Merge branch 'bugfix/secure_ota_without_padding' into 'master'

fix(secure_ota): secure app verification issue without padding bytes

Closes IDFGH-10784

See merge request espressif/esp-idf!25156

components/bootloader_support/src/esp_image_format.c

@@ -864,7 +864,7 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
         bootloader_munmap(simple_hash);
     }
 
-#if CONFIG_SECURE_BOOT_V2_ENABLED
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
     // End of the image needs to be padded all the way to a 4KB boundary, after the simple hash
     // (for apps they are usually already padded due to --secure-pad-v2, only a problem if this option was not used.)
     uint32_t padded_end = ALIGN_UP(end, FLASH_SECTOR_SIZE);
@@ -874,7 +874,7 @@ static esp_err_t verify_secure_boot_signature(bootloader_sha256_handle_t sha_han
         bootloader_munmap(padding);
         end = padded_end;
     }
-#endif
+#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
 
     bootloader_sha256_finish(sha_handle, image_digest);
 

examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_rsa

@@ -11,6 +11,7 @@ CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
 CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
 CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
 CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION=y
 
 CONFIG_EXAMPLE_CONNECT_ETHERNET=y
 CONFIG_EXAMPLE_CONNECT_WIFI=n