From 2c0081b2868317e5060226e8ec4c40e878f95145 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan
Date: Thu, 11 Nov 2021 10:29:50 +0530
Subject: [PATCH] secure_boot: Fix warning when UART ROM DL mode is disabled *Additionally use updated calls to enable rom secure download mode
---
 .../src/esp32/secure_boot_secure_features.c | 2 +-
 .../src/esp32c3/secure_boot_secure_features.c | 15 +++++++++++++--
 .../src/esp32h2/secure_boot.c | 18 +++++++++++++++---
 .../src/esp32s2/secure_boot_secure_features.c | 15 +++++++++++++--
 .../src/esp32s3/secure_boot_secure_features.c | 15 +++++++++++++--
 5 files changed, 55 insertions(+), 10 deletions(-)
diff --git a/components/bootloader_support/src/esp32/secure_boot_secure_features.c b/components/bootloader_support/src/esp32/secure_boot_secure_features.c
index b0f10436c9..977a691bf8 100644
--- a/components/bootloader_support/src/esp32/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32/secure_boot_secure_features.c
@@ -79,7 +79,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 return err;
 }
 #else
- ESP_LOGW(TAG, "Not disabling ROM Download mode - SECURITY COMPROMISED");
+ ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 #ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
diff --git a/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c
index 30098bed32..c1bde8aa39 100644
--- a/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c
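Review bot: The reworded warning in the `#else` arm is spelled three ways across this patch: `UART ROM Download mode kept enabled` in this esp32 hunk, `UART ROM download mode kept enabled` in the esp32c3, esp32s2 and esp32s3 hunks, and `UART download mode kept enabled` in esp32h2. This line is what a factory or fleet log check would match to spot a secure-boot device provisioned with the ROM downloader left open, so one exact string across targets is easier to detect reliably, e.g. `"UART ROM download mode kept enabled - SECURITY COMPROMISED"` everywhere. The enclosing function starts and ends outside the hunk.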
@@ -20,9 +20,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
 ESP_LOGI(TAG, "Enabling Security download mode...");
- esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+ esp_err_t err = esp_efuse_enable_rom_secure_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not enable Security download mode...");
+ return err;
+ }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+ ESP_LOGI(TAG, "Disable ROM Download mode...");
+ esp_err_t err = esp_efuse_disable_rom_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+ return err;
+ }
 #else
- ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+ ESP_LOGW(TAG, "UART ROM download mode kept enabled - SECURITY COMPROMISED");
 #endif
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
diff --git a/components/bootloader_support/src/esp32h2/secure_boot.c b/components/bootloader_support/src/esp32h2/secure_boot.c
index 359d7f28c1..85ea55452b 100644
--- a/components/bootloader_support/src/esp32h2/secure_boot.c
+++ b/components/bootloader_support/src/esp32h2/secure_boot.c
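Review bot: `#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE` tests the macro's value, while the arm above it uses `#ifdef`. When the option is off the symbol is presumably undefined, so the test silently evaluates to 0 and warns wherever `-Wundef` is enabled. Writing `#elif defined(CONFIG_SECURE_DISABLE_ROM_DL_MODE)` keeps both arms of this security-critical selection in the same form. The same line appears in the esp32h2, esp32s2 and esp32s3 hunks, and the function body continues outside this hunk.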
@@ -250,11 +250,23 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
+ esp_err_t err = ESP_FAIL;
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
 ESP_LOGI(TAG, "Enabling Security download mode...");
- esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+ err = esp_efuse_enable_rom_secure_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not enable Security download mode...");
+ return err;
+ }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+ ESP_LOGI(TAG, "Disable ROM Download mode...");
+ err = esp_efuse_disable_rom_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+ return err;
+ }
 #else
- ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+ ESP_LOGW(TAG, "UART download mode kept enabled - SECURITY COMPROMISED");
 #endif
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
@@ -272,7 +284,7 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
- esp_err_t err = esp_efuse_batch_write_commit();
+ err = esp_efuse_batch_write_commit();
 if (err != ESP_OK) {
 ESP_LOGE(TAG, "Error programming security eFuses (err=0x%x).", err);
 return err;
diff --git a/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c b/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c
index 418a932209..71dbc64c2e 100644
--- a/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c
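Review bot: The two new `return err;` paths in the first esp32h2 hunk leave `esp_secure_boot_v2_permanently_enable()` before the `esp_efuse_batch_write_commit()` shown in the second hunk. If the batch is opened earlier in this function (not visible here), a failure exits with the batch still open, and bits written just above, such as `ESP_EFUSE_DIS_LEGACY_SPI_BOOT`, are neither committed nor discarded. Calling `esp_efuse_batch_write_cancel();` before each `return err;` would make the failure state explicit, so a retry does not start from a half-staged set of security eFuses. The function starts and ends outside both hunks, so confirm where the batch begins before applying this.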
@@ -21,9 +21,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
 ESP_LOGI(TAG, "Enabling Security download mode...");
- esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+ esp_err_t err = esp_efuse_enable_rom_secure_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not enable Security download mode...");
+ return err;
+ }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+ ESP_LOGI(TAG, "Disable ROM Download mode...");
+ esp_err_t err = esp_efuse_disable_rom_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+ return err;
+ }
 #else
- ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+ ESP_LOGW(TAG, "UART ROM download mode kept enabled - SECURITY COMPROMISED");
 #endif
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
diff --git a/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c b/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c
index 4284626a73..2081e81e2f 100644
--- a/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c
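Review bot: The new `ESP_LOGE` lines drop the error code, so a log showing `Could not enable Security download mode...` does not say why the eFuse call was refused. The commit-failure message in the esp32h2 file already prints it, and the same form fits here: `ESP_LOGE(TAG, "Could not enable Security download mode (err=0x%x)", err);`, and likewise for the disable arm. The same applies to the esp32c3, esp32h2 and esp32s3 hunks. The function continues outside this hunk.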
@@ -20,9 +20,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
 ESP_LOGI(TAG, "Enabling Security download mode...");
- esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+ esp_err_t err = esp_efuse_enable_rom_secure_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not enable Security download mode...");
+ return err;
+ }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+ ESP_LOGI(TAG, "Disable ROM Download mode...");
+ esp_err_t err = esp_efuse_disable_rom_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+ return err;
+ }
 #else
- ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+ ESP_LOGW(TAG, "UART ROM download mode kept enabled - SECURITY COMPROMISED");
 #endif
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG