build: make 2nd stage bootloader and app update/ota verify 2 signatur…

…es are valid for esp32s3
Blockstream · Sep 30, 2024 · 1b841ac · 1b841ac
1 parent 7f9a323
commit 1b841ac
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 9 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,4 +1,5 @@
 cmake_minimum_required(VERSION 3.16)
+set(EXTRA_COMPONENT_DIRS bootloader_components/bootloader_support)
 
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 idf_build_set_property(DEPENDENCIES_LOCK dependencies.lock.${IDF_TARGET})

diff --git a/bootloader_components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c b/bootloader_components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
@@ -218,6 +218,26 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
     const unsigned secure_boot_num_blocks = 1;
 #else
     const unsigned secure_boot_num_blocks = SECURE_BOOT_NUM_BLOCKS;
+#endif
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+_Static_assert(SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 3 && SECURE_BOOT_NUM_BLOCKS == 3,
+               "We rely on 3 keys in the trusted digests");
+    size_t validated_keys = 0;
+
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+    if (memcmp(&sig_block->block[0].key, &sig_block->block[1].key, sizeof(sig_block->block[0].key)) == 0 ||
+        memcmp(&sig_block->block[1].key, &sig_block->block[2].key, sizeof(sig_block->block[0].key)) == 0 ||
+        memcmp(&sig_block->block[2].key, &sig_block->block[0].key, sizeof(sig_block->block[0].key)) == 0) {
+        return ESP_ERR_IMAGE_INVALID;
+    }
+#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+    if (memcmp(&sig_block->block[0].ecdsa.key, &sig_block->block[1].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+        memcmp(&sig_block->block[1].ecdsa.key, &sig_block->block[2].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+        memcmp(&sig_block->block[2].ecdsa.key, &sig_block->block[0].ecdsa.key, sizeof(sig_block->block[0].ecsda.key)) == 0) {
+        return ESP_ERR_IMAGE_INVALID;
+    }
+#endif
+
 #endif
 
     for (unsigned app_blk_idx = 0; app_blk_idx < secure_boot_num_blocks; app_blk_idx++) {
@@ -262,10 +282,21 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
         ret = verify_ecdsa_signature_block(sig_block, image_digest, trusted_block);
 #endif
         if (ret == 0) {
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+            validated_keys++;
+            if (validated_keys >= CONFIG_JADE_MINIMUM_SIGNATURES) {
+                break;
+            }
+#else
             break;
+#endif
         }
     }
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+    return (validated_keys < CONFIG_JADE_MINIMUM_SIGNATURES || any_trusted_key == false) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
+#else
     return (ret != 0 || any_trusted_key == false) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
+#endif
 }
 
 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME

diff --git a/...ader_components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c b/...ader_components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
@@ -137,6 +137,23 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
         }
         ESP_FAULT_ASSERT(!esp_secure_boot_enabled());
     }
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+_Static_assert(SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 3 && SECURE_BOOT_NUM_BLOCKS == 3,
+               "We rely on 3 keys in the trusted digests");
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+    if (memcmp(&sig_block->block[0].key, &sig_block->block[1].key, sizeof(sig_block->block[0].key)) == 0 ||
+        memcmp(&sig_block->block[1].key, &sig_block->block[2].key, sizeof(sig_block->block[0].key)) == 0 ||
+        memcmp(&sig_block->block[2].key, &sig_block->block[0].key, sizeof(sig_block->block[0].key)) == 0) {
+        return ESP_ERR_IMAGE_INVALID;
+    }
+#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+    if (memcmp(&sig_block->block[0].ecdsa.key, &sig_block->block[1].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+        memcmp(&sig_block->block[1].ecdsa.key, &sig_block->block[2].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+        memcmp(&sig_block->block[2].ecdsa.key, &sig_block->block[0].ecdsa.key, sizeof(sig_block->block[0].ecsda.key)) == 0) {
+        return ESP_ERR_IMAGE_INVALID;
+    }
+#endif
+#endif
 
 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
     ESP_LOGI(TAG, "Verifying with RSA-PSS...");
@@ -156,7 +173,26 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
     // Do NOT allow key revocation while verifying application
     trusted_key_digests.allow_key_revoke = false;
 
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+    size_t validated_keys = 0;
+    int sb_result = SB_FAILED;
+
+    ets_secure_boot_sig_block_t sig_block_copy[SECURE_BOOT_NUM_BLOCKS] = {0};
+    for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
+        memcpy(&sig_block_copy[0], &sig_block->block[i], sizeof(ets_secure_boot_sig_block_t));
+        int sb_sub_result = ets_secure_boot_verify_signature((ets_secure_boot_signature_t*)&sig_block_copy[0], image_digest, &trusted_key_digests, verified_digest);
+        if (sb_sub_result == SB_SUCCESS) {
+            validated_keys++;
+            if (validated_keys >= CONFIG_JADE_MINIMUM_SIGNATURES) {
+                sb_result = sb_sub_result;
+                break;
+            }
+        }
+    }
+#else
     int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_key_digests, verified_digest);
+#endif
+
 #endif // CONFIG_IDF_TARGET_ESP32
 
     if (sb_result != SB_SUCCESS) {

diff --git a/bootloader_components/main/Kconfig b/bootloader_components/main/Kconfig
@@ -1,8 +1,9 @@
-menu "Bootloader welcome message"
-
-    config EXAMPLE_BOOTLOADER_WELCOME_MESSAGE
-        string "Bootloader welcome message"
-        default "Custom bootloader message defined in the KConfig file."
+menu "2nd stage bootloader/ota minimum signatures"
+    config JADE_MINIMUM_SIGNATURES
+        int "bootloader 2nd stage and ota verifies minimum signatures"
+        range 1 3
+        default 2 if BOARD_TYPE_JADE_V2
+        default 1
         help
-            Message to print by the custom bootloader when booting up.
+            Number of signatures required for app-images from 2nd stage and ota
 endmenu
diff --git a/bootloader_components/main/bootloader_start.c b/bootloader_components/main/bootloader_start.c
@@ -41,9 +41,6 @@ void __attribute__((noreturn)) call_start_cpu0(void)
         bootloader_reset();
     }
 
-    // 2.1 Print a custom message!
-    esp_rom_printf("[%s] %s\n", TAG, CONFIG_EXAMPLE_BOOTLOADER_WELCOME_MESSAGE);
-
     // 3. Load the app image for booting
     bootloader_utility_load_boot_image(&bs, boot_index);
 }