From 46fea6dbc4bd90743d588df2417c6346ad2d608d Mon Sep 17 00:00:00 2001
From: Catalin Ioana
Date: Fri, 16 Feb 2018 09:18:59 +0200
Subject: [PATCH 1/6] Enabled Secure Boot in wifi_scan project, replaced ifdefs with runtime ifs
---
 .../subproject/signature_verification_key.bin | Bin 0 -> 64 bytes
 .../bootloader_support/src/esp_image_format.c | 24 +++++++++++-------
 .../bootloader_support/src/secure_boot.c | 1 +
 .../src/secure_boot_signatures.c | 1 +
 examples/wifi/scan/sdkconfig | 7 ++++-
 .../wifi/scan/signature_verification_key.bin | Bin 0 -> 64 bytes
 6 files changed, 23 insertions(+), 10 deletions(-)
 create mode 100644 components/bootloader/subproject/signature_verification_key.bin
 create mode 100644 examples/wifi/scan/signature_verification_key.bin
diff --git a/components/bootloader/subproject/signature_verification_key.bin b/components/bootloader/subproject/signature_verification_key.bin
new file mode 100644
index 0000000000000000000000000000000000000000..9017fd98b5f67d928cc64c59b2c025472ce74f8c
GIT binary patch
literal 64 LcmZQzpbP*206+i% literal 0 HcmV?d00001
diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c
index f053a20692..753d7bcfa5 100644
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#define LOG_LOCAL_LEVEL ESP_LOG_INFO
 #include
 #include
 #include
@@ -100,11 +101,13 @@ esp_err_t esp_image_load(esp_image_load_mode_t mode, const esp_partition_pos_t *
 }
 // Calculate SHA-256 of image if secure boot is on, or if image has a hash appended
-#ifdef CONFIG_SECURE_BOOT_ENABLED
+/*#ifdef CONFIG_SECURE_BOOT_ENABLED
 if (1) {
 #else
 if (data->image.hash_appended) {
 #endif
+*/
+ if (esp_secure_boot_enabled() || data->image.hash_appended) {
 sha_handle = bootloader_sha256_start();
 if (sha_handle == NULL) {
 return ESP_ERR_NO_MEM;
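Review bot: The old `#ifdef CONFIG_SECURE_BOOT_ENABLED` block is kept as a `/* ... */` comment around the new `if (esp_secure_boot_enabled() || data->image.hash_appended)` instead of being deleted, and the same commented-out preprocessor skeleton (`//#ifdef`, `//#else`, `//#endif`) appears in the next hunk of this file and again in patch 6/6; commented-out code should go, git history keeps it. More importantly, this turns a build-time guarantee into a runtime one: whether the image is hashed now depends on what `esp_secure_boot_enabled()` reports on the device rather than on the build configuration, so a bootloader built with secure boot enabled will skip hashing (and, per the next hunk, signature verification) on a device whose secure-boot efuse has not been burned. That is presumably the intended re-flashable development flow, but it deserves a comment at the condition such as `// Runtime check: on a device where secure boot is not yet burned into efuse, unsigned images are accepted` so nobody ships this relying on the build flag alone. esp_image_load continues outside the hunk.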
@@ -166,15 +169,18 @@ goto err;
 rewritten the header - rely on esptool.py having verified the bootloader
 at flashing time, instead. */
 if (!is_bootloader) {
-#ifdef CONFIG_SECURE_BOOT_ENABLED
- // secure boot images have a signature appended
- err = verify_secure_boot_signature(sha_handle, data);
-#else
- // No secure boot, but SHA-256 can be appended for basic corruption detection
- if (sha_handle != NULL) {
- err = verify_simple_hash(sha_handle, data);
+//#ifdef CONFIG_SECURE_BOOT_ENABLED
+ if (esp_secure_boot_enabled()) {
+ // secure boot images have a signature appended
+ err = verify_secure_boot_signature(sha_handle, data);
+//#else
+ } else {
+ // No secure boot, but SHA-256 can be appended for basic corruption detection
+ if (sha_handle != NULL) {
+ err = verify_simple_hash(sha_handle, data);
+ }
 }
-#endif // CONFIG_SECURE_BOOT_ENABLED
+//#endif // CONFIG_SECURE_BOOT_ENABLED
 } else { // is_bootloader
 // bootloader may still have a sha256 digest handle open
 if (sha_handle != NULL) {
diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
index ef9744ffc8..6fe01932c6 100644
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -16,6 +16,7 @@
 #include "esp_attr.h"
 #include "esp_types.h"
+#define LOG_LOCAL_LEVEL ESP_LOG_VERBOSE
 #include "esp_log.h"
 #include "rom/cache.h"
diff --git a/components/bootloader_support/src/secure_boot_signatures.c b/components/bootloader_support/src/secure_boot_signatures.c
index 988ab7935f..7d222864f6 100644
--- a/components/bootloader_support/src/secure_boot_signatures.c
+++ b/components/bootloader_support/src/secure_boot_signatures.c
@@ -15,6 +15,7 @@
 #include "bootloader_flash.h"
 #include "bootloader_sha.h"
+#define LOG_LOCAL_LEVEL ESP_LOG_VERBOSE
 #include "esp_log.h"
 #include "esp_image_format.h"
 #include "esp_secure_boot.h"
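Review bot: `#define LOG_LOCAL_LEVEL ESP_LOG_VERBOSE` is dropped into the middle of the include lists of secure_boot.c and secure_boot_signatures.c (the second and third hunks on this line) with no comment, and is reverted again in patch 3/6. A debugging log level is not part of the feature and should not be committed with it; if a per-file override is ever wanted it needs a comment saying why, and it must precede the `esp_log.h` include to take effect. Verbose logging in the secure-boot and signature-verification paths should also be checked for what it prints before it is enabled on anything but a bench device.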
diff --git a/examples/wifi/scan/sdkconfig b/examples/wifi/scan/sdkconfig
index ffd0b95b12..3d19c78751 100644
--- a/examples/wifi/scan/sdkconfig
+++ b/examples/wifi/scan/sdkconfig
@@ -26,7 +26,12 @@ CONFIG_BOOTLOADER_VDDSDIO_BOOST=y
 #
 # Security features
 #
-CONFIG_SECURE_BOOT_ENABLED=
+CONFIG_SECURE_BOOT_ENABLED=y
+CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=y
+CONFIG_SECURE_BOOTLOADER_REFLASHABLE=
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=
+CONFIG_SECURE_BOOT_VERIFICATION_KEY="signature_verification_key.bin"
+CONFIG_SECURE_BOOT_INSECURE=
 CONFIG_FLASH_ENCRYPTION_ENABLED=
 #
diff --git a/examples/wifi/scan/signature_verification_key.bin b/examples/wifi/scan/signature_verification_key.bin
new file mode 100644
index 0000000000000000000000000000000000000000..9017fd98b5f67d928cc64c59b2c025472ce74f8c
GIT binary patch
literal 64 LcmZQzpbP*206+i% literal 0 HcmV?d00001
From 099b3ca7b1aea1a8bbf3b91944578c7f81cbbff1 Mon Sep 17 00:00:00 2001
From: Catalin Ioana
Date: Mon, 19 Feb 2018 10:31:38 +0200
Subject: [PATCH 2/6] add a real key for signing partitions for secure boot
---
 .../subproject/signature_verification_key.bin | Bin 64 -> 64 bytes
 examples/wifi/scan/secure_boot_signing_key.pem | 5 +++++
 examples/wifi/scan/signature_verification_key.bin | Bin 64 -> 64 bytes
 3 files changed, 5 insertions(+)
 create mode 100644 examples/wifi/scan/secure_boot_signing_key.pem
diff --git a/components/bootloader/subproject/signature_verification_key.bin b/components/bootloader/subproject/signature_verification_key.bin
index 9017fd98b5f67d928cc64c59b2c025472ce74f8c..758554001583873584ebe5fc3b77d914b69c135e 100644
GIT binary patch
literal 64 zcmV-G0KflP&*w=&DJhB6Ej}Ua1yEu%Yv=;GN}S59NM(YVqjV5&$f3msic6s{xt!RB Wl=pI*#u#Qz(;XL=L_7Zfd?-b_>K-fr literal 64 LcmZQzpbP*206+i%
diff --git a/examples/wifi/scan/secure_boot_signing_key.pem b/examples/wifi/scan/secure_boot_signing_key.pem
new file mode 100644
index 0000000000..13e6fc7958
--- /dev/null
+++ b/examples/wifi/scan/secure_boot_signing_key.pem
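Review bot: `CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=y` in a committed example sdkconfig means anyone who builds and flashes the wifi/scan example as checked in will, as I understand that mode, irreversibly burn the secure-boot efuses on their device at first boot. An example should not ship an irreversible provisioning setting without a prominent comment, and in ESP-IDF the generated `sdkconfig` is typically left untracked in favour of `sdkconfig.defaults`. The hunk also points `CONFIG_SECURE_BOOT_VERIFICATION_KEY` at `signature_verification_key.bin`, which this same patch adds to the repository, so every device provisioned from this configuration trusts a key whose private half lives on a developer machine (and, from patch 2/6 on, in git); patch 4/6 later replaces this setting with the signing-key one. A comment such as `# WARNING: ONE_TIME_FLASH permanently burns efuses on first boot; development key only` directly above these lines would make the consequence visible.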
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICMyAIK9+SQEoSM06ju1q2PHfyQf34uN0J6WS0OFwP9OoAoGCCqGSM49
+AwEHoUQDQgAEWc/nSUEpKYnULT4h7AVQYjRr6AK5SpzKrEhlgpmjdBBvyKHFBopL
+oS+5nNiGlPdym8YYZk3THReXRDv+/3woRQ==
+-----END EC PRIVATE KEY-----
diff --git a/examples/wifi/scan/signature_verification_key.bin b/examples/wifi/scan/signature_verification_key.bin
index 9017fd98b5f67d928cc64c59b2c025472ce74f8c..758554001583873584ebe5fc3b77d914b69c135e 100644
GIT binary patch
literal 64 zcmV-G0KflP&*w=&DJhB6Ej}Ua1yEu%Yv=;GN}S59NM(YVqjV5&$f3msic6s{xt!RB Wl=pI*#u#Qz(;XL=L_7Zfd?-b_>K-fr literal 64 LcmZQzpbP*206+i%
From 32a42ddb843408471b4583ad79b7cdd71eff16be Mon Sep 17 00:00:00 2001
From: Catalin Ioana
Date: Mon, 19 Feb 2018 17:14:53 +0200
Subject: [PATCH 3/6] remove debug level
---
 components/bootloader_support/src/esp_image_format.c | 1 -
 components/bootloader_support/src/secure_boot.c | 1 -
 components/bootloader_support/src/secure_boot_signatures.c | 1 -
 3 files changed, 3 deletions(-)
diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c
index 753d7bcfa5..a190ce310e 100644
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -18,7 +18,6 @@
 #include
 #include
 #include
-#define LOG_LOCAL_LEVEL ESP_LOG_INFO
 #include
 #include
 #include
diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
index 6fe01932c6..ef9744ffc8 100644
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -16,7 +16,6 @@
 #include "esp_attr.h"
 #include "esp_types.h"
-#define LOG_LOCAL_LEVEL ESP_LOG_VERBOSE
 #include "esp_log.h"
 #include "rom/cache.h"
diff --git a/components/bootloader_support/src/secure_boot_signatures.c b/components/bootloader_support/src/secure_boot_signatures.c
index 7d222864f6..988ab7935f 100644
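Review bot: This hunk adds an EC private key, `secure_boot_signing_key.pem`, to the repository, and patch 4/6 then makes it the example's `CONFIG_SECURE_BOOT_SIGNING_KEY`. A signing key in source control is public the moment the repository is shared, so any device provisioned with its public half will accept images that anyone can sign; it must be treated as a throwaway development key, should be rotated if it was ever used on real hardware, and the file should be kept out of git (ignore `*.pem` in the example and document that users generate their own key locally). At minimum a README note and a comment in the sdkconfig should state that this is a test key that must never be used for production devices, and the two `signature_verification_key.bin` files updated in this patch carry the same caveat.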
--- a/components/bootloader_support/src/secure_boot_signatures.c
+++ b/components/bootloader_support/src/secure_boot_signatures.c
@@ -15,7 +15,6 @@
 #include "bootloader_flash.h"
 #include "bootloader_sha.h"
-#define LOG_LOCAL_LEVEL ESP_LOG_VERBOSE
 #include "esp_log.h"
 #include "esp_image_format.h"
 #include "esp_secure_boot.h"
From 1d4627327b1cd3d8d1594fafa163c9c7201f23e1 Mon Sep 17 00:00:00 2001
From: Catalin Ioana
Date: Tue, 13 Mar 2018 12:29:57 +0200
Subject: [PATCH 4/6] added secure_boot re-flashable bootloader
---
 .../bootloader_support/src/esp_image_format.c | 13 ++++---------
 examples/wifi/scan/sdkconfig | 8 ++++----
 2 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c
index a190ce310e..9b3c98cccb 100644
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -100,13 +100,11 @@ esp_err_t esp_image_load(esp_image_load_mode_t mode, const esp_partition_pos_t *
 }
 // Calculate SHA-256 of image if secure boot is on, or if image has a hash appended
-/*#ifdef CONFIG_SECURE_BOOT_ENABLED
+#ifdef CONFIG_SECURE_BOOT_ENABLED
 if (1) {
 #else
 if (data->image.hash_appended) {
 #endif
-*/
- if (esp_secure_boot_enabled() || data->image.hash_appended) {
 sha_handle = bootloader_sha256_start();
 if (sha_handle == NULL) {
 return ESP_ERR_NO_MEM;
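Review bot: Patches 1/6 and 4/6 add and then remove the same runtime `esp_secure_boot_enabled()` check at this site, leaving a change-and-revert pair in the series; squash them so the net change is what gets reviewed. As the series stands after patch 6/6, the SHA-256 pass here stays compile-time (`#ifdef CONFIG_SECURE_BOOT_ENABLED` / `if (1)`) while the signature check further down becomes a runtime decision, and that asymmetry should be explained in a comment at whichever site is kept. esp_image_load continues outside the hunk.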
@@ -168,18 +166,15 @@ goto err;
 rewritten the header - rely on esptool.py having verified the bootloader
 at flashing time, instead. */
 if (!is_bootloader) {
-//#ifdef CONFIG_SECURE_BOOT_ENABLED
- if (esp_secure_boot_enabled()) {
+#ifdef CONFIG_SECURE_BOOT_ENABLED
 // secure boot images have a signature appended
 err = verify_secure_boot_signature(sha_handle, data);
-//#else
- } else {
+#else
 // No secure boot, but SHA-256 can be appended for basic corruption detection
 if (sha_handle != NULL) {
 err = verify_simple_hash(sha_handle, data);
 }
- }
-//#endif // CONFIG_SECURE_BOOT_ENABLED
+#endif // CONFIG_SECURE_BOOT_ENABLED
 } else { // is_bootloader
 // bootloader may still have a sha256 digest handle open
 if (sha_handle != NULL) {
diff --git a/examples/wifi/scan/sdkconfig b/examples/wifi/scan/sdkconfig
index 3d19c78751..f7b174fb91 100644
--- a/examples/wifi/scan/sdkconfig
+++ b/examples/wifi/scan/sdkconfig
@@ -27,10 +27,10 @@ CONFIG_BOOTLOADER_VDDSDIO_BOOST=y
 # Security features
 #
 CONFIG_SECURE_BOOT_ENABLED=y
-CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=y
-CONFIG_SECURE_BOOTLOADER_REFLASHABLE=
-CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=
-CONFIG_SECURE_BOOT_VERIFICATION_KEY="signature_verification_key.bin"
+CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=
+CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
 CONFIG_SECURE_BOOT_INSECURE=
 CONFIG_FLASH_ENCRYPTION_ENABLED=
From b105e338f598075cd41953d0d474fbcade910400 Mon Sep 17 00:00:00 2001
From: Catalin Ioana
Date: Tue, 13 Mar 2018 14:27:25 +0200
Subject: [PATCH 5/6] workaround for an IDF bug, debug has to enabled for reflashable bootloader
---
 components/bootloader_support/src/esp_image_format.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c
index 9b3c98cccb..7e6e90b3c9 100644
--- a/components/bootloader_support/src/esp_image_format.c
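Review bot: `CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y` together with `CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"` in the sdkconfig hunk selects the mode in which, as far as I recall the ESP-IDF flow, the secure bootloader key is derived on the host from that signing key rather than generated on the device, so the trust of every device provisioned from this example rests on a key this series has already committed to git. The re-flashable mode is the weaker of the two precisely because the bootloader key exists outside the device; an example that enables it should say so next to the setting, e.g. `# Re-flashable mode: bootloader key is derived from the (development-only) signing key on the host`. The esp_image_format.c hunk on this line is the revert discussed at patch 4/6's first hunk.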
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#define LOG_LOCAL_LEVEL ESP_LOG_ERROR
 #include
 #include
 #include
From 0a501b687689d2f0b34994568ab75c542a927ca4 Mon Sep 17 00:00:00 2001
From: Catalin Ioana
Date: Wed, 14 Mar 2018 12:02:48 +0200
Subject: [PATCH 6/6] bootloader_support/src/esp_image_format.c checking of application signature only if secure_boot was enabled
---
 components/bootloader_support/src/esp_image_format.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c
index 7e6e90b3c9..0f29ab054d 100644
--- a/components/bootloader_support/src/esp_image_format.c
+++ b/components/bootloader_support/src/esp_image_format.c
@@ -167,15 +167,18 @@ goto err;
 rewritten the header - rely on esptool.py having verified the bootloader
 at flashing time, instead. */
 if (!is_bootloader) {
-#ifdef CONFIG_SECURE_BOOT_ENABLED
+//#ifdef CONFIG_SECURE_BOOT_ENABLED
+ if (esp_secure_boot_enabled()) {
 // secure boot images have a signature appended
 err = verify_secure_boot_signature(sha_handle, data);
-#else
+//#else
+ } else {
 // No secure boot, but SHA-256 can be appended for basic corruption detection
 if (sha_handle != NULL) {
 err = verify_simple_hash(sha_handle, data);
 }
-#endif // CONFIG_SECURE_BOOT_ENABLED
+ }
+//#endif // CONFIG_SECURE_BOOT_ENABLED
 } else { // is_bootloader
 // bootloader may still have a sha256 digest handle open
 if (sha_handle != NULL) {
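Review bot: The new `#define LOG_LOCAL_LEVEL ESP_LOG_ERROR` carries no explanation in the code, while the commit message calls it a workaround for an IDF bug that needs debug enabled for the re-flashable bootloader; the next maintainer will see an unmotivated log-level override in the middle of the include list and remove it. Put the reason beside it, e.g. `// Workaround (commit b105e338): the re-flashable secure bootloader build needs a file-local LOG_LOCAL_LEVEL here; remove once the IDF bug is fixed upstream.` Note also that if the project's default log level is INFO, `ESP_LOG_ERROR` lowers the level for this file and silences the image loader's info and warning output, including any secure-boot related warnings it emits, which contradicts the "debug has to be enabled" wording, so the level actually required should be confirmed. The include names are not visible in this hunk, so I cannot confirm the define precedes the `esp_log.h` include it has to affect.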
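Review bot: After this patch the two gates in esp_image_load disagree: the SHA-256 pass near the top of the function (restored by patch 4/6 to `#ifdef CONFIG_SECURE_BOOT_ENABLED` / `if (1)`) is a compile-time decision, while the signature check here is a runtime `esp_secure_boot_enabled()` decision. On a secure-boot build running on a device whose efuse is not burned, the image is hashed but only `verify_simple_hash` runs, so an unsigned image with a valid appended hash is presumably accepted; that matches the stated intent, but it must be written down at the branch: `// Signature is verified only once secure boot is burned into efuse; before that, unsigned images are accepted (development flow).` Also drop the `//#ifdef` / `//#else` / `//#endif` comment lines, which are the old preprocessor skeleton and belong to git history, not the source. esp_image_load continues outside the hunk.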