mirror of
https://github.com/espressif/esp-idf.git
synced 2026-06-04 20:26:38 +03:00
feat: Add API to verify the bootloader and app image
Added an API to verify the bootloader and app image before revoking the key in Secure Boot V2. This will help prevent the device from being bricked if the bootloader/application cannot be verified by any other keys in efuse.
@@ -556,8 +556,8 @@ Secure Boot Best Practices
2. The new OTA update is written to an unused OTA app partition.
3. The new application's signature block is validated. The public keys are checked against the digests programmed in the eFuse & the application is verified using the verified public key.
4. The active partition is set to the new OTA application's partition.
5. Device resets, loads the bootloader (verified with key #N-1) which then boots new app (verified with key #N).
6. The new app verifies bootloader with key #N (as a final check) and then runs code to revoke key #N-1 (sets KEY_REVOKE eFuse bit).
5. Device resets, loads the bootloader (verified with key #N-1 and #N) which then boots new app (verified with key #N).
6. The new app verifies bootloader and application with key #N (as a final check) and then runs code to revoke key #N-1 (sets KEY_REVOKE eFuse bit).
7. The API `esp_ota_revoke_secure_boot_public_key()` can be used to revoke the key #N-1.
* A similar approach can also be used to physically re-flash with a new key. For physical re-flashing, the bootloader content can also be changed at the same time.
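Review bot: new step 7 only says that `esp_ota_revoke_secure_boot_public_key()` "can be used to revoke the key #N-1", while the commit message says the purpose of the API is to verify the bootloader and app image before revoking; the doc text should state that this API performs the step-6 verification itself and does not revoke when the bootloader or application cannot be verified with key #N, otherwise a reader may treat the "final check" in step 6 as a separate manual step and write the KEY_REVOKE eFuse bit directly. Suggest rewording step 7 along the lines of "The API `esp_ota_revoke_secure_boot_public_key()` verifies the bootloader and application with key #N and revokes key #N-1 only if both verify successfully", and documenting what the caller should do when it reports a failure, since falling back to revoking anyway is exactly the bricking case described in the commit message.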