diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 917f04cc8c..f3d1b3faec 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -707,7 +707,8 @@ menu "Security features"
 Path to the key file used to sign app images.
 Key file is an ECDSA private key (NIST256p curve) in PEM format for Secure Boot V1.
- Key file is an RSA private key in PEM format for Secure Boot V2.
+ Key file is an RSA private key in PEM format for Secure Boot V2 (RSA scheme).
+ Key file is an ECDSA private key (NIST 192p, 256p or 384p) in PEM format for Secure Boot V2 (ECDSA scheme).
 Path is evaluated relative to the project directory.
diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index 8e43bb6f79..4da6c38c68 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -70,6 +70,17 @@ typedef enum {
 #define ESP_SECURE_BOOT_SCHEME ESP_SECURE_BOOT_V2_ECDSA
 #endif
+/* Expected ECDSA curve ID from menuconfig "ECDSA key size" (matches ECDSA_CURVE_P192/P256/P384 in ROM) */
+#if CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS
+#define ESP_SECURE_BOOT_ECDSA_CURVE_ID ECDSA_CURVE_P192
+#elif CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS
+#define ESP_SECURE_BOOT_ECDSA_CURVE_ID ECDSA_CURVE_P256
+#elif CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS
+#define ESP_SECURE_BOOT_ECDSA_CURVE_ID ECDSA_CURVE_P384
+#endif
+#endif
+
 #if CONFIG_SECURE_BOOT || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
 /** @brief Get the selected secure boot scheme key type
 *
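Review bot: ESP_SECURE_BOOT_ECDSA_CURVE_ID stays undefined when CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME is set but none of the three CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_*_BITS options is, so the comparison this commit adds in secure_boot_signatures_app.c and secure_boot_signatures_bootloader.c would then fail with an "undeclared identifier" error instead of a configuration-level message; presumably the Kconfig choice always selects one, but the inner `#if` chain should still end with `#else` / `#error "Secure Boot V2 (ECDSA): no ECDSA key length selected"` before its `#endif`. The comment above the chain would be more useful if it also said what the macro is for, e.g. `/* Curve every trusted signature block must carry; blocks with any other curve_id are rejected by validate_signature_block */`. The function whose doc comment starts on the hunk's last line lies outside the hunk.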
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c
index 6f716b24e1..67bbff382c 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_ecdsa_signature.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -13,11 +13,13 @@ ESP_LOG_ATTR_TAG(TAG, "secure_boot_v2_ecdsa");
-#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS
+#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS
+#define ECDSA_INTEGER_LEN 24
+#elif CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS
 #define ECDSA_INTEGER_LEN 48
 #else
 #define ECDSA_INTEGER_LEN 32
-#endif /* CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS */
+#endif
 esp_err_t verify_ecdsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, const ets_secure_boot_sig_block_t *trusted_block)
 {
@@ -39,16 +39,20 @@ esp_err_t verify_ecdsa_signature_block(const ets_secure_boot_signature_t *sig_bl
 psa_ecc_family_t curve_family;
 switch(trusted_block->ecdsa.key.curve_id) {
+#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS
 case ECDSA_CURVE_P192:
 key_size = 24;
 curve_family = PSA_ECC_FAMILY_SECP_R1;
 psa_set_key_bits(&key_attributes, PSA_BYTES_TO_BITS(key_size));
 break;
+#endif /* CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS */
+#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS
 case ECDSA_CURVE_P256:
 key_size = 32;
 curve_family = PSA_ECC_FAMILY_SECP_R1;
 psa_set_key_bits(&key_attributes, PSA_BYTES_TO_BITS(key_size));
 break;
+#endif /* CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS */
 #if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS
 case ECDSA_CURVE_P384:
 key_size = 48;
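Review bot: With every `case` arm of the switch now compiled only under its own CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_*_BITS option, a trusted block whose curve_id the build was not configured for reaches the `default:` arm, which is outside the hunk; key_size and curve_family are assigned only inside the arms, so that arm must return an error rather than merely log, or both are read uninitialized further down — worth confirming. A comment on the switch would make the intent explicit, e.g. `/* Only the curve selected in menuconfig is compiled in; any other curve_id must be rejected in default: */`. Note also that ECDSA_INTEGER_LEN in the hunk above now follows the build configuration while key_size follows the curve_id stored in the trusted block; they appear to agree only because validate_signature_block rejects mismatching blocks earlier, an ordering dependency that deserves a sentence next to the ECDSA_INTEGER_LEN definition. verify_ecdsa_signature_block continues beyond the hunk.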
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
index 2c7347a15b..7af567d2b1 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_app.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -43,6 +43,13 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
 return ESP_FAIL;
 }
+#if CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+ if (block->ecdsa.key.curve_id != ESP_SECURE_BOOT_ECDSA_CURVE_ID) {
+ ESP_LOGE(TAG, "ECDSA curve mismatch: actual (curve_id %u), expected (curve_id %u)", (unsigned) block->ecdsa.key.curve_id, (unsigned) ESP_SECURE_BOOT_ECDSA_CURVE_ID);
+ return ESP_FAIL;
+ }
+#endif
+
 #if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED && CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
 if (block->ecdsa.key.curve_id == ECDSA_CURVE_P192) {
 // Enabling ECDSA-192 Curve mode
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
index dd94c28057..55e5e77451 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
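Review bot: The new curve-id check in validate_signature_block is repeated verbatim in secure_boot_signatures_bootloader.c (the next hunk), so it would be better kept as one `static inline` helper in esp_secure_boot.h next to ESP_SECURE_BOOT_ECDSA_CURVE_ID, so the app-side and bootloader-side verifiers cannot drift. Whichever form stays, the check deserves a comment saying why it exists, e.g. `// Reject blocks signed for a curve other than the configured one; the ECDSA verifier appears to size its integers from the build config, not from the block`, since the reason is not visible at this point in the file. Running it before the P192-enable branch that follows is the right order, as a rejected block then never touches that hardware mode. validate_signature_block starts above the hunk and continues below it.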
@@ -72,6 +72,13 @@ static esp_err_t validate_signature_block(const ets_secure_boot_sig_block_t *blo
 return ESP_FAIL;
 }
+#if CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+ if (block->ecdsa.key.curve_id != ESP_SECURE_BOOT_ECDSA_CURVE_ID) {
+ ESP_LOGE(TAG, "ECDSA curve mismatch: actual (curve_id %u), expected (curve_id %u)", (unsigned) block->ecdsa.key.curve_id, (unsigned) ESP_SECURE_BOOT_ECDSA_CURVE_ID);
+ return ESP_FAIL;
+ }
+#endif
+
 #if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED && CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
 if (block->ecdsa.key.curve_id == ECDSA_CURVE_P192) {
 // Enabling ECDSA-192 Curve mode