build: make 2nd stage bootloader and app update/ota verify 2 signatur…

…es are valid for esp32s3

CMakeLists.txt

@@ -1,4 +1,5 @@
 cmake_minimum_required(VERSION 3.16)
+set(EXTRA_COMPONENT_DIRS bootloader_components/bootloader_support)
 
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 idf_build_set_property(DEPENDENCIES_LOCK dependencies.lock.${IDF_TARGET})

bootloader_components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c

@@ -218,6 +218,26 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
  const unsigned secure_boot_num_blocks = 1;
 #else
  const unsigned secure_boot_num_blocks = SECURE_BOOT_NUM_BLOCKS;
+#endif
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+_Static_assert(SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 3 && SECURE_BOOT_NUM_BLOCKS == 3,
+ "We rely on 3 keys in the trusted digests");
+ size_t validated_keys = 0;
+
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+ if (memcmp(&sig_block->block[0].key, &sig_block->block[1].key, sizeof(sig_block->block[0].key)) == 0 ||
+ memcmp(&sig_block->block[1].key, &sig_block->block[2].key, sizeof(sig_block->block[0].key)) == 0 ||
+ memcmp(&sig_block->block[2].key, &sig_block->block[0].key, sizeof(sig_block->block[0].key)) == 0) {
+ return ESP_ERR_IMAGE_INVALID;
+ }
+#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+ if (memcmp(&sig_block->block[0].ecdsa.key, &sig_block->block[1].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+ memcmp(&sig_block->block[1].ecdsa.key, &sig_block->block[2].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+ memcmp(&sig_block->block[2].ecdsa.key, &sig_block->block[0].ecdsa.key, sizeof(sig_block->block[0].ecsda.key)) == 0) {
+ return ESP_ERR_IMAGE_INVALID;
+ }
+#endif
+
 #endif
 
  for (unsigned app_blk_idx = 0; app_blk_idx < secure_boot_num_blocks; app_blk_idx++) {
@@ -262,10 +282,21 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
  ret = verify_ecdsa_signature_block(sig_block, image_digest, trusted_block);
 #endif
  if (ret == 0) {
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+ validated_keys++;
+ if (validated_keys >= CONFIG_JADE_MINIMUM_SIGNATURES) {
+ break;
+ }
+#else
  break;
+#endif
  }
  }
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+ return (validated_keys < CONFIG_JADE_MINIMUM_SIGNATURES || any_trusted_key == false) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
+#else
  return (ret != 0 || any_trusted_key == false) ? ESP_ERR_IMAGE_INVALID: ESP_OK;
+#endif
 }
 
 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME

bootloader_components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c

@@ -137,6 +137,23 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
  }
  ESP_FAULT_ASSERT(!esp_secure_boot_enabled());
  }
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+_Static_assert(SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 3 && SECURE_BOOT_NUM_BLOCKS == 3,
+ "We rely on 3 keys in the trusted digests");
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+ if (memcmp(&sig_block->block[0].key, &sig_block->block[1].key, sizeof(sig_block->block[0].key)) == 0 ||
+ memcmp(&sig_block->block[1].key, &sig_block->block[2].key, sizeof(sig_block->block[0].key)) == 0 ||
+ memcmp(&sig_block->block[2].key, &sig_block->block[0].key, sizeof(sig_block->block[0].key)) == 0) {
+ return ESP_ERR_IMAGE_INVALID;
+ }
+#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+ if (memcmp(&sig_block->block[0].ecdsa.key, &sig_block->block[1].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+ memcmp(&sig_block->block[1].ecdsa.key, &sig_block->block[2].ecdsa.key, sizeof(sig_block->block[0].ecdsa.key)) == 0 ||
+ memcmp(&sig_block->block[2].ecdsa.key, &sig_block->block[0].ecdsa.key, sizeof(sig_block->block[0].ecsda.key)) == 0) {
+ return ESP_ERR_IMAGE_INVALID;
+ }
+#endif
+#endif
 
 #if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
  ESP_LOGI(TAG, "Verifying with RSA-PSS...");
@@ -156,7 +173,26 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
  // Do NOT allow key revocation while verifying application
  trusted_key_digests.allow_key_revoke = false;
 
+#if CONFIG_JADE_MINIMUM_SIGNATURES > 1
+ size_t validated_keys = 0;
+ int sb_result = SB_FAILED;
+
+ ets_secure_boot_sig_block_t sig_block_copy[SECURE_BOOT_NUM_BLOCKS] = {0};
+ for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
+ memcpy(&sig_block_copy[0], &sig_block->block[i], sizeof(ets_secure_boot_sig_block_t));
+ int sb_sub_result = ets_secure_boot_verify_signature((ets_secure_boot_signature_t*)&sig_block_copy[0], image_digest, &trusted_key_digests, verified_digest);
+ if (sb_sub_result == SB_SUCCESS) {
+ validated_keys++;
+ if (validated_keys >= CONFIG_JADE_MINIMUM_SIGNATURES) {
+ sb_result = sb_sub_result;
+ break;
+ }
+ }
+ }
+#else
  int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_key_digests, verified_digest);
+#endif
+
 #endif // CONFIG_IDF_TARGET_ESP32
 
  if (sb_result != SB_SUCCESS) {

bootloader_components/main/Kconfig

@@ -1,8 +1,9 @@
-menu "Bootloader welcome message"
-
- config EXAMPLE_BOOTLOADER_WELCOME_MESSAGE
- string "Bootloader welcome message"
- default "Custom bootloader message defined in the KConfig file."
+menu "2nd stage bootloader/ota minimum signatures"
+ config JADE_MINIMUM_SIGNATURES
+ int "bootloader 2nd stage and ota verifies minimum signatures"
+ range 1 3
+ default 2 if BOARD_TYPE_JADE_V2
+ default 1
  help
- Message to print by the custom bootloader when booting up.
+ Number of signatures required for app-images from 2nd stage and ota
 endmenu

bootloader_components/main/bootloader_start.c

@@ -41,9 +41,6 @@ void __attribute__((noreturn)) call_start_cpu0(void)
  bootloader_reset();
  }
 
- // 2.1 Print a custom message!
- esp_rom_printf("[%s] %s\n", TAG, CONFIG_EXAMPLE_BOOTLOADER_WELCOME_MESSAGE);
-
  // 3. Load the app image for booting
  bootloader_utility_load_boot_image(&bs, boot_index);
 }