esp32c6: Enable ECDSA based secure boot

- Updated documentation for C6

components/bootloader_support/CMakeLists.txt

@@ -40,6 +40,10 @@ if(BOOTLOADER_BUILD OR CONFIG_APP_BUILD_TYPE_RAM)
     "src/${IDF_TARGET}/bootloader_${IDF_TARGET}.c"
     )
     list(APPEND priv_requires hal)
+    if(CONFIG_ESP_ROM_REV0_HAS_NO_ECDSA_INTERFACE)
+        list(APPEND srcs
+            "src/${IDF_TARGET}/bootloader_ecdsa.c")
+    endif()
 else()
     list(APPEND srcs
         "src/idf/bootloader_sha.c")

components/bootloader_support/private_include/bootloader_signature.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -29,6 +29,8 @@
 
 #if !CONFIG_IDF_TARGET_ESP32 || CONFIG_ESP32_REV_MIN_FULL >= 300
 
+#if CONFIG_SECURE_BOOT_V2_ENABLED || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
+
 /** @brief Verify the secure boot signature block for Secure Boot V2.
  *
  *  Performs RSA-PSS or ECDSA verification of the SHA-256 image based on the public key
@@ -53,4 +55,6 @@ esp_err_t esp_secure_boot_verify_sbv2_signature_block(const ets_secure_boot_sign
  */
 esp_err_t esp_secure_boot_verify_rsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, uint8_t *verified_digest);
 
+#endif /* CONFIG_SECURE_BOOT_V2_ENABLED || CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT */
+
 #endif

components/bootloader_support/src/esp32c6/bootloader_ecdsa.c

@@ -0,0 +1,35 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#include <stdbool.h>
+#include <string.h>
+#include <sys/param.h>
+#include "rom/ecdsa.h"
+
+#define ROM_FUNC_TYPECAST  int(*)(const uint8_t*, const uint8_t*, int, const uint8_t*, uint8_t*)
+
+extern uint32_t _rom_eco_version;
+int (*_rom_ets_ecdsa_verify)(const uint8_t*, const uint8_t*, int, const uint8_t*, uint8_t*);
+
+/* On ESP32-C6 ECO 0, the ROM interface hasn't exposed ets_ecdsa_verify symbol, so for that we have defined
+ * the function here and then jump to the absolute address in ROM.
+ *
+ * There is a possibility of updating the ROM in the future chip revisions without any major upgrades,
+ * in that case, the same binary should work as is on the new chip revision. For that, we check the _rom_eco_version
+ * and if its a newer one, we jump to the new ROM interface. These addresses won't change in the future
+ *
+ * ets_ecdsa_verify symbol will be present in the upcoming ROM ECO versions so even though we have defined it here,
+ * linker will pick the symbol address from rom.ld file
+ */
+int ets_ecdsa_verify(const uint8_t *key, const uint8_t *sig, ECDSA_CURVE curve_id, const uint8_t *image_digest, uint8_t *verified_digest)
+{
+    if (_rom_eco_version == 0) {
+        _rom_ets_ecdsa_verify = (ROM_FUNC_TYPECAST)0x4001a824;
+        return _rom_ets_ecdsa_verify(key, sig, curve_id, image_digest, verified_digest);
+    } else {
+        _rom_ets_ecdsa_verify = (ROM_FUNC_TYPECAST)0x40001490;
+        return _rom_ets_ecdsa_verify(key, sig, curve_id, image_digest, verified_digest);
+    }
+}

components/bootloader_support/src/secure_boot_v2/secure_boot.c

@@ -27,6 +27,8 @@
 #include "esp32h4/rom/secure_boot.h"
 #elif CONFIG_IDF_TARGET_ESP32C2
 #include "esp32c2/rom/secure_boot.h"
+#elif CONFIG_IDF_TARGET_ESP32C6
+#include "esp32c6/rom/secure_boot.h"
 #endif
 
 /* The following API implementations are used only when called

components/bootloader_support/src/secure_boot_v2/secure_boot_signature_priv.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -17,6 +17,8 @@
 #include "esp32h4/rom/secure_boot.h"
 #elif CONFIG_IDF_TARGET_ESP32C2
 #include "esp32c2/rom/secure_boot.h"
+#elif CONFIG_IDF_TARGET_ESP32C6
+#include "esp32c6/rom/secure_boot.h"
 #endif
 
 esp_err_t verify_ecdsa_signature_block(const ets_secure_boot_signature_t *sig_block, const uint8_t *image_digest, const ets_secure_boot_sig_block_t *trusted_block);