1 /*
2  * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 #pragma once
7 
8 #include "sdkconfig.h"
9 #include <esp_err.h>
10 #include <stdint.h>
11 
12 #if CONFIG_IDF_TARGET_ESP32
13 #include "esp32/rom/secure_boot.h"
14 #elif CONFIG_IDF_TARGET_ESP32S2
15 #include "esp32s2/rom/secure_boot.h"
16 #elif CONFIG_IDF_TARGET_ESP32C3
17 #include "esp32c3/rom/secure_boot.h"
18 #elif CONFIG_IDF_TARGET_ESP32S3
19 #include "esp32s3/rom/secure_boot.h"
20 #elif CONFIG_IDF_TARGET_ESP32C2
21 #include "esp32c2/rom/secure_boot.h"
22 #elif CONFIG_IDF_TARGET_ESP32C6
23 #include "esp32c6/rom/secure_boot.h"
24 #elif CONFIG_IDF_TARGET_ESP32H2
25 #include "esp32h2/rom/secure_boot.h"
26 #endif
27 
28 #if !CONFIG_IDF_TARGET_ESP32 || CONFIG_ESP32_REV_MIN_FULL >= 300
29 
30 #if CONFIG_SECURE_BOOT_V2_ENABLED || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
31 
32 /** @brief Verify the secure boot signature block for Secure Boot V2.
33  *
34  *  Performs RSA-PSS or ECDSA verification of the SHA-256 image based on the public key
35  *  in the signature block, compared against the public key digest stored in efuse.
36  *
37  * Similar to esp_secure_boot_verify_signature(), but can be used when the digest is precalculated.
38  * @param sig_block Pointer to signature block data
39  * @param image_digest Pointer to 32 byte buffer holding SHA-256 hash.
40  * @param verified_digest Pointer to 32 byte buffer that will receive verified digest if verification completes. (Used during bootloader implementation only, result is invalid otherwise.)
41  *
42  */
43 esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest);
44 
45 /** @brief Legacy function to verify RSA secure boot signature block for Secure Boot V2.
46  *
47  * @note This is kept for backward compatibility. It internally calls esp_secure_boot_verify_sbv2_signature_block.
48  *
49  * @param sig_block Pointer to RSA signature block data
50  * @param image_digest Pointer to 32 byte buffer holding SHA-256 hash.
51  * @param verified_digest Pointer to 32 byte buffer that will receive verified digest if verification completes. (Used during bootloader implementation only, result is invalid otherwise.)
52  *
53  */
54 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest);
55 
56 #endif /* CONFIG_SECURE_BOOT_V2_ENABLED || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT */
57 
58 #endif
59