espressif: Bootloader size limitation when Flash Encryption + Secure Boot V2 + MCUboot signing are enabled #1262
Description
This issue was created to track the following scenario:
Both Flash Encryption and Secure Boot V2 hardware-powered support were added to the Espressif port in addition to the MCUboot security chain.
Each feature alone can be enabled without issues. However, currently when all features are enabled at the same time, the resulting bootloader binary size for some chip + feature combination may exceed the size limit for the ROM bootloader verification, which may prevent the system from boot (Documentation).
Considering the signing schemes currently implemented by MCUboot, these are the combinations currently supported by the Espressif port:
| MCUboot signing scheme | No security features | Secure Boot V2 + Flash Encryption | ||||||
|---|---|---|---|---|---|---|---|---|
| ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | |
| RSA-2048 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ❌ | ✔️ |
| RSA-3072 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ❌ | ✔️ |
| EC256 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| ED25519 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ✔️ | ✔️ |