Merge branch 'feature/add_data_partition_secure_boot_verification' into 'master'

feat(secure_boot): adds api to verify data partition integrity

Closes IDFGH-16339

See merge request espressif/esp-idf!41721

docs/en/api-reference/system/ota.rst

@@ -229,6 +229,23 @@ The verification of signed OTA updates can be performed even without enabling ha
 
   For more information, please refer to :ref:`signed-app-verify`.
 
+.. _secure-signed-data-partition:
+
+Signed Data Partition Updates
+------------------------------
+
+Data partition images can be verified using the same Secure Boot v2 signature mechanism as application images. Enable :ref:`CONFIG_SECURE_SIGNED_DATA_PARTITION` to verify data partitions with subtype ``ESP_PARTITION_SUBTYPE_DATA_UNDEFINED`` during OTA updates.
+
+Sign data partition images using:
+
+.. code-block:: bash
+
+    idf.py secure-sign-data --keyfile PRIVATE_SIGNING_KEY --output signed_data.bin data.bin
+
+The signing key must match the one used for application signing, with its public key digest programmed into eFuse. The signed image format is: data content (padded to 4 KB) + 4 KB signature block (see :ref:`signature-block-format` in :doc:`/security/secure-boot-v2`).
+
+For a complete example, see :example:`system/ota/partitions_ota`.
+
 Tuning OTA Performance
 ----------------------
 

docs/en/security/secure-boot-v2.rst

@@ -408,6 +408,16 @@ An image is verified if the public key stored in any signature block is valid fo
     3. Use the public key to verify the signature of the bootloader image, using either RSA-PSS (section 8.1.2 of RFC8017) or ECDSA signature verification (section 5.3.3 of RFC6090) with the image digest calculated in step (2) for comparison.
 
 
+Verifying Data Partitions
+--------------------------
+
+The Secure Boot v2 signature verification can also verify data partition images during OTA updates. Enable :ref:`CONFIG_SECURE_SIGNED_DATA_PARTITION` to verify data partitions with subtype ``ESP_PARTITION_SUBTYPE_DATA_UNDEFINED``.
+
+Data partition images must be signed using ``idf.py secure-sign-data`` with the same signing key and follow the same format as application images. The verification uses the public key digest(s) stored in eFuse and follows the process described in :ref:`verify_image`.
+
+For detailed information including OTA procedures and partition configuration, see :ref:`secure-signed-data-partition`.
+
+
 Bootloader Size
 ---------------
 

docs/zh_CN/api-reference/system/ota.rst

@@ -229,6 +229,23 @@ Kconfig 中的 :ref:`CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE` 可以帮助用户
 
   具体可参考 :ref:`signed-app-verify`。
 
+.. _secure-signed-data-partition:
+
+签名数据分区的更新
+------------------
+
+数据分区镜像可以使用与应用镜像相同的 Secure Boot v2 签名机制进行验证。启用 :ref:`CONFIG_SECURE_SIGNED_DATA_PARTITION`，以便在 OTA 更新期间验证子类型为 ``ESP_PARTITION_SUBTYPE_DATA_UNDEFINED`` 的数据分区。
+
+使用以下命令对数据分区镜像进行签名：
+
+.. code-block:: bash
+
+    idf.py secure-sign-data --keyfile PRIVATE_SIGNING_KEY --output signed_data.bin data.bin
+
+签名密钥必须与用于应用签名的密钥一致，并将其公钥摘要写入 eFuse。签名镜像格式为：数据内容（填充到 4 KB）+ 4 KB 签名块（参见 :doc:`/security/secure-boot-v2` 中的 :ref:`signature-block-format`）。
+
+如需完整示例，请参见 :example:`system/ota/partitions_ota`。
+
 OTA 性能调优
 ------------
 

docs/zh_CN/security/secure-boot-v2.rst

@@ -408,6 +408,16 @@
     3. 使用公钥，采用 RSA-PSS（RFC8017 的第 8.1.2 节）算法或 ECDSA（RFC6090 的第 5.3.3 节）算法，验证引导加载程序镜像的签名，并与步骤 (2) 中计算的镜像摘要比较。
 
 
+验证数据分区
+------------
+
+Secure Boot v2 签名验证也可以在 OTA 更新期间验证数据分区镜像。启用 :ref:`CONFIG_SECURE_SIGNED_DATA_PARTITION` 以验证子类型为 ``ESP_PARTITION_SUBTYPE_DATA_UNDEFINED`` 的数据分区。
+
+数据分区镜像必须使用相同的签名密钥，通过 ``idf.py secure-sign-data`` 进行签名，并采用与应用镜像相同的格式。验证使用存储在 eFuse 中的一个或多个公钥摘要，并遵循 :ref:`verify_image` 中所述的流程。
+
+关于包括 OTA 流程和分区配置在内的详细信息，请参见 :ref:`secure-signed-data-partition`。
+
+
 引导加载程序的大小
 ------------------