From 2356be7c7a883a5f21d2cdb547bb0e0e103fd700 Mon Sep 17 00:00:00 2001 From: Supreet Deshpande Date: Fri, 25 Sep 2020 05:28:37 +0530 Subject: [PATCH] Secure Boot V2: Fixes the OTA regression with secure boot in ESP32-V3 Closes https://github.com/espressif/esp-idf/issues/5905 --- .../src/idf/secure_boot_signatures.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/components/bootloader_support/src/idf/secure_boot_signatures.c b/components/bootloader_support/src/idf/secure_boot_signatures.c index fd7017424a..57d753adc2 100644 --- a/components/bootloader_support/src/idf/secure_boot_signatures.c +++ b/components/bootloader_support/src/idf/secure_boot_signatures.c @@ -206,11 +206,19 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa during boot-time verification. */ memset(verified_digest, 0, DIGEST_LEN); + /* Generating the SHA of the public key components in the signature block */ + for (i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) { + bootloader_sha256_handle_t sig_block_sha; + sig_block_sha = bootloader_sha256_start(); + bootloader_sha256_data(sig_block_sha, &sig_block->block[i].key, sizeof(sig_block->block[i].key)); + bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_key_digest[i]); + } + #if CONFIG_IDF_TARGET_ESP32 uint8_t efuse_trusted_digest[DIGEST_LEN] = {0}; memcpy(efuse_trusted_digest, (uint8_t *) EFUSE_BLK2_RDATA0_REG, sizeof(efuse_trusted_digest)); - if (memcmp(efuse_trusted_digest, sig_block_key_digest, DIGEST_LEN) != 0) { + if (memcmp(efuse_trusted_digest, sig_block_key_digest[0], DIGEST_LEN) != 0) { const uint8_t zeroes[DIGEST_LEN] = {0}; /* Can't continue if secure boot is enabled, OR if a different digest is already written in efuse BLK2 @@ -231,14 +239,6 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa return ESP_FAIL; } #endif /* CONFIG_IDF_TARGET_ESP32 */ - - /* Generating the SHA of the public key components in the signature block */ - for (i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) { - bootloader_sha256_handle_t sig_block_sha; - sig_block_sha = bootloader_sha256_start(); - bootloader_sha256_data(sig_block_sha, &sig_block->block[i].key, sizeof(sig_block->block[i].key)); - bootloader_sha256_finish(sig_block_sha, (unsigned char *)sig_block_key_digest[i]); - } #endif /* CONFIG_SECURE_BOOT_V2_ENABLED */ ESP_LOGI(TAG, "Verifying with RSA-PSS...");