
secure_boot: Do not allow key revocation in bootloader

Sachin Parekh il y a 4 ans
Parent
commit
017f7a241a

+ 4 - 1
components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c

@@ -155,10 +155,13 @@ esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signa
 #if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
     int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, trusted.key_digests[0], verified_digest);
 #else
-    ets_secure_boot_key_digests_t trusted_key_digests;
+    ets_secure_boot_key_digests_t trusted_key_digests = {0};
     for (unsigned i = 0; i < SECURE_BOOT_NUM_BLOCKS; i++) {
         trusted_key_digests.key_digests[i] = &trusted.key_digests[i];
     }
+    // Key revocation happens in ROM bootloader.
+    // Do NOT allow key revocation while verifying application
+    trusted_key_digests.allow_key_revoke = false;
     int sb_result = ets_secure_boot_verify_signature(sig_block, image_digest, &trusted_key_digests, verified_digest);
 #endif
     if (sb_result != SB_SUCCESS) {
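Review bot: The explicit `trusted_key_digests.allow_key_revoke = false;` is redundant with the `= {0}` initializer added three lines above, which already zeroes that field; keeping the assignment as the visible policy statement is fine, but the comment should then say why rather than only where, e.g. `// Key revocation burns eFuse bits and cannot be undone; only the ROM bootloader may do it. Never let verification of an (as yet untrusted) application image trigger it.` The `#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1` branch passes `trusted.key_digests[0]` directly and carries no such flag, so the same guarantee there presumably rests on the ROM API itself; a one-line comment on that branch would make the asymmetry explicit for the next reader. esp_secure_boot_verify_rsa_signature_block starts before and ends after this hunk.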