1 // Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #include "sdkconfig.h" 16 17 #ifndef _ROM_SECURE_BOOT_H_ 18 #define _ROM_SECURE_BOOT_H_ 19 20 #include <stdint.h> 21 #include "ets_sys.h" 22 23 #ifdef __cplusplus 24 extern "C" { 25 #endif 26 27 void ets_secure_boot_start(void); 28 29 void ets_secure_boot_finish(void); 30 31 void ets_secure_boot_hash(const uint32_t *buf); 32 33 void ets_secure_boot_obtain(void); 34 35 int ets_secure_boot_check(uint32_t *buf); 36 37 void ets_secure_boot_rd_iv(uint32_t *buf); 38 39 void ets_secure_boot_rd_abstract(uint32_t *buf); 40 41 bool ets_secure_boot_check_start(uint8_t abs_index, uint32_t iv_addr); 42 43 int ets_secure_boot_check_finish(uint32_t *abstract); 44 45 #ifdef CONFIG_ESP32_REV_MIN_3 46 #include "rsa_pss.h" 47 48 #define SECURE_BOOT_NUM_BLOCKS 1 49 50 #define CRC_SIGN_BLOCK_LEN 1196 51 #define SIG_BLOCK_PADDING 4096 52 #define ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC 0xE7 53 54 // Anti-FI measure: use full words for success/fail internally, instead of 0/non-zero 55 typedef enum { 56 SBV2_SUCCESS = 0x3A5A5AA5, 57 SB_SUCCESS = 0x3A5A5AA5, 58 SBV2_FAILED = 0xA533885A, 59 SB_FAILED = 0xA533885A, 60 } secure_boot_v2_status_t; 61 62 /* Secure Boot Version 2 signature format for ESP32 ECO3 */ 63 typedef struct { 64 uint8_t magic_byte; 65 uint8_t version; 66 uint8_t _reserved1; 67 uint8_t _reserved2; 68 uint8_t image_digest[32]; 69 ets_rsa_pubkey_t key; 70 uint8_t signature[384]; 71 uint32_t block_crc; 72 uint8_t _padding[16]; 73 } ets_secure_boot_sig_block_t; 74 _Static_assert(sizeof(ets_secure_boot_sig_block_t) == 1216, "invalid sig block size"); 75 76 /* ROM supports up to 3, but IDF only checks the first one (SECURE_BOOT_NUM_BLOCKS) */ 77 #define SECURE_BOOT_MAX_APPENDED_SIGN_BLOCKS_TO_IMAGE 3 78 79 /* Multiple key block support */ 80 typedef struct { 81 ets_secure_boot_sig_block_t block[SECURE_BOOT_MAX_APPENDED_SIGN_BLOCKS_TO_IMAGE]; 82 uint8_t _padding[4096 - (sizeof(ets_secure_boot_sig_block_t) * SECURE_BOOT_MAX_APPENDED_SIGN_BLOCKS_TO_IMAGE)]; 83 } ets_secure_boot_signature_t; 84 85 _Static_assert(sizeof(ets_secure_boot_signature_t) == 4096, "invalid sig sector size"); 86 87 typedef struct { 88 const void *key_digests[SECURE_BOOT_NUM_BLOCKS]; 89 } ets_secure_boot_key_digests_t; 90 91 /** @brief Verifies the signature block appended to a firmware image. Implemented in the ROM. 92 * 93 * This function is used to verify the bootloader before burning its public key hash into Efuse. 94 * Also, it is used to verify the app on loading the image on boot and on OTA. 95 * 96 * @param sig The signature block flashed aligned 4096 bytes from the firmware. (ROM implementation expects 3 blocks, sig->block[3]). 97 * @param image_digest The SHA-256 Digest of the firmware to be verified 98 * @param trusted_key_digest The SHA-256 Digest of the public key (ets_rsa_pubkey_t) of a single signature block. 99 * @param verified_digest RSA-PSS signature of image_digest. Pass an uninitialised array. 100 * 101 * @return SBV2_SUCCESS if signature is valid 102 * SBV2_FAILED for failures. 103 */ 104 secure_boot_v2_status_t ets_secure_boot_verify_signature(const ets_secure_boot_signature_t *sig, const uint8_t *image_digest, const uint8_t *trusted_key_digest, uint8_t *verified_digest); 105 106 /** @brief This function verifies the 1st stage bootloader. Implemented in the ROM. 107 * Reboots post verification. It reads the Efuse key for verification of the public key. 108 * 109 * This function is not used in the current workflow. 110 * 111 */ 112 void ets_secure_boot_verify_boot_bootloader(void); 113 114 /** @brief Confirms if the secure boot V2 has been enabled. Implemented in the ROM. 115 * 116 * In ESP32-ECO3 - It checks the value of ABS_DONE_1 in EFuse. 117 * 118 * @return true if is Secure boot v2 has been enabled 119 * False if Secure boot v2 has not been enabled. 120 */ 121 bool ets_use_secure_boot_v2(void); 122 123 #else 124 #define SECURE_BOOT_NUM_BLOCKS 0 125 126 #endif /* CONFIG_ESP32_REV_MIN_3 */ 127 128 #ifdef __cplusplus 129 } 130 #endif 131 132 #endif /* _ROM_SECURE_BOOT_H_ */ 133