From 188017d6b1741c296523aafd727dbe8a2807a469 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Wed, 14 Dec 2022 09:12:18 +0530 Subject: [PATCH 1/2] docs: Fix Secure DL mode documentation about flash read being unsupported Simple flash read command is not supported if Secure DL mode is enabled on the target. Remove reference of this from the relevant docs part. Related: https://github.com/espressif/esptool/issues/810 Related: ESPTOOL-567 Closes IDF-6468 --- components/bootloader/Kconfig.projbuild | 6 +++--- docs/en/security/flash-encryption.rst | 2 +- docs/en/security/security.rst | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 48336204d0..4579fd41c9 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -997,9 +997,9 @@ menu "Security features" Download Mode into a separate Secure Download mode. This option can only work if Download Mode is not already disabled by eFuse. - Secure Download mode limits the use of Download Mode functions to simple flash read, - write and erase operations, plus a command to return a summary of currently enabled - security features. + Secure Download mode limits the use of Download Mode functions to update SPI config, + changing baud rate, basic flash write and a command to return a summary of currently + enabled security features (`get_security_info`). Secure Download mode is not compatible with the esptool.py flasher stub feature, espefuse.py, read/writing memory or registers, encrypted download, or any other diff --git a/docs/en/security/flash-encryption.rst b/docs/en/security/flash-encryption.rst index bc6d31b1dc..0068f534b6 100644 --- a/docs/en/security/flash-encryption.rst +++ b/docs/en/security/flash-encryption.rst 
@@ -544,7 +544,7 @@ When using Flash Encryption in production: - Do not reuse the same flash encryption key between multiple devices. This means that an attacker who copies encrypted data from one device cannot transfer it to a second device. :esp32: - When using ESP32 V3, if the UART ROM Download Mode is not needed for a production device then it should be disabled to provide an extra level of protection. Do this by calling :cpp:func:`esp_efuse_disable_rom_download_mode` during application startup. Alternatively, configure the project :ref:`CONFIG_ESP32_REV_MIN` level to 3 (targeting ESP32 V3 only) and select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)". The ability to disable ROM Download Mode is not available on earlier ESP32 versions. - :not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to basic flash read and write only. The default behaviour is to set Secure Download Mode on first boot in Release mode. To disable Download Mode entirely select select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime. + :not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to update SPI config, changing baud rate, basic flash write and a command to return a summary of currently enabled security features (`get_security_info`). The default behaviour is to set Secure Download Mode on first boot in Release mode. 
To disable Download Mode entirely select select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime. - Enable :doc:`Secure Boot ` as an extra layer of protection, and to prevent an attacker from selectively corrupting any part of the flash before boot. Possible Failures diff --git a/docs/en/security/security.rst b/docs/en/security/security.rst index 1b01126606..e86e4f7377 100644 --- a/docs/en/security/security.rst +++ b/docs/en/security/security.rst @@ -108,13 +108,13 @@ UART DL Mode .. important:: If UART Download mode is disabled then ``esptool`` can not work on the device. -.. only:: not esp32 +.. only:: SOC_SUPPORTS_SECURE_DL_MODE In {IDF_TARGET_NAME}, Secure UART Download mode gets activated if any of the security features are enabled. * Secure UART Download mode can also be enabled by calling :cpp:func:`esp_efuse_enable_rom_secure_download_mode`. * This mode does not allow any arbitrary code to execute if downloaded through the UART download mode. - * It also limits the available commands in Download mode to basic flash read and write, plus a command to return a summary of currently enabled security features. + * It also limits the available commands in Download mode to update SPI config, changing baud rate, basic flash write and a command to return a summary of currently enabled security features (`get_security_info`). * To disable Download Mode entirely select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime. .. important:: From 46588e71267d2487c0cfe196b9166d0c5d86dd6f Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Wed, 14 Dec 2022 10:02:35 +0530 Subject: [PATCH 2/2] docs: security: enable memory protection section for ESP32-C2/ESP32-C6 --- docs/en/security/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/en/security/security.rst b/docs/en/security/security.rst index e86e4f7377..2ac5019d30 100644 --- a/docs/en/security/security.rst +++ b/docs/en/security/security.rst @@ -75,7 +75,7 @@ Flash Encryption Best Practices Please refer to the :doc:`DS Peripheral Guide <../api-reference/peripherals/ds>` for detailed documentation. -.. only:: SOC_MEMPROT_SUPPORTED +.. only:: SOC_MEMPROT_SUPPORTED or SOC_CPU_IDRAM_SPLIT_USING_PMP Memory Protection ~~~~~~~~~~~~~~~~~
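Review bot: In components/bootloader/Kconfig.projbuild (hunk at line 997), the rewritten help text drops "erase" as well as "read" from the list of permitted operations, but the commit message only says that flash read is unsupported in Secure Download mode. If erase is also unavailable, state that in the commit message; if it is still available, keep it in the list. The new list also mixes verb forms ("update SPI config, changing baud rate"); "updating the SPI config, changing the baud rate, basic flash write, and a command to return a summary ..." would read more cleanly and could be reused in both .rst files.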
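Review bot: In docs/en/security/flash-encryption.rst (hunk at line 544), the added ":not esp32:" line wraps get_security_info in single backticks, which reST treats as interpreted text in the default role rather than as an inline literal. Use double backticks, as the ``esptool`` reference in security.rst does. Since this line is being rewritten anyway, the duplicated "select select" carried over from the removed line can be fixed in the same change.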
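Review bot: In docs/en/security/security.rst (UART DL Mode hunk at line 108), the directive changes from ".. only:: not esp32" to ".. only:: SOC_SUPPORTS_SECURE_DL_MODE", which changes the set of targets that render this block, yet the commit message describes only the flash read wording. Mention the condition change in the commit message or move it to its own commit, and check whether the flash-encryption.rst bullet, which still uses ":not esp32:" for the same Secure Download Mode text, should follow the same condition. The get_security_info reference in the changed bullet also needs double backticks to render as a literal.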
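Review bot: In PATCH 2/2 (docs/en/security/security.rst, hunk at line 75), the ".. only::" condition for the Memory Protection section is widened to "SOC_MEMPROT_SUPPORTED or SOC_CPU_IDRAM_SPLIT_USING_PMP" while the section body is untouched (1 insertion, 1 deletion), so the existing text will render unchanged for the newly included targets. Please confirm that every statement and config reference in that section holds for ESP32-C2/ESP32-C6, or gate any target-specific sentences with a nested "only" block. The commit message has a subject line only; a sentence on why the PMP capability flag is the right condition would help later readers.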