/*
 * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */

/*
 * Declarations of the ESP32 mask-ROM secure boot routines (ets_secure_boot_*).
 * Nothing here is implemented in IDF; the symbols resolve to the ROM.  The
 * Secure Boot V2 (RSA-PSS) API and its on-flash layouts are only visible when
 * CONFIG_ESP32_REV_MIN_3 is set, which is why sdkconfig.h must be pulled in
 * before anything else.
 */
#include "sdkconfig.h"

#pragma once

#include <stdint.h>
#include "ets_sys.h"
/* NOTE(review): `bool` is used below without a <stdbool.h> include in this
 * file; presumably ets_sys.h provides it — confirm. */

#ifdef __cplusplus
extern "C" {
#endif

/* Secure boot routines present on every ESP32 revision.  All take raw word
 * buffers; their exact contracts are defined by the ROM, not by this header. */
void ets_secure_boot_start(void);

void ets_secure_boot_finish(void);

void ets_secure_boot_hash(const uint32_t *buf);

void ets_secure_boot_obtain(void);

int ets_secure_boot_check(uint32_t *buf);

void ets_secure_boot_rd_iv(uint32_t *buf);

void ets_secure_boot_rd_abstract(uint32_t *buf);

bool ets_secure_boot_check_start(uint8_t abs_index, uint32_t iv_addr);

int ets_secure_boot_check_finish(uint32_t *abstract);

#ifdef CONFIG_ESP32_REV_MIN_3
/* Secure Boot V2 (ESP32 ECO3 and later): RSA-PSS signature blocks. */
#include "rsa_pss.h"

/* Number of signature blocks IDF actually verifies (the ROM can hold up to
 * SECURE_BOOT_MAX_APPENDED_SIGN_BLOCKS_TO_IMAGE). */
#define SECURE_BOOT_NUM_BLOCKS 1

/* 1196 == sizeof(ets_secure_boot_sig_block_t) - sizeof(block_crc) - sizeof(_padding),
 * i.e. the bytes of a block that precede block_crc; presumably the span the
 * CRC is computed over — confirm against the ROM. */
#define CRC_SIGN_BLOCK_LEN 1196
/* The signature sector occupies one full flash sector. */
#define SIG_BLOCK_PADDING 4096
/* Expected value of ets_secure_boot_sig_block_t.magic_byte. */
#define ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC 0xE7

// Anti-FI measure: use full words for success/fail internally, instead of 0/non-zero
//
// Both outcomes are distinct, non-zero 32-bit patterns so that a glitched or
// partially corrupted return value is unlikely to land on the success word.
// Consequently callers must compare against SBV2_SUCCESS explicitly; a plain
// `if (ret)` / `if (!ret)` test is wrong because SBV2_FAILED is non-zero too.
// SB_* are aliases of SBV2_* with identical values.
typedef enum {
    SBV2_SUCCESS = 0x3A5A5AA5,
    SB_SUCCESS = 0x3A5A5AA5,
    SBV2_FAILED = 0xA533885A,
    SB_FAILED = 0xA533885A,
} secure_boot_v2_status_t;

/* Secure Boot Version 2 signature format for ESP32 ECO3 */
typedef struct {
    uint8_t magic_byte;          /* must equal ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC */
    uint8_t version;             /* signature block format version (value not defined here) */
    uint8_t _reserved1;
    uint8_t _reserved2;
    uint8_t image_digest[32];    /* SHA-256 digest of the image this block signs */
    ets_rsa_pubkey_t key;        /* signer's public key; the size assert below implies sizeof == 776 */
    uint8_t signature[384];      /* RSA-PSS signature, 384 bytes (3072-bit modulus) */
    uint32_t block_crc;          /* CRC over the preceding fields (see CRC_SIGN_BLOCK_LEN) */
    uint8_t _padding[16];        /* pads the block to 1216 bytes */
} ets_secure_boot_sig_block_t;
/* Layout is ABI with the ROM: any field change must keep this size. */
_Static_assert(sizeof(ets_secure_boot_sig_block_t) == 1216, "invalid sig block size");

/* ROM supports up to 3, but IDF only checks the first one (SECURE_BOOT_NUM_BLOCKS) */
#define SECURE_BOOT_MAX_APPENDED_SIGN_BLOCKS_TO_IMAGE 3

/* Multiple key block support */
typedef struct {
    ets_secure_boot_sig_block_t block[SECURE_BOOT_MAX_APPENDED_SIGN_BLOCKS_TO_IMAGE];
    /* 3 * 1216 = 3648 bytes of blocks, padded out to the 4096-byte sector */
    uint8_t _padding[4096 - (sizeof(ets_secure_boot_sig_block_t) * SECURE_BOOT_MAX_APPENDED_SIGN_BLOCKS_TO_IMAGE)];
} ets_secure_boot_signature_t;

_Static_assert(sizeof(ets_secure_boot_signature_t) == 4096, "invalid sig sector size");

/* Trusted public-key digests, one per verified block (SECURE_BOOT_NUM_BLOCKS). */
typedef struct {
    const void *key_digests[SECURE_BOOT_NUM_BLOCKS];
} ets_secure_boot_key_digests_t;

/** @brief Verifies the signature block appended to a firmware image. Implemented in the ROM.
 *
 * This function is used to verify the bootloader before burning its public key hash into Efuse.
 * Also, it is used to verify the app on loading the image on boot and on OTA.
 *
 * The public key is carried inside the signature block itself; it is only trusted
 * when its SHA-256 digest matches trusted_key_digest, so the digest is the trust
 * anchor and must originate from a trusted source (eFuse during normal boot), not
 * from the image being verified.
 *
 * @param sig The signature block flashed aligned 4096 bytes from the firmware. The ROM
 *            implementation expects the full sector, i.e. all three entries
 *            sig->block[0..2] of ets_secure_boot_signature_t, even though IDF
 *            only checks the first (SECURE_BOOT_NUM_BLOCKS).
 * @param image_digest The SHA-256 Digest of the firmware to be verified
 * @param trusted_key_digest The SHA-256 Digest of the public key (ets_rsa_pubkey_t) of a single signature block.
 * @param verified_digest Output buffer written by the ROM with the digest recovered from the
 *                        RSA-PSS signature of image_digest. Pass an uninitialised array
 *                        (presumably 32 bytes, matching image_digest — confirm).
 *
 * @return SBV2_SUCCESS if signature is valid
 *         SBV2_FAILED for failures.
 *         Compare against SBV2_SUCCESS explicitly; both values are non-zero.
 */
secure_boot_v2_status_t ets_secure_boot_verify_signature(const ets_secure_boot_signature_t *sig, const uint8_t *image_digest, const uint8_t *trusted_key_digest, uint8_t *verified_digest);

/** @brief This function verifies the 1st stage bootloader. Implemented in the ROM.
 * Reboots post verification. It reads the Efuse key for verification of the public key.
 *
 * This function is not used in the current workflow.
 *
 */
void ets_secure_boot_verify_boot_bootloader(void);

/** @brief Confirms if the secure boot V2 has been enabled. Implemented in the ROM.
 *
 * In ESP32-ECO3 - It checks the value of ABS_DONE_1 in EFuse.
 *
 * @return true if Secure boot v2 has been enabled
 *         false if Secure boot v2 has not been enabled.
 */
bool ets_use_secure_boot_v2(void);

#else
/* Pre-ECO3 silicon: no V2 signature blocks are verified. */
#define SECURE_BOOT_NUM_BLOCKS 0

#endif /* CONFIG_ESP32_REV_MIN_3 */

#ifdef __cplusplus
}
#endif