Merge branch 'bugfix/encrypt_len_for_sb_update_case_v5.5' into 'release/v5.5'

fix(bootloader): correct encryption length for secure update without secure boot (v5.5)

See merge request espressif/esp-idf!41923

components/bootloader_support/include/esp_secure_boot.h

@@ -225,6 +225,23 @@ typedef struct {
     uint8_t signature[64];
 } esp_secure_boot_sig_block_t;
 
+/** @brief Get the size of the secure boot signature block
+ *
+ * This is the size of the signature block appended to a signed image.
+ *
+ * @return Size of the secure boot signature block in bytes
+ */
+static inline uint32_t esp_secure_boot_sig_block_size(void)
+{
+#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME || CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+    return sizeof(ets_secure_boot_signature_t);
+#elif defined(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+    return sizeof(esp_secure_boot_sig_block_t);
+#else
+    return 0;
+#endif
+}
+
 /** @brief Verify the ECDSA secure boot signature block for Secure Boot V1.
  *
  *  Calculates Deterministic ECDSA w/ SHA256 based on the SHA256 hash of the image. ECDSA signature

components/bootloader_support/src/flash_encryption/flash_encrypt.c

@@ -428,6 +428,10 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
         if (partition->type == PART_TYPE_APP && should_encrypt) {
             // Encrypt only the app image instead of encrypting the whole partition
             size = image_data.image_len;
+#if CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
+            // If secure update without secure boot, also encrypt the signature block
+            size += esp_secure_boot_sig_block_size();
+#endif
         }
 #endif
     } else if (partition->type == PART_TYPE_PARTITION_TABLE) {