Merge branch 'bugfix/fix_condition_to_verify_when_no_SB' into 'master'

fix(bootloader_support): Fix condition for checking signature in the application

See merge request espressif/esp-idf!26026

components/bootloader/Kconfig.projbuild

@@ -709,14 +709,12 @@ menu "Security features"
 
     config SECURE_BOOT_VERIFICATION_KEY
         string "Secure boot public signature verification key"
-        depends on SECURE_SIGNED_APPS && !SECURE_BOOT_BUILD_SIGNED_BINARIES && !SECURE_SIGNED_APPS_RSA_SCHEME
+        depends on SECURE_SIGNED_APPS && SECURE_SIGNED_APPS_ECDSA_SCHEME && !SECURE_BOOT_BUILD_SIGNED_BINARIES
         default "signature_verification_key.bin"
         help
             Path to a public key file used to verify signed images.
             Secure Boot V1: This ECDSA public key is compiled into the bootloader and/or
             app, to verify app images.
-            Secure Boot V2: This RSA public key is compiled into the signature block at
-            the end of the bootloader/app.
 
             Key file is in raw binary format, and can be extracted from a
             PEM formatted private key using the espsecure.py

components/bootloader_support/src/secure_boot.c

@@ -144,9 +144,9 @@ static esp_err_t secure_boot_v2_check(bool *need_fix)
 #endif
 #endif // CONFIG_SECURE_BOOT
 
-#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+#if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 
-static void rsa_check_signature_on_update_check(void)
+static void check_signature_on_update_check(void)
 {
     // We rely on the keys used to sign this app to verify the next app on OTA, so make sure there is at
     // least one to avoid a stuck firmware
@@ -164,7 +164,7 @@ static void rsa_check_signature_on_update_check(void)
     }
 #endif
 }
-#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+#endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 
 void esp_secure_boot_init_checks(void)
 {
@@ -184,9 +184,9 @@ void esp_secure_boot_init_checks(void)
 #endif // CONFIG_SECURE_BOOT
 
 
-#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
-    rsa_check_signature_on_update_check();
-#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+#if (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+    check_signature_on_update_check();
+#endif // (CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME) && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 
 }
 

tools/test_apps/.build-test-rules.yml

@@ -68,6 +68,12 @@ tools/test_apps/security/secure_boot:
     - if: IDF_ENV_FPGA != 1
       reason: the test can only run on an FPGA as efuses need to be reset during the test.
 
+tools/test_apps/security/signed_app_no_secure_boot:
+  enable:
+    - if: IDF_TARGET in ["esp32c2", "esp32c3"]
+      temporary: true
+      reason: No need to test on all targets
+
 tools/test_apps/system/bootloader_sections:
   disable:
     - if: IDF_TARGET == "esp32c2"

tools/test_apps/security/signed_app_no_secure_boot/CMakeLists.txt

@@ -0,0 +1,7 @@
+# The following lines of boilerplate have to be in your project's
+# CMakeLists in this exact order for cmake to work correctly
+cmake_minimum_required(VERSION 3.16)
+
+# Secure Boot not currently supported for ESP32-S2
+include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+project(secure_boot)

tools/test_apps/security/signed_app_no_secure_boot/README.md

@@ -0,0 +1,11 @@
+| Supported Targets | ESP32-C2 | ESP32-C3 |
+| ----------------- | -------- | -------- |
+
+# Secure Signed On Update No Secure Boot
+
+This examples verifies the case when CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT is selected and application is not signed. The application should abort its execution with the logs:
+
+```
+secure_boot_v2: No signatures were found for the running app
+secure_boot: This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.
+```

tools/test_apps/security/signed_app_no_secure_boot/main/CMakeLists.txt

@@ -0,0 +1,2 @@
+idf_component_register(SRCS "main.c"
+                    INCLUDE_DIRS ".")

tools/test_apps/security/signed_app_no_secure_boot/main/main.c

@@ -0,0 +1,15 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Unlicense OR CC0-1.0
+ */
+#include <stdio.h>
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+
+#define TAG "example_secure_boot"
+
+void app_main(void)
+{
+    printf("\nExample for secured signed with no secure boot\n");
+}

tools/test_apps/security/signed_app_no_secure_boot/pytest_signed_app_no_secure_boot.py

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+# SPDX-License-Identifier: Unlicense OR CC0-1.0
+
+import pytest
+from pytest_embedded import Dut
+
+
+@pytest.mark.esp32c2
+@pytest.mark.esp32c3
+@pytest.mark.generic
+def test_examples_security_on_update_no_secure_boot(dut: Dut) -> None:
+    dut.expect("This app is not signed, but check signature on update is enabled in config. It won't be possible to verify any update.", timeout=10)

tools/test_apps/security/signed_app_no_secure_boot/sdkconfig.defaults

@@ -0,0 +1,8 @@
+CONFIG_SECURE_SIGNED_ON_UPDATE=y
+CONFIG_SECURE_SIGNED_APPS=y
+CONFIG_SECURE_BOOT_V2_PREFERRED=y
+CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
+CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
+# CONFIG_SECURE_BOOT is not set
+# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is not set
+# CONFIG_SECURE_FLASH_ENC_ENABLED is not set