i].key));
131 #elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
132 bootloader_sha256_data(sig_block_sha, &sig_block->block[i].ecdsa.key, sizeof(sig_block->block[i].ecdsa.key));
133 #endif
134 bootloader_sha256_finish(sig_block_sha, trusted.key_digests[i]);
135 }
136 }
137 }
138 ESP_FAULT_ASSERT(!esp_secure_boot_enabled());
139 }
140
141 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
142 ESP_LOGI(TAG, "Verifying with RSA-PSS...");
143 #else
144 ESP_LOGI(TAG, "Verifying with ECDSA...");
145 #endif
146
147 #if CONFIG_IDF_TARGET_ESP32
148 int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest);
149 #else
150 ets_secure_boot_key_digests_t trusted_key_digests = {0};
151 for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
152 trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
153 }
154
155 // Key revocation happens in ROM bootloader.
156 // Do NOT allow key revocation while verifying application
157 trusted_key_digests.allow_key_revoke = false;
158
159 int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_key_digests, verified_digest);
160 #endif // CONFIG_IDF_TARGET_ESP32
161
162 if (sb_result != SB_SUCCESS) {
163 ESP_LOGE(TAG, "Secure Boot V2 verification failed.");
164 return ESP_ERR_IMAGE_INVALID;
165 } else {
166 ESP_LOGI(TAG, "Signature verified successfully!");
167 return ESP_OK;
168 }
169 }
170
171 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
172 // To maintain backward compatibility
esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t * sig_block,const uint8_t * image_digest,uint8_t * verified_digest)173 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest)
174 {
175 return esp_secure_boot_verify_sbv2_signature_block(sig_block, image_digest, verified_digest);
176 }
177 #endif
178
179 #endif // CONFIG_SECURE_BOOT_V2_ENABLED
180