1 /*
2 * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6 #pragma once
7
8 #include <stdbool.h>
9 #include <esp_err.h>
10 #include "soc/efuse_periph.h"
11 #include "soc/soc_caps.h"
12 #include "esp_image_format.h"
13 #include "esp_rom_efuse.h"
14 #include "sdkconfig.h"
15 #include "esp_rom_crc.h"
16 #include "hal/efuse_ll.h"
17
18 #ifdef CONFIG_SECURE_BOOT_V1_ENABLED
19 #if !defined(CONFIG_SECURE_SIGNED_ON_BOOT) || !defined(CONFIG_SECURE_SIGNED_ON_UPDATE) || !defined(CONFIG_SECURE_SIGNED_APPS)
20 #error "internal sdkconfig error, secure boot should always enable all signature options"
21 #endif
22 #endif
23
24 #ifdef __cplusplus
25 extern "C" {
26 #endif
27
28 /* Support functions for secure boot features.
29
30 Can be compiled as part of app or bootloader code.
31 */
32
33 #define ESP_SECURE_BOOT_DIGEST_LEN 32
34
35 #if CONFIG_IDF_TARGET_ESP32C2
36 #define ESP_SECURE_BOOT_KEY_DIGEST_LEN 16
37 #else
38 #define ESP_SECURE_BOOT_KEY_DIGEST_LEN 32
39 #endif
40
41 #ifdef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH
42 #include "esp_efuse.h"
43 #include "esp_efuse_table.h"
44 #endif
45
46 /** @brief Is secure boot currently enabled in hardware?
47 *
48 * This means that the ROM bootloader code will only boot
49 * a verified secure bootloader from now on.
50 *
51 * @return true if secure boot is enabled.
52 */
esp_secure_boot_enabled(void)53 static inline bool esp_secure_boot_enabled(void)
54 {
55 #if CONFIG_IDF_TARGET_ESP32
56 #ifdef CONFIG_SECURE_BOOT_V1_ENABLED
57 #ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH
58 return efuse_ll_get_secure_boot_v1_en();
59 #else
60 return esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0);
61 #endif
62 #elif CONFIG_SECURE_BOOT_V2_ENABLED
63 #ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH
64 return efuse_ll_get_secure_boot_v2_en();
65 #else
66 return esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1);
67 #endif
68 #endif
69 #else
70 #ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH
71 return efuse_ll_get_secure_boot_v2_en();
72 #else
73 return esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
74 #endif
75 #endif
76 return false; /* Secure Boot not enabled in menuconfig */
77 }
78
79 /** @brief Generate secure digest from bootloader image
80 *
81 * @important This function is intended to be called from bootloader code only.
82 *
83 * This function is only used in the context of the Secure Boot V1 scheme.
84 *
85 * If secure boot is not yet enabled for bootloader, this will:
86 * 1) generate the secure boot key and burn it on EFUSE
87 * (without enabling R/W protection)
88 * 2) generate the digest from bootloader and save it
89 * to flash address 0x0
90 *
91 * If first boot gets interrupted after calling this function
92 * but before esp_secure_boot_permanently_enable() is called, then
93 * the key burned on EFUSE will not be regenerated, unless manually
94 * done using espefuse.py tool
95 *
96 * @return ESP_OK if secure boot digest is generated
97 * successfully or found to be already present
98 */
99 esp_err_t esp_secure_boot_generate_digest(void);
100
101 /** @brief Enable secure boot V1 if it is not already enabled.
102 *
103 * @important If this function succeeds, secure boot V1 is permanently
104 * enabled on the chip via efuse.
105 *
106 * @important This function is intended to be called from bootloader code only.
107 *
108 * @important In case of Secure Boot V1, this will enable r/w protection
109 * of secure boot key on EFUSE, therefore it is to be ensured that
110 * esp_secure_boot_generate_digest() is called before this .If secure boot is not
111 * yet enabled for bootloader, this will
112 * 1) enable R/W protection of secure boot key on EFUSE
113 * 2) enable secure boot by blowing the EFUSE_RD_ABS_DONE_0 efuse.
114 *
115 * This function does not verify secure boot of the bootloader (the
116 * ROM bootloader does this.)
117 *
118 * Will fail if efuses have been part-burned in a way that indicates
119 * secure boot should not or could not be correctly enabled.
120 *
121 * @return ESP_ERR_INVALID_STATE if efuse state doesn't allow
122 * secure boot to be enabled cleanly. ESP_OK if secure boot
123 * is enabled on this chip from now on.
124 */
125 esp_err_t esp_secure_boot_permanently_enable(void);
126
127 /** @brief Enables secure boot V2 if it is not already enabled.
128 *
129 * @important If this function succeeds, secure boot V2 is permanently
130 * enabled on the chip via efuse.
131 *
132 * @important This function is intended to be called from bootloader code only.
133 *
134 * @important In case of Secure Boot V2, this will enable write protection
135 * of secure boot key on EFUSE in BLK2. .If secure boot is not
136 * yet enabled for bootloader, this will
137 * 1) enable W protection of secure boot key on EFUSE
138 * 2) enable secure boot by blowing the EFUSE_RD_ABS_DONE_1 efuse.
139 *
140 * This function does not verify secure boot of the bootloader (the
141 * ROM bootloader does this.)
142 *
143 * @param image_data Image metadata of the application to be loaded.
144 *
145 * Will fail if efuses have been part-burned in a way that indicates
146 * secure boot should not or could not be correctly enabled.
147 *
148 * @return ESP_ERR_INVALID_STATE if efuse state doesn't allow
149 * secure boot to be enabled cleanly. ESP_OK if secure boot
150 * is enabled on this chip from now on.
151 */
152 esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data);
153
154 /** @brief Verify the secure boot signature appended to some binary data in flash.
155 *
156 * For ECDSA Scheme (Secure Boot V1) - deterministic ECDSA w/ SHA256 image
157 * For RSA Scheme (Secure Boot V2) - RSA-PSS Verification of the SHA-256 image
158 *
159 * Public key is compiled into the calling program in the ECDSA Scheme.
160 * See the apt docs/security/secure-boot-v1.rst or docs/security/secure-boot-v2.rst for details.
161 *
162 * @param src_addr Starting offset of the data in flash.
163 * @param length Length of data in bytes. Signature is appended -after- length bytes.
164 *
165 * If flash encryption is enabled, the image will be transparently decrypted while being verified.
166 *
167 * @note This function doesn't have any fault injection resistance so should not be called
168 * during a secure boot itself (but can be called when verifying an update, etc.)
169 *
170 * @return ESP_OK if signature is valid, ESP_ERR_INVALID_STATE if
171 * signature fails, ESP_FAIL for other failures (ie can't read flash).
172 */
173 esp_err_t esp_secure_boot_verify_signature(uint32_t src_addr, uint32_t length);
174
175 /** @brief Secure boot verification block, on-flash data format. */
176 typedef struct {
177 uint32_t version;
178 uint8_t signature[64];
179 } esp_secure_boot_sig_block_t;
180
181 /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
182 *
183 * Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature
184 * verification must be enabled in project configuration to use this function.
185 *
186 * Similar to esp_secure_boot_verify_signature(), but can be used when the digest is precalculated.
187 * @param sig_block Pointer to ECDSA signature block data
188 * @param image_digest Pointer to 32 byte buffer holding SHA-256 hash.
189 * @param verified_digest Pointer to 32 byte buffer that will receive verified digest if verification completes. (Used during bootloader implementation only, result is invalid otherwise.)
190 *
191 */
192 esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest);
193
194 #if !CONFIG_IDF_TARGET_ESP32 || CONFIG_ESP32_REV_MIN_FULL >= 300
195 /**
196 * @brief Structure to hold public key digests calculated from the signature blocks of a single image.
197 *
198 * Each image can have one or more signature blocks (up to SECURE_BOOT_NUM_BLOCKS). Each signature block includes a public key.
199 */
200 typedef struct {
201 uint8_t key_digests[SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS][ESP_SECURE_BOOT_DIGEST_LEN]; /* SHA of the public key components in the signature block */
202 unsigned num_digests; /* Number of valid digests, starting at index 0 */
203 } esp_image_sig_public_key_digests_t;
204
205 #endif // !CONFIG_IDF_TARGET_ESP32 || CONFIG_ESP32_REV_MIN_FULL >= 300
206
207 /** @brief Legacy ECDSA verification function
208 *
209 * @note Deprecated, call either esp_secure_boot_verify_ecdsa_signature_block() or esp_secure_boot_verify_rsa_signature_block() instead.
210 *
211 * @param sig_block Pointer to ECDSA signature block data
212 * @param image_digest Pointer to 32 byte buffer holding SHA-256 hash.
213 */
214 esp_err_t esp_secure_boot_verify_signature_block(const esp_secure_boot_sig_block_t *sig_block, const uint8_t *image_digest)
215 __attribute__((deprecated("use esp_secure_boot_verify_ecdsa_signature_block instead")));
216
217
218 #define FLASH_OFFS_SECURE_BOOT_IV_DIGEST 0
219
220 /** @brief Secure boot IV+digest header */
221 typedef struct {
222 uint8_t iv[128];
223 uint8_t digest[64];
224 } esp_secure_boot_iv_digest_t;
225
226 /** @brief Check the secure boot V2 during startup
227 *
228 * @note This function is called automatically during app startup,
229 * it doesn't need to be called from the app.
230 *
231 * Verifies the secure boot config during startup:
232 *
233 * - Correct any insecure secure boot settings
234 */
235 void esp_secure_boot_init_checks(void);
236
237 #if !BOOTLOADER_BUILD && (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME)
238
239 /** @brief Scan the current running app for signature blocks
240 *
241 * @note This function doesn't verify that the signatures are valid or the
242 * corresponding public keys are trusted, it only reads the number of signature
243 * blocks present and optionally calculates the digests of the public keys
244 * provided in the signature blocks.
245 *
246 * @param digest_public_keys If true, the key_digests fields in the
247 * public_key_digests structure will be filled with the digests of the public
248 * key provided in each signature block. Note that if Secure Boot V2 is enabled,
249 * each public key will only be trusted if the same digest is also present in
250 * eFuse (but this is not checked by this function).
251 *
252 * @param public_key_digests[out] Structure is initialized with the num_digests
253 * field set to the number of signatures found. If digest_public_keys is set,
254 * the public key digests are also calculated and stored here.
255 *
256 * @return
257 * - ESP_OK - At least one signature was found
258 * - ESP_ERR_NOT_FOUND - No signatures were found, num_digests value will be zero
259 * - ESP_FAIL - An error occured trying to read the signature blocks from flash
260 */
261 esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_public_keys, esp_image_sig_public_key_digests_t *public_key_digests);
262
263 #endif // !BOOTLOADER_BUILD && (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME)
264
265 /** @brief Set all secure eFuse features related to secure_boot
266 *
267 * @return
268 * - ESP_OK - Successfully
269 */
270 esp_err_t esp_secure_boot_enable_secure_features(void);
271
272 /** @brief Returns the verification status for all physical security features of secure boot in release mode
273 *
274 * If the device has secure boot feature configured in the release mode,
275 * then it is highly recommended to call this API in the application startup code.
276 * This API verifies the sanity of the eFuse configuration against
277 * the release (production) mode of the secure boot feature.
278 *
279 * @return
280 * - True - all eFuses are configured correctly
281 * - False - not all eFuses are configured correctly.
282 */
283 bool esp_secure_boot_cfg_verify_release_mode(void);
284
285 #ifdef __cplusplus
286 }
287 #endif
288
