ci(espsecure): Add tests for secure boot using ECDSA-P384 curve

test/secure_images/ecdsa384_secure_boot_signing_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBIxytBXMNRUK/28IbGjtIOfZTLrcKU8nk0zT966n0c1kFa0VdK84k0/lxnX1ukymWg
+BwYFK4EEACKhZANiAAQohLsM+b3/8g4A4q85TpbrVb7Z+CCkDOL90FzceloEFPY9Qt+IoIMmqxvx
+0Uiz9t81CHE3+eVwoVLh7OepMJJ/lRX7leY6gLtnNYxPPpamrROAJ9BgakZ+VE9tYBlK3AY=
+-----END EC PRIVATE KEY-----

test/secure_images/ecdsa384_secure_boot_signing_key2.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAi/QEI621c5gFBaHyZ3JyrCXQYy5umeENn7dfHXxyM6CIKLFXWXrHOJ+xPEAvKEnqg
+BwYFK4EEACKhZANiAATQJep17Gl/ukPYPaoeau5WlspgrnT7pNqkq/TyJH5NYPZfuGFDzAxxaPl4
+PEbHAazkDNvziUUeI+CkF/M17chj7YyOFFdAJN+I+Qn38bS/yZiYVzOocGXeLWhZks3+wME=
+-----END EC PRIVATE KEY-----

test/secure_images/ecdsa384_secure_boot_signing_pubkey.pem

@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEKIS7DPm9//IOAOKvOU6W61W+2fggpAzi
+/dBc3HpaBBT2PULfiKCDJqsb8dFIs/bfNQhxN/nlcKFS4eznqTCSf5UV+5XmOoC7
+ZzWMTz6Wpq0TgCfQYGpGflRPbWAZStwG
+-----END PUBLIC KEY-----

test/secure_images/ecdsa384_secure_boot_signing_pubkey2.pem

@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE0CXqdexpf7pD2D2qHmruVpbKYK50+6Ta
+pKv08iR+TWD2X7hhQ8wMcWj5eDxGxwGs5Azb84lFHiPgpBfzNe3IY+2MjhRXQCTf
+iPkJ9/G0v8mYmFczqHBl3i1oWZLN/sDB
+-----END PUBLIC KEY-----

test/test_espsecure.py

@@ -211,6 +211,7 @@ def test_sign_v2_data(self):
             "rsa_secure_boot_signing_key.pem",
             "ecdsa192_secure_boot_signing_key.pem",
             "ecdsa_secure_boot_signing_key.pem",
+            "ecdsa384_secure_boot_signing_key.pem",
         ]
         for key in signing_keys:
             try:
@@ -411,11 +412,13 @@ def test_sign_v2_with_pre_calculated_signature(self):
             "rsa_secure_boot_signing_pubkey.pem",
             "ecdsa192_secure_boot_signing_pubkey.pem",
             "ecdsa_secure_boot_signing_pubkey.pem",
+            "ecdsa384_secure_boot_signing_pubkey.pem",
         ]
         pre_calculated_signatures = [
             "pre_calculated_bootloader_signature_rsa.bin",
             "pre_calculated_bootloader_signature_ecdsa192.bin",
             "pre_calculated_bootloader_signature_ecdsa256.bin",
+            "pre_calculated_bootloader_signature_ecdsa384.bin",
         ]
         for pub_key, signature in zip(signing_keys, pre_calculated_signatures):
             try:
@@ -497,6 +500,16 @@ def test_verify_signature_signing_key(self):
         )
         espsecure.verify_signature(args)
 
+        # correct key v2 (ecdsa384)
+        args = self.VerifyArgs(
+            "2",
+            False,
+            None,
+            self._open("ecdsa384_secure_boot_signing_key.pem"),
+            self._open("bootloader_signed_v2_ecdsa384.bin"),
+        )
+        espsecure.verify_signature(args)
+
         # correct key v2 (ecdsa256)
         args = self.VerifyArgs(
             "2",
@@ -553,6 +566,18 @@ def test_verify_signature_signing_key(self):
             espsecure.verify_signature(args)
         assert "Invalid datafile" in str(cm.value)
 
+        # wrong key v2 (ecdsa384)
+        args = self.VerifyArgs(
+            "2",
+            False,
+            None,
+            self._open("ecdsa384_secure_boot_signing_key2.pem"),
+            self._open("bootloader_signed_v2_ecdsa384.bin"),
+        )
+        with pytest.raises(esptool.FatalError) as cm:
+            espsecure.verify_signature(args)
+        assert "Signature could not be verified with the provided key." in str(cm.value)
+
         # wrong key v2 (ecdsa256)
         args = self.VerifyArgs(
             "2",
@@ -610,6 +635,16 @@ def test_verify_signature_public_key(self):
         )
         espsecure.verify_signature(args)
 
+        # correct key v2 (ecdsa384)
+        args = self.VerifyArgs(
+            "2",
+            False,
+            None,
+            self._open("ecdsa384_secure_boot_signing_pubkey.pem"),
+            self._open("bootloader_signed_v2_ecdsa384.bin"),
+        )
+        espsecure.verify_signature(args)
+
         # correct key v2 (ecdsa256)
         args = self.VerifyArgs(
             "2",
@@ -654,6 +689,18 @@ def test_verify_signature_public_key(self):
             espsecure.verify_signature(args)
         assert "Signature could not be verified with the provided key." in str(cm.value)
 
+        # wrong key v2 (ecdsa384)
+        args = self.VerifyArgs(
+            "2",
+            False,
+            None,
+            self._open("ecdsa384_secure_boot_signing_pubkey2.pem"),
+            self._open("bootloader_signed_v2_ecdsa384.bin"),
+        )
+        with pytest.raises(esptool.FatalError) as cm:
+            espsecure.verify_signature(args)
+        assert "Signature could not be verified with the provided key." in str(cm.value)
+
         # wrong key v2 (ecdsa256)
         args = self.VerifyArgs(
             "2",
@@ -728,7 +775,7 @@ def test_generate_and_extract_key_v2(self):
             # We need to manually delete the keyfile as we are iterating over
             # different schemes with the same keyfile so instead of using addCleanup,
             # we remove it using os.remove at the end of each pass
-            for scheme in ["rsa3072", "ecdsa192", "ecdsa256"]:
+            for scheme in ["rsa3072", "ecdsa192", "ecdsa256", "ecdsa384"]:
                 args = self.GenerateKeyArgs("2", scheme, keyfile_name)
                 espsecure.generate_signing_key(args)