From 4504fa267bc4b5a2fe79f79182abfbfc956387a4 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Fri, 12 Dec 2025 12:27:18 +0530 Subject: [PATCH] fix(secure_boot): Application's Secure Boot verify API support ECDSA-P384 --- .../secure_boot_v2/secure_boot_ecdsa_signature.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c index f737b1658c..2eeff0da55 100644 --- a/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c +++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -13,12 +13,17 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/ecp.h" #include "rom/ecdsa.h" +#include "sdkconfig.h" #include "secure_boot_signature_priv.h" ESP_LOG_ATTR_TAG(TAG, "secure_boot_v2_ecdsa"); +#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS +#define ECDSA_INTEGER_LEN 48 +#else #define ECDSA_INTEGER_LEN 32 +#endif /* CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS */ esp_err_t verify_ecdsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, const ets_secure_boot_sig_block_t *trusted_block) { @@ -48,6 +53,12 @@ esp_err_t verify_ecdsa_signature_block(const ets_secure_boot_signature_t *sig_bl key_size = 32; mbedtls_ecp_group_load(&ecdsa_context.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_SECP256R1); break; +#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS + case ECDSA_CURVE_P384: + key_size = 48; + mbedtls_ecp_group_load(&ecdsa_context.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_SECP384R1); + break; +#endif /* CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS */ default: ESP_LOGE(TAG, "Invalid curve ID"); return ESP_ERR_INVALID_ARG;