feat(bootloader_support): enabled RSA based secure boot scheme for ESP32C5 ECO1

This commit enabled RSA based secure boot scheme for ESP32C5 ECO1 module. This update also adds a check to ensure the selected secure boot scheme is valid for ECO0 modules.
2025-03-09 09:09:10 -04:00 · 2024-11-21 17:04:12 +05:30 · 2024-11-21 17:04:12 +05:30 · 1e11340061
commit 1e11340061
parent bcd80c92f3
7 changed files with 21 additions and 2 deletions
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -534,6 +534,7 @@ menu "Security features"
        config SECURE_SIGNED_APPS_RSA_SCHEME
            bool "RSA"
            depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED)
+            depends on !(IDF_TARGET_ESP32C5 && ESP32C5_REV_MIN_FULL < 1)
            help
                Appends the RSA-3072 based Signature block to the application.
                Refer to <Secure Boot Version 2 documentation link> before enabling.
--- a/components/bootloader_support/private_include/bootloader_init.h
+++ b/components/bootloader_support/private_include/bootloader_init.h
@ -51,6 +51,7 @@ void bootloader_print_banner(void);

 *  @return ESP_OK   - If the setting is successful.
 *          ESP_FAIL - If the setting is not successful.
+ *          ESP_ERR_NOT_SUPPORTED - If selected secure boot scheme is not supported.
 */
 esp_err_t bootloader_init(void);

--- a/components/bootloader_support/src/esp32c5/bootloader_esp32c5.c
+++ b/components/bootloader_support/src/esp32c5/bootloader_esp32c5.c
@ -103,6 +103,15 @@ static inline void bootloader_ana_reset_config(void)

 esp_err_t bootloader_init(void)
 {
+#if CONFIG_SECURE_BOOT
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+    if (efuse_hal_chip_revision() == 0) {
+        ESP_LOGE(TAG, "Chip version 0.0 is not supported with RSA secure boot scheme. Please select the ECDSA scheme.");
+        return ESP_ERR_NOT_SUPPORTED;
+    }
+#endif /* CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME */
+#endif /* CONFIG_SECURE_BOOT */
+
    esp_err_t ret = ESP_OK;

    bootloader_hardware_init();
--- a/components/esp_hw_support/port/esp32c5/Kconfig.hw_support
+++ b/components/esp_hw_support/port/esp32c5/Kconfig.hw_support
@ -10,12 +10,15 @@ choice ESP32C5_REV_MIN
        this will also help to reduce binary size.

    config ESP32C5_REV_MIN_0
-        bool "Rev v0.0"
+        bool "Rev v0.0 (ECO0)"
+    config ESP32C5_REV_MIN_1
+        bool "Rev v0.1 (ECO1)"
 endchoice

 config ESP32C5_REV_MIN_FULL
    int
    default 0 if ESP32C5_REV_MIN_0
+    default 1 if ESP32C5_REV_MIN_1

 config ESP_REV_MIN_FULL
    int
--- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
@ -1219,6 +1219,10 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
    bool
    default y

+config SOC_SECURE_BOOT_V2_RSA
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_ECC
    bool
    default y
--- a/components/soc/esp32c5/include/soc/soc_caps.h
+++ b/components/soc/esp32c5/include/soc/soc_caps.h
@ -511,6 +511,7 @@
 #define SOC_KEY_MANAGER_FE_KEY_DEPLOY       1 /*!< Key manager responsible to deploy Flash Encryption key */

 /*-------------------------- Secure Boot CAPS----------------------------*/
+#define SOC_SECURE_BOOT_V2_RSA              1
 #define SOC_SECURE_BOOT_V2_ECC              1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
 #define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS   1
--- a/docs/en/security/secure-boot-v2.rst
+++ b/docs/en/security/secure-boot-v2.rst
@ -9,7 +9,7 @@ Secure Boot v2

 {IDF_TARGET_SBV2_KEY:default="RSA-3072", esp32c2="ECDSA-256 or ECDSA-192", esp32c6="RSA-3072, ECDSA-256, or ECDSA-192", esp32h2="RSA-3072, ECDSA-256, or ECDSA-192", esp32p4="RSA-3072, ECDSA-256, or ECDSA-192", esp32c5="RSA-3072, ECDSA-256, or ECDSA-192", esp32c61="ECDSA-256 or ECDSA-192"}

-{IDF_TARGET_SECURE_BOOT_OPTION_TEXT:default="", esp32c6="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32h2="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32p4="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu."}
+{IDF_TARGET_SECURE_BOOT_OPTION_TEXT:default="", esp32c6="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32h2="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32p4="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu.", esp32c5="RSA is recommended because of faster verification time. You can choose between RSA and ECDSA scheme from the menu."}

 {IDF_TARGET_ECO_VERSION:default="", esp32="(v3.0 onwards)", esp32c3="(v0.3 onwards)"}