From 505e18237afa632c1b7ec16d44eda787694dbaa9 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Wed, 4 May 2022 19:04:56 +0800 Subject: [PATCH] bootloader: Support Flash Encryption for ESP32-C2 --- components/bootloader/Kconfig.projbuild | 19 ++- .../include/esp_flash_encrypt.h | 43 ++++++ .../src/bootloader_utility.c | 58 ++++++- .../flash_encryption_secure_features.c | 5 + .../bootloader_support/src/flash_encrypt.c | 50 +++--- .../src/flash_encryption/flash_encrypt.c | 142 +++++++++++++----- .../bootloader_support/src/secure_boot.c | 2 + .../src/secure_boot_v2/secure_boot.c | 2 + components/efuse/esp32c2/include/esp_efuse.h | 2 +- .../one_key_block/esp_efuse_api_key.c | 13 +- .../test/one_key_block/test_efuse_keys.c | 24 +-- .../esp32c2/include/soc/Kconfig.soc_caps.in | 10 +- components/soc/esp32c2/include/soc/soc_caps.h | 6 +- .../esp32s2/include/soc/Kconfig.soc_caps.in | 4 + components/soc/esp32s2/include/soc/soc_caps.h | 1 + .../esp32s3/include/soc/Kconfig.soc_caps.in | 4 + components/soc/esp32s3/include/soc/soc_caps.h | 1 + 17 files changed, 293 insertions(+), 93 deletions(-) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 96dd3f5b92..53a6c13bfe 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -476,6 +476,11 @@ menu "Security features" bool default y if SECURE_BOOT_V2_ENABLED && SECURE_BOOT_V2_RSA_SUPPORTED + config SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + bool + default y if SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK && SECURE_BOOT && SECURE_FLASH_ENC_ENABLED + # ESP32-C2 has one key block for SB and FE keys. These keys must be burned at the same time. + config SECURE_SIGNED_APPS_NO_SECURE_BOOT bool "Require signed app images" depends on !SECURE_BOOT @@ -769,21 +774,29 @@ menu "Security features" choice SECURE_FLASH_ENCRYPTION_KEYSIZE bool "Size of generated AES-XTS key" default SECURE_FLASH_ENCRYPTION_AES128 - depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 && SECURE_FLASH_ENC_ENABLED + depends on SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS && SECURE_FLASH_ENC_ENABLED help Size of generated AES-XTS key. - AES-128 uses a 256-bit key (32 bytes) which occupies one Efuse key block. - AES-256 uses a 512-bit key (64 bytes) which occupies two Efuse key blocks. + - AES-128 uses a 256-bit key (32 bytes) derived from 128 bits (16 bytes) burned in half Efuse key block. + Internally, it calculates SHA256(128 bits) + - AES-128 uses a 256-bit key (32 bytes) which occupies one Efuse key block. + - AES-256 uses a 512-bit key (64 bytes) which occupies two Efuse key blocks. This setting is ignored if either type of key is already burned to Efuse before the first boot. In this case, the pre-burned key is used and no new key is generated. + config SECURE_FLASH_ENCRYPTION_AES128_DERIVED + bool "AES-128 key derived from 128 bits (SHA256(128 bits))" + depends on SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED + config SECURE_FLASH_ENCRYPTION_AES128 bool "AES-128 (256-bit key)" + depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && !(IDF_TARGET_ESP32C2 && SECURE_BOOT) config SECURE_FLASH_ENCRYPTION_AES256 bool "AES-256 (512-bit key)" + depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 endchoice choice SECURE_FLASH_ENCRYPTION_MODE diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index 9a5ca9ea23..cc1b33fbd6 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -85,6 +85,49 @@ bool esp_flash_encryption_enabled(void); */ esp_err_t esp_flash_encrypt_check_and_update(void); +/** @brief Returns the Flash Encryption state and prints it + * + * @return True - Flash Encryption is enabled + * False - Flash Encryption is not enabled + */ +bool esp_flash_encrypt_state(void); + +/** @brief Checks if the first initialization was done + * + * If the first initialization was done then FLASH_CRYPT_CNT != 0 + * + * @return true - the first initialization was done + * false - the first initialization was NOT done + */ +bool esp_flash_encrypt_initialized_once(void); + +/** @brief The first initialization of Flash Encryption key and related eFuses + * + * @return ESP_OK if all operations succeeded + */ +esp_err_t esp_flash_encrypt_init(void); + +/** @brief Encrypts flash content + * + * @return ESP_OK if all operations succeeded + */ +esp_err_t esp_flash_encrypt_contents(void); + +/** @brief Activates Flash encryption on the chip + * + * It burns FLASH_CRYPT_CNT eFuse based on the CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE option. + * + * @return ESP_OK if all operations succeeded + */ +esp_err_t esp_flash_encrypt_enable(void); + +/** @brief Returns True if the write protection of FLASH_CRYPT_CNT is set + * + * @param print_error Print error if it is write protected + * + * @return true - if FLASH_CRYPT_CNT is write protected + */ +bool esp_flash_encrypt_is_write_protected(bool print_error); /** @brief Encrypt-in-place a block of flash sectors * diff --git a/components/bootloader_support/src/bootloader_utility.c b/components/bootloader_support/src/bootloader_utility.c index 86ce78898a..52a375bc81 100644 --- a/components/bootloader_support/src/bootloader_utility.c +++ b/components/bootloader_support/src/bootloader_utility.c @@ -577,6 +577,17 @@ static void load_image(const esp_image_metadata_t *image_data) esp_err_t err; #endif +#ifdef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + if (esp_secure_boot_enabled() ^ esp_flash_encrypt_initialized_once()) { + ESP_LOGE(TAG, "Secure Boot and Flash Encryption cannot be enabled separately, only together (their keys go into one eFuse key block)"); + return; + } + + if (!esp_secure_boot_enabled() || !esp_flash_encryption_enabled()) { + esp_efuse_batch_write_begin(); + } +#endif // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + #ifdef CONFIG_SECURE_BOOT_V2_ENABLED err = esp_secure_boot_v2_permanently_enable(image_data); if (err != ESP_OK) { @@ -604,13 +615,50 @@ static void load_image(const esp_image_metadata_t *image_data) * 5) Burn EFUSE to enable flash encryption */ ESP_LOGI(TAG, "Checking flash encryption..."); - bool flash_encryption_enabled = esp_flash_encryption_enabled(); - err = esp_flash_encrypt_check_and_update(); - if (err != ESP_OK) { - ESP_LOGE(TAG, "Flash encryption check failed (%d).", err); + bool flash_encryption_enabled = esp_flash_encrypt_state(); + if (!flash_encryption_enabled) { +#ifdef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED + ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED is set, refusing to boot."); return; +#endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED + + if (esp_flash_encrypt_is_write_protected(true)) { + return; + } + + err = esp_flash_encrypt_init(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Initialization of Flash Encryption key failed (%d)", err); + return; + } } -#endif + +#ifdef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + if (!esp_secure_boot_enabled() || !flash_encryption_enabled) { + err = esp_efuse_batch_write_commit(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Error programming eFuses (err=0x%x).", err); + return; + } + assert(esp_secure_boot_enabled()); + ESP_LOGI(TAG, "Secure boot permanently enabled"); + } +#endif // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + + if (!flash_encryption_enabled) { + err = esp_flash_encrypt_contents(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Encryption flash contents failed (%d)", err); + return; + } + + err = esp_flash_encrypt_enable(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Enabling of Flash encryption failed (%d)", err); + return; + } + } +#endif // CONFIG_SECURE_FLASH_ENC_ENABLED #ifdef CONFIG_SECURE_BOOT_V1_ENABLED /* Step 6 (see above for full description): diff --git a/components/bootloader_support/src/esp32c2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c2/flash_encryption_secure_features.c index 18b8bc73b9..aa4cd483ce 100644 --- a/components/bootloader_support/src/esp32c2/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c2/flash_encryption_secure_features.c @@ -23,7 +23,12 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) ESP_LOGW(TAG, "Not disabling UART bootloader encryption"); #endif +#ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE ESP_LOGI(TAG, "Disable UART bootloader cache..."); + esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); +#else + ESP_LOGW(TAG, "Not disabling UART bootloader cache - SECURITY COMPROMISED"); +#endif #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG ESP_LOGI(TAG, "Disable JTAG..."); diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 409823dc17..9405e5ac68 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -47,10 +47,10 @@ void esp_flash_encryption_init_checks() if (flash_crypt_cnt == (1<<(CRYPT_CNT[0]->bit_count))-1) { // If encryption counter is already max, no need to write protect it // (this distinction is important on ESP32 ECO3 where write-procted FLASH_CRYPT_CNT also write-protects UART_DL_DIS) - return; + } else { + ESP_LOGE(TAG, "Flash encryption & Secure Boot together requires FLASH_CRYPT_CNT efuse to be write protected. Fixing now..."); + esp_flash_write_protect_crypt_cnt(); } - ESP_LOGE(TAG, "Flash encryption & Secure Boot together requires FLASH_CRYPT_CNT efuse to be write protected. Fixing now..."); - esp_flash_write_protect_crypt_cnt(); } } #endif // CONFIG_SECURE_BOOT @@ -110,17 +110,6 @@ void esp_flash_write_protect_crypt_cnt(void) esp_flash_enc_mode_t esp_get_flash_encryption_mode(void) { bool flash_crypt_cnt_wr_dis = false; -#if CONFIG_IDF_TARGET_ESP32 - uint8_t dis_dl_enc = 0, dis_dl_dec = 0, dis_dl_cache = 0; -#elif CONFIG_IDF_TARGET_ESP32S2 || CONFIG_IDF_TARGET_ESP32S3 - uint8_t dis_dl_enc = 0; - uint8_t dis_dl_icache = 0; - uint8_t dis_dl_dcache = 0; -#elif CONFIG_IDF_TARGET_ESP32C3 || CONFIG_IDF_TARGET_ESP32H2 - uint8_t dis_dl_enc = 0; - uint8_t dis_dl_icache = 0; -#endif - esp_flash_enc_mode_t mode = ESP_FLASH_ENC_MODE_DEVELOPMENT; if (esp_flash_encryption_enabled()) { @@ -138,27 +127,32 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void) if (flash_crypt_cnt_wr_dis) { #if CONFIG_IDF_TARGET_ESP32 - dis_dl_cache = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE); - dis_dl_enc = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT); - dis_dl_dec = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT); + bool dis_dl_cache = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE); + bool dis_dl_enc = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT); + bool dis_dl_dec = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT); /* Check if DISABLE_DL_DECRYPT, DISABLE_DL_ENCRYPT & DISABLE_DL_CACHE are set */ if ( dis_dl_cache && dis_dl_enc && dis_dl_dec ) { mode = ESP_FLASH_ENC_MODE_RELEASE; } #elif CONFIG_IDF_TARGET_ESP32S2 || CONFIG_IDF_TARGET_ESP32S3 - dis_dl_enc = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); - dis_dl_icache = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); - dis_dl_dcache = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE); + bool dis_dl_enc = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); + bool dis_dl_icache = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); + bool dis_dl_dcache = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE); if (dis_dl_enc && dis_dl_icache && dis_dl_dcache) { mode = ESP_FLASH_ENC_MODE_RELEASE; } -#elif CONFIG_IDF_TARGET_ESP32C3 || CONFIG_IDF_TARGET_ESP32H2 - dis_dl_enc = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); - dis_dl_icache = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); - +#elif CONFIG_IDF_TARGET_ESP32C2 || CONFIG_IDF_TARGET_ESP32C3 || CONFIG_IDF_TARGET_ESP32H2 + bool dis_dl_enc = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); + bool dis_dl_icache = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); if (dis_dl_enc && dis_dl_icache) { mode = ESP_FLASH_ENC_MODE_RELEASE; +#ifdef CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED + // This chip supports two types of key: AES128_DERIVED and AES128. + // To be in RELEASE mode, it is important for the AES128_DERIVED key that XTS_KEY_LENGTH_256 be write-protected. + bool xts_key_len_256_wr_dis = esp_efuse_read_field_bit(WR_DIS_CRYPT_CNT); + mode = (xts_key_len_256_wr_dis) ? ESP_FLASH_ENC_MODE_RELEASE : ESP_FLASH_ENC_MODE_DEVELOPMENT; +#endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED } #endif } @@ -197,9 +191,15 @@ void esp_flash_encryption_set_release_mode(void) esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE); -#elif CONFIG_IDF_TARGET_ESP32C3 || CONFIG_IDF_TARGET_ESP32H2 +#elif CONFIG_IDF_TARGET_ESP32C2 || CONFIG_IDF_TARGET_ESP32C3 || CONFIG_IDF_TARGET_ESP32H2 esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); +#ifdef CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED + // For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0. + // It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit. + // Burning WR_DIS_CRYPT_CNT, blocks further changing of eFuses: DIS_DOWNLOAD_MANUAL_ENCRYPT, SPI_BOOT_CRYPT_CNT, [XTS_KEY_LENGTH_256], SECURE_BOOT_EN. + esp_efuse_write_field_bit(WR_DIS_CRYPT_CNT); +#endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED #else ESP_LOGE(TAG, "Flash Encryption support not added, abort.."); abort(); diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index fc340a2983..0256a6ebdd 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -15,9 +15,8 @@ #include "esp_efuse_table.h" #include "esp_log.h" #include "hal/wdt_hal.h" -#ifdef CONFIG_IDF_TARGET_ESP32C2 -// IDF-3899 -#warning "Not support flash encryption on esp32c2 yet." +#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK +#include "soc/sensitive_reg.h" #endif #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED @@ -30,6 +29,8 @@ #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT #endif +#define FLASH_ENC_CNT_MAX (CRYPT_CNT[0]->bit_count) + /* This file implements FLASH ENCRYPTION related APIs to perform * various operations such as programming necessary flash encryption * eFuses, detect whether flash encryption is enabled (by reading eFuse) @@ -39,38 +40,86 @@ static const char *TAG = "flash_encrypt"; /* Static functions for stages of flash encryption */ -static esp_err_t initialise_flash_encryption(void); -static esp_err_t encrypt_flash_contents(size_t flash_crypt_cnt, bool flash_crypt_wr_dis) __attribute__((unused)); static esp_err_t encrypt_bootloader(void); static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions); static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition); +static size_t get_flash_encrypt_cnt_value(void); -esp_err_t esp_flash_encrypt_check_and_update(void) +static size_t get_flash_encrypt_cnt_value(void) { size_t flash_crypt_cnt = 0; esp_efuse_read_field_cnt(CRYPT_CNT, &flash_crypt_cnt); - bool flash_crypt_wr_dis = esp_efuse_read_field_bit(WR_DIS_CRYPT_CNT); + return flash_crypt_cnt; +} + +bool esp_flash_encrypt_initialized_once(void) +{ + return get_flash_encrypt_cnt_value() != 0; +} + +bool esp_flash_encrypt_is_write_protected(bool print_error) +{ + if (esp_efuse_read_field_bit(WR_DIS_CRYPT_CNT)) { + if (print_error) { + ESP_LOGE(TAG, "Flash Encryption cannot be enabled (CRYPT_CNT (%d) is write protected)", get_flash_encrypt_cnt_value()); + } + return true; + } + return false; +} + +bool esp_flash_encrypt_state(void) +{ + size_t flash_crypt_cnt = get_flash_encrypt_cnt_value(); + bool flash_crypt_wr_dis = esp_flash_encrypt_is_write_protected(false); ESP_LOGV(TAG, "CRYPT_CNT %d, write protection %d", flash_crypt_cnt, flash_crypt_wr_dis); if (flash_crypt_cnt % 2 == 1) { /* Flash is already encrypted */ - int left = (CRYPT_CNT[0]->bit_count - flash_crypt_cnt) / 2; + int left = (FLASH_ENC_CNT_MAX - flash_crypt_cnt) / 2; if (flash_crypt_wr_dis) { left = 0; /* can't update FLASH_CRYPT_CNT, no more flashes */ } ESP_LOGI(TAG, "flash encryption is enabled (%d plaintext flashes left)", left); - return ESP_OK; - } else { + return true; + } + return false; +} + +esp_err_t esp_flash_encrypt_check_and_update(void) +{ + bool flash_encryption_enabled = esp_flash_encrypt_state(); + if (!flash_encryption_enabled) { #ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED - /* Flash is not encrypted, so encrypt it! */ - return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis); + if (esp_flash_encrypt_is_write_protected(true)) { + return ESP_FAIL; + } + + esp_err_t err = esp_flash_encrypt_init(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Initialization of Flash encryption key failed (%d)", err); + return err; + } + + err = esp_flash_encrypt_contents(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Encryption flash contents failed (%d)", err); + return err; + } + + err = esp_flash_encrypt_enable(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Enabling of Flash encryption failed (%d)", err); + return err; + } #else ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED " "is set, refusing to boot."); return ESP_ERR_INVALID_STATE; #endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED } + return ESP_OK; } static esp_err_t check_and_generate_encryption_keys(void) @@ -101,10 +150,10 @@ static esp_err_t check_and_generate_encryption_keys(void) return ESP_ERR_INVALID_STATE; } #else -#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_AES64 +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_AES128_DERIVED enum { BLOCKS_NEEDED = 1 }; esp_efuse_purpose_t purposes[BLOCKS_NEEDED] = { - ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, }; key_size = 16; #else @@ -112,7 +161,7 @@ static esp_err_t check_and_generate_encryption_keys(void) esp_efuse_purpose_t purposes[BLOCKS_NEEDED] = { ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, }; -#endif // CONFIG_SECURE_FLASH_ENCRYPTION_AES64 +#endif // CONFIG_SECURE_FLASH_ENCRYPTION_AES128_DERIVED #endif // CONFIG_SECURE_FLASH_ENCRYPTION_AES256 #endif // CONFIG_IDF_TARGET_ESP32 @@ -163,8 +212,14 @@ static esp_err_t check_and_generate_encryption_keys(void) return ESP_OK; } -static esp_err_t initialise_flash_encryption(void) +esp_err_t esp_flash_encrypt_init(void) { + if (esp_flash_encryption_enabled() || esp_flash_encrypt_initialized_once()) { + return ESP_OK; + } + + /* Very first flash encryption pass: generate keys, etc. */ + esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */ /* Before first flash encryption pass, need to initialise key & crypto config */ @@ -190,26 +245,15 @@ static esp_err_t initialise_flash_encryption(void) } /* Encrypt all flash data that should be encrypted */ -static esp_err_t encrypt_flash_contents(size_t flash_crypt_cnt, bool flash_crypt_wr_dis) +esp_err_t esp_flash_encrypt_contents(void) { esp_err_t err; esp_partition_info_t partition_table[ESP_PARTITION_TABLE_MAX_ENTRIES]; int num_partitions; - /* If all flash_crypt_cnt bits are burned or write-disabled, the - device can't re-encrypt itself. */ - if (flash_crypt_wr_dis || flash_crypt_cnt == CRYPT_CNT[0]->bit_count) { - ESP_LOGE(TAG, "Cannot re-encrypt data CRYPT_CNT %d write disabled %d", flash_crypt_cnt, flash_crypt_wr_dis); - return ESP_FAIL; - } - - if (flash_crypt_cnt == 0) { - /* Very first flash of encrypted data: generate keys, etc. */ - err = initialise_flash_encryption(); - if (err != ESP_OK) { - return err; - } - } +#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK + REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1); +#endif err = encrypt_bootloader(); if (err != ESP_OK) { @@ -234,16 +278,38 @@ static esp_err_t encrypt_flash_contents(size_t flash_crypt_cnt, bool flash_crypt ESP_LOGD(TAG, "All flash regions checked for encryption pass"); + return ESP_OK; +} + +esp_err_t esp_flash_encrypt_enable(void) +{ + esp_err_t err = ESP_OK; + if (!esp_flash_encryption_enabled()) { + + if (esp_flash_encrypt_is_write_protected(true)) { + return ESP_FAIL; + } + + size_t flash_crypt_cnt = get_flash_encrypt_cnt_value(); + #ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE - // Go straight to max, permanently enabled - ESP_LOGI(TAG, "Setting CRYPT_CNT for permanent encryption"); - size_t new_flash_crypt_cnt = CRYPT_CNT[0]->bit_count - flash_crypt_cnt; + // Go straight to max, permanently enabled + ESP_LOGI(TAG, "Setting CRYPT_CNT for permanent encryption"); + size_t new_flash_crypt_cnt = FLASH_ENC_CNT_MAX - flash_crypt_cnt; #else - /* Set least significant 0-bit in flash_crypt_cnt */ - size_t new_flash_crypt_cnt = 1; + /* Set least significant 0-bit in flash_crypt_cnt */ + size_t new_flash_crypt_cnt = 1; #endif - ESP_LOGD(TAG, "CRYPT_CNT %d -> %d", flash_crypt_cnt, new_flash_crypt_cnt); - err = esp_efuse_write_field_cnt(CRYPT_CNT, new_flash_crypt_cnt); + ESP_LOGD(TAG, "CRYPT_CNT %d -> %d", flash_crypt_cnt, new_flash_crypt_cnt); + err = esp_efuse_write_field_cnt(CRYPT_CNT, new_flash_crypt_cnt); + +#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED) + // For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0. + // It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit. + // Burning WR_DIS_CRYPT_CNT, blocks further changing of eFuses: DOWNLOAD_DIS_MANUAL_ENCRYPT, SPI_BOOT_CRYPT_CNT, [XTS_KEY_LENGTH_256], SECURE_BOOT_EN. + esp_efuse_write_field_bit(WR_DIS_CRYPT_CNT); +#endif + } ESP_LOGI(TAG, "Flash encryption completed"); diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c index ac3663f661..896a0cface 100644 --- a/components/bootloader_support/src/secure_boot.c +++ b/components/bootloader_support/src/secure_boot.c @@ -64,12 +64,14 @@ static esp_err_t secure_boot_v2_check(bool *need_fix) { esp_err_t err = ESP_OK; esp_efuse_block_t block = EFUSE_BLK_SECURE_BOOT; +#ifndef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER if (esp_efuse_get_key_dis_read(block)) { ESP_LOGE(TAG, "eFuse BLOCK%d should be readable", block); abort(); // This code is not achievable because the bootloader will not boot an app in this state. // But we keep it here just in case (any unexpected behavior). } +#endif if (esp_efuse_block_is_empty(block)) { ESP_LOGE(TAG, "eFuse BLOCK%d should not be empty", block); abort(); diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot.c b/components/bootloader_support/src/secure_boot_v2/secure_boot.c index 904da89fc7..d7cb0c687c 100644 --- a/components/bootloader_support/src/secure_boot_v2/secure_boot.c +++ b/components/bootloader_support/src/secure_boot_v2/secure_boot.c @@ -331,8 +331,10 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag assert(esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE)); #endif +#ifndef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER assert(esp_secure_boot_enabled()); ESP_LOGI(TAG, "Secure boot permanently enabled"); +#endif return ESP_OK; } diff --git a/components/efuse/esp32c2/include/esp_efuse.h b/components/efuse/esp32c2/include/esp_efuse.h index bdf42d7135..468e6c1f0b 100644 --- a/components/efuse/esp32c2/include/esp_efuse.h +++ b/components/efuse/esp32c2/include/esp_efuse.h @@ -44,7 +44,7 @@ typedef enum { typedef enum { ESP_EFUSE_KEY_PURPOSE_USER = 0, /**< whole BLOCK3 */ ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY = 1, /**< FE uses the whole BLOCK3 (key is 256-bits) */ - ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY = 2, /**< FE uses lower 128-bits of BLOCK3 (key is 128-bits) */ + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS = 2, /**< FE uses lower 128-bits of BLOCK3 (key is 128-bits) */ ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2 = 3, /**< SB uses higher 128-bits of BLOCK3 (key is 128-bits) */ ESP_EFUSE_KEY_PURPOSE_MAX, /**< MAX PURPOSE */ } esp_efuse_purpose_t; diff --git a/components/efuse/src/efuse_controller/keys/without_key_purposes/one_key_block/esp_efuse_api_key.c b/components/efuse/src/efuse_controller/keys/without_key_purposes/one_key_block/esp_efuse_api_key.c index 2910f23f71..9832695f14 100644 --- a/components/efuse/src/efuse_controller/keys/without_key_purposes/one_key_block/esp_efuse_api_key.c +++ b/components/efuse/src/efuse_controller/keys/without_key_purposes/one_key_block/esp_efuse_api_key.c @@ -153,7 +153,7 @@ esp_efuse_purpose_t esp_efuse_get_key_purpose(esp_efuse_block_t block) if (esp_efuse_read_field_bit(ESP_EFUSE_XTS_KEY_LENGTH_256)) { return ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY; } - return ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY; + return ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS; } @@ -189,7 +189,7 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo if (block < EFUSE_BLK_KEY0 || block >= EFUSE_BLK_KEY_MAX || key_size_bytes > 32 || purpose >= ESP_EFUSE_KEY_PURPOSE_MAX) { return ESP_ERR_INVALID_ARG; } - if ((purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY) && (key_size_bytes != 16)) { + if ((purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS) && (key_size_bytes != 16)) { return ESP_ERR_INVALID_ARG; } @@ -202,9 +202,10 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo ESP_EFUSE_CHK(esp_efuse_write_block(block, key, offset_in_bits, key_size_bytes * 8)); if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY) { ESP_EFUSE_CHK(esp_efuse_set_key_purpose(block, purpose)); - } - if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY) { - ESP_EFUSE_CHK(esp_efuse_set_key_dis_read(block)); + ESP_EFUSE_CHK(esp_efuse_write_field_bit(ESP_EFUSE_RD_DIS_KEY0_LOW)); + ESP_EFUSE_CHK(esp_efuse_write_field_bit(ESP_EFUSE_RD_DIS_KEY0_HI)); + } else if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS) { + ESP_EFUSE_CHK(esp_efuse_write_field_bit(ESP_EFUSE_RD_DIS_KEY0_LOW)); } ESP_EFUSE_CHK(esp_efuse_set_key_dis_write(block)); return esp_efuse_batch_write_commit(); @@ -227,7 +228,7 @@ esp_err_t esp_efuse_write_keys(const esp_efuse_purpose_t purposes[], uint8_t key for (unsigned i_key = 0; i_key < number_of_keys; i_key++) { purpose = purposes[i_key]; ESP_LOGI(TAG, "Writing EFUSE_BLK_KEY0 with purpose %d", purpose); - size_t key_size = (purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY) ? 16 : 32; + size_t key_size = (purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS) ? 16 : 32; ESP_EFUSE_CHK(esp_efuse_write_key(EFUSE_BLK_KEY0, purpose, keys[i_key], key_size)); } return esp_efuse_batch_write_commit(); diff --git a/components/efuse/test/one_key_block/test_efuse_keys.c b/components/efuse/test/one_key_block/test_efuse_keys.c index 8f28f74c16..43b29ed5b1 100644 --- a/components/efuse/test/one_key_block/test_efuse_keys.c +++ b/components/efuse/test/one_key_block/test_efuse_keys.c @@ -34,7 +34,7 @@ TEST_CASE("Test keys and purposes, rd, wr, wr_key_purposes are in the initial st TEST_ASSERT_EACH_EQUAL_HEX8(0, key, sizeof(key)); TEST_ASSERT_FALSE(esp_efuse_get_key_dis_read(num_key)); TEST_ASSERT_FALSE(esp_efuse_get_key_dis_write(num_key)); - TEST_ASSERT_EQUAL(ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, esp_efuse_get_key_purpose(num_key)); + TEST_ASSERT_EQUAL(ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, esp_efuse_get_key_purpose(num_key)); esp_efuse_block_t key_block = EFUSE_BLK_MAX; TEST_ASSERT_TRUE(esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_USER, NULL)); @@ -53,7 +53,7 @@ static esp_err_t s_check_key(esp_efuse_block_t num_key, void* wr_key, esp_efuse_ { size_t offset_in_bits = 0; uint8_t key_size = 32; - if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY || purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2) { + if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS || purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2) { key_size = 16; } @@ -69,7 +69,7 @@ static esp_err_t s_check_key(esp_efuse_block_t num_key, void* wr_key, esp_efuse_ #endif // not CONFIG_IDF_ENV_FPGA TEST_ASSERT_TRUE(esp_efuse_get_key_dis_write(num_key)); - if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY) { + if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS) { TEST_ASSERT_TRUE(esp_efuse_get_key_dis_read(num_key)); #if CONFIG_IDF_ENV_FPGA && !CONFIG_EFUSE_VIRTUAL TEST_ASSERT_EACH_EQUAL_HEX8(0, rd_key, key_size); @@ -91,7 +91,7 @@ void test_write_key(esp_efuse_block_t num_key, esp_efuse_purpose_t purpose) { } uint8_t key_size = sizeof(wr_key); - if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY || purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2) { + if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS || purpose == ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2) { key_size = 16; } @@ -117,7 +117,7 @@ TEST_CASE("Test esp_efuse_write_key for virt mode", "[efuse]") TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK_KEY0, ESP_EFUSE_KEY_PURPOSE_USER, &rd_key, 33)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK3, ESP_EFUSE_KEY_PURPOSE_USER, NULL, sizeof(rd_key))); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK0, ESP_EFUSE_KEY_PURPOSE_USER, &rd_key, sizeof(rd_key))); - TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK0, ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, &rd_key, sizeof(rd_key))); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK0, ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, &rd_key, sizeof(rd_key))); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK0, ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2, &rd_key, sizeof(rd_key))); for (esp_efuse_purpose_t purpose = ESP_EFUSE_KEY_PURPOSE_USER; purpose < ESP_EFUSE_KEY_PURPOSE_MAX; ++purpose) { @@ -145,9 +145,9 @@ TEST_CASE("Test 1 esp_efuse_write_key for FPGA", "[efuse]") esp_efuse_utility_debug_dump_blocks(); TEST_ASSERT_TRUE(esp_efuse_key_block_unused(EFUSE_BLK_KEY0)); TEST_ASSERT_TRUE(esp_efuse_block_is_empty(EFUSE_BLK_KEY0)); - TEST_ASSERT_TRUE(esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, NULL)); + TEST_ASSERT_TRUE(esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, NULL)); - test_write_key(EFUSE_BLK_KEY0, ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY); + test_write_key(EFUSE_BLK_KEY0, ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS); esp_efuse_utility_debug_dump_blocks(); @@ -168,7 +168,7 @@ TEST_CASE("Test 2 esp_efuse_write_key for FPGA", "[efuse]") esp_efuse_utility_debug_dump_blocks(); TEST_ASSERT_TRUE(esp_efuse_key_block_unused(EFUSE_BLK_KEY0)); TEST_ASSERT_TRUE(esp_efuse_block_is_empty(EFUSE_BLK_KEY0)); - TEST_ASSERT_TRUE(esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, NULL)); + TEST_ASSERT_TRUE(esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, NULL)); test_write_key(EFUSE_BLK_KEY0, ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2); @@ -212,12 +212,12 @@ TEST_CASE("Test esp_efuse_write_keys", "[efuse]") esp_efuse_utility_debug_dump_blocks(); TEST_ASSERT_TRUE(esp_efuse_key_block_unused(EFUSE_BLK_KEY0)); TEST_ASSERT_TRUE(esp_efuse_block_is_empty(EFUSE_BLK_KEY0)); - TEST_ASSERT_TRUE(esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, NULL)); + TEST_ASSERT_TRUE(esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, NULL)); esp_efuse_block_t key_block = EFUSE_BLK_MAX; enum { BLOCKS_NEEDED1 = 2 }; esp_efuse_purpose_t purpose1[BLOCKS_NEEDED1] = { - ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2, }; uint8_t keys1[BLOCKS_NEEDED1][32] = {{0xEE}}; @@ -233,7 +233,7 @@ TEST_CASE("Test esp_efuse_write_keys", "[efuse]") TEST_ASSERT_TRUE(esp_efuse_find_purpose(purpose1[0], &key_block)); TEST_ASSERT_EQUAL(EFUSE_BLK_KEY0, key_block); - TEST_ESP_OK(s_check_key(EFUSE_BLK_KEY0, keys1[0], ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY)); + TEST_ESP_OK(s_check_key(EFUSE_BLK_KEY0, keys1[0], ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS)); TEST_ESP_OK(s_check_key(EFUSE_BLK_KEY0, keys1[1], ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2)); esp_efuse_utility_debug_dump_blocks(); @@ -260,7 +260,7 @@ TEST_CASE("Test esp_efuse_write_keys for returned errors", "[efuse]") enum { BLOCKS_NEEDED = 2 }; esp_efuse_purpose_t purpose[BLOCKS_NEEDED] = { - ESP_EFUSE_KEY_PURPOSE_XTS_AES_64_KEY, + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, ESP_EFUSE_KEY_PURPOSE_MAX, // it leads ESP_ERR_INVALID_ARG in esp_efuse_write_keys }; uint8_t keys[BLOCKS_NEEDED][32]; diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in index ef61f89c88..b64541ba5a 100644 --- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in @@ -467,9 +467,17 @@ config SOC_FLASH_ENCRYPTION_XTS_AES bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_128 bool - default n + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED + bool + default y config SOC_UART_NUM int diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h index f9daef65d5..ab6a666564 100644 --- a/components/soc/esp32c2/include/soc/soc_caps.h +++ b/components/soc/esp32c2/include/soc/soc_caps.h @@ -236,8 +236,10 @@ /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (32) -#define SOC_FLASH_ENCRYPTION_XTS_AES 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 0 // This will be enabled with IDF-3899 +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED 1 /*-------------------------- UART CAPS ---------------------------------------*/ // ESP32-C2 has 2 UARTs diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index 9605f3b7cf..3d026002bb 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -759,6 +759,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_128 bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index 97bfceae25..94d0fed3c2 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -349,6 +349,7 @@ /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index 5fb66724f0..443c3da2f5 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -899,6 +899,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_128 bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index f79c8e0172..bf0a452094 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -383,6 +383,7 @@ /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_256 1