blackbeard420/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf synced 2025-03-10 17:49:10 -04:00
Code Issues Projects Releases Wiki Activity

Merge branch 'feat/flash_enc_encrypt_app_image_of_size_image_length_v5.2' into 'release/v5.2'

Browse Source 
feat(bootloader_support): Encrypt only the app image instead of the whole partition (v5.2)

See merge request espressif/esp-idf!28265
This commit is contained in:
Mahavir Jain 2024-02-16 13:49:01 +08:00
commit 4beadd4c57
3 changed files with 32 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
components/bootloader/Kconfig.projbuild
View File

@ -1071,6 +1071,22 @@ menu "Security features"
DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL. DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
endmenu # Potentially Insecure endmenu # Potentially Insecure
config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
bool "Encrypt only the app image that is present in the partition of type app"
depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
default n
help
If set, optimise encryption time for the partition of type APP,
by only encrypting the app image that is present in the partition,
instead of the whole partition.
The image length used for encryption is derived from the image metadata, which
includes the size of the app image, checksum, hash and also the signature sector
when secure boot is enabled.
If not set (default), the whole partition of type APP would be encrypted,
which increases the encryption time but might be useful if there
is any custom data appended to the firmware image.
config SECURE_FLASH_CHECK_ENC_EN_IN_APP config SECURE_FLASH_CHECK_ENC_EN_IN_APP
bool "Check Flash Encryption enabled on app startup" bool "Check Flash Encryption enabled on app startup"
depends on SECURE_FLASH_ENC_ENABLED depends on SECURE_FLASH_ENC_ENABLED

6
components/bootloader_support/src/esp_image_format.c
View File

@ -932,9 +932,13 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
return ESP_ERR_IMAGE_INVALID; return ESP_ERR_IMAGE_INVALID;
} }
#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
// Adjust image length result to include the appended signature // Adjust image length result to include the appended signature
#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
data->image_len = end - data->start_addr + sizeof(ets_secure_boot_signature_t); data->image_len = end - data->start_addr + sizeof(ets_secure_boot_signature_t);
#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
if (data->start_addr != ESP_BOOTLOADER_OFFSET) {
data->image_len = end - data->start_addr + sizeof(esp_secure_boot_sig_block_t);
}
#endif #endif
#endif // SECURE_BOOT_CHECK_SIGNATURE #endif // SECURE_BOOT_CHECK_SIGNATURE

15
components/bootloader_support/src/flash_encryption/flash_encrypt.c
View File

@ -393,14 +393,21 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
{ {
esp_err_t err; esp_err_t err;
bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED); bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
uint32_t size = partition->pos.size;
if (partition->type == PART_TYPE_APP) { if (partition->type == PART_TYPE_APP) {
/* check if the partition holds a valid unencrypted app */ /* check if the partition holds a valid unencrypted app */
esp_image_metadata_t data_ignored; esp_image_metadata_t image_data = {};
err = esp_image_verify(ESP_IMAGE_VERIFY, err = esp_image_verify(ESP_IMAGE_VERIFY,
&partition->pos, &partition->pos,
&data_ignored); &image_data);
should_encrypt = (err == ESP_OK); should_encrypt = (err == ESP_OK);
#ifdef SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
if (should_encrypt) {
// Encrypt only the app image instead of encrypting the whole partition
size = image_data.image_len;
}
#endif
} else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA) } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
|| (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) { || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
/* check if we have ota data partition and the partition should be encrypted unconditionally */ /* check if we have ota data partition and the partition should be encrypted unconditionally */
@ -411,9 +418,9 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
return ESP_OK; return ESP_OK;
} else { } else {
/* should_encrypt */ /* should_encrypt */
ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, partition->pos.size); ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, size);
err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size); err = esp_flash_encrypt_region(partition->pos.offset, size);
ESP_LOGI(TAG, "Done encrypting"); ESP_LOGI(TAG, "Done encrypting");
if (err != ESP_OK) { if (err != ESP_OK) {
ESP_LOGE(TAG, "Failed to encrypt partition %d", index); ESP_LOGE(TAG, "Failed to encrypt partition %d", index);