secure boot: Ensure mbedTLS enables ECDSA if signatures are checked in app

and all ECDSA to be disabled if secure boot is not enabled Previously if ECDSA disabled in config then secure_boot_signatures.c would fail to build (whether or not secure boot was enabled). To avoid breaking apps that might be using the signature scheme with custom OTA without enabling secure boot signatures in config, this change just disables this functionality if unavailable in mbedTLS config. Possible fix for root cause of https://github.com/espressif/esp-idf/pull/3703 Closes https://github.com/espressif/esp-idf/issues/4758
2019-08-30 09:35:47 +10:00
parent 2cc9d28a35
commit 904b85e365
2 changed files with 9 additions and 1 deletions
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -234,12 +234,15 @@ menu "Security features"
    config SECURE_SIGNED_ON_UPDATE
        bool
        default y
-        select MBEDTLS_ECP_DP_SECP256R1_ENABLED
        depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT

    config SECURE_SIGNED_APPS
        bool
        default y
+        select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+        select MBEDTLS_ECP_C
+        select MBEDTLS_ECDH_C
+        select MBEDTLS_ECDSA_C
        depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE