alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

security: Adds new APIs to check that all eFuse security features are enabled correctly

Browse Source
This commit is contained in:
KonstantinKondrashov 2022-08-12 17:05:39 +08:00
parent c41bb46d92
commit 5d37e26d35
16 changed files with 580 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
components/bootloader_support/include/esp_flash_encrypt.h
View File

@ -8,6 +8,7 @@
#include <stdbool.h>
#include "esp_attr.h"
#include "esp_err.h"
#include "soc/soc_caps.h"
#ifndef BOOTLOADER_BUILD
#include "spi_flash_mmap.h"
#endif
@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void);
*/
esp_err_t esp_flash_encryption_enable_secure_features(void);
/** @brief Returns the verification status for all physical security features of flash encryption in release mode
*
* If the device has flash encryption feature configured in the release mode,
* then it is highly recommended to call this API in the application startup code.
* This API verifies the sanity of the eFuse configuration against
* the release (production) mode of the flash encryption feature.
*
* @return
* - True - all eFuses are configured correctly
* - False - not all eFuses are configured correctly.
*/
bool esp_flash_encryption_cfg_verify_release_mode(void);
/** @brief Switches Flash Encryption from "Development" to "Release"
*
* If already in "Release" mode, the function will do nothing.

13
components/bootloader_support/include/esp_secure_boot.h
View File

@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi
*/
esp_err_t esp_secure_boot_enable_secure_features(void);
/** @brief Returns the verification status for all physical security features of secure boot in release mode
*
* If the device has secure boot feature configured in the release mode,
* then it is highly recommended to call this API in the application startup code.
* This API verifies the sanity of the eFuse configuration against
* the release (production) mode of the secure boot feature.
*
* @return
* - True - all eFuses are configured correctly
* - False - not all eFuses are configured correctly.
*/
bool esp_secure_boot_cfg_verify_release_mode(void);
#ifdef __cplusplus
}
#endif

203
components/bootloader_support/src/flash_encrypt.c
View File

@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void)
}
ESP_LOGI(TAG, "Flash encryption mode is RELEASE");
}
#ifdef CONFIG_IDF_TARGET_ESP32
bool esp_flash_encryption_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
secure = esp_flash_encryption_enabled();
result = secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)");
}
uint8_t crypt_config = 0;
esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4);
if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) {
result &= false;
ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)");
}
uint8_t flash_crypt_cnt = 0;
esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count);
if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) {
if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) {
result &= false;
ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)");
}
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)");
}
return result;
}
#else // not CONFIG_IDF_TARGET_ESP32
bool esp_flash_encryption_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
secure = esp_flash_encryption_enabled();
result = secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)");
}
uint8_t flash_crypt_cnt = 0;
esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count);
if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) {
if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) {
result &= false;
ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)");
}
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)");
}
#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)");
}
#endif
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
}
#if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_USB_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_DIRECT_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
}
#endif
#if SOC_EFUSE_HARD_DIS_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_BOOT_REMAP
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
}
#endif
#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
}
#endif
esp_efuse_purpose_t purposes[] = {
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
#endif
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY,
#endif
};
// S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2.
// The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2
// are mutually exclusive because this will make the chip not functional.
// Only one type key must be configured in eFuses.
secure = false;
for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) {
esp_efuse_block_t block;
if (esp_efuse_find_purpose(purposes[i], &block)) {
secure = esp_efuse_get_key_dis_read(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
}
secure = esp_efuse_get_key_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
}
#if SOC_EFUSE_KEY_PURPOSE_FIELD
secure = esp_efuse_get_keypurpose_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
}
#endif
}
}
result &= secure;
return result;
}
#endif // not CONFIG_IDF_TARGET_ESP32

217
components/bootloader_support/src/secure_boot.c
View File

@ -10,6 +10,7 @@
#include "esp_efuse.h"
#include "esp_efuse_table.h"
#include "esp_secure_boot.h"
#include "hal/efuse_hal.h"
#ifndef BOOTLOADER_BUILD
static __attribute__((unused)) const char *TAG = "secure_boot";
@ -188,4 +189,220 @@ void esp_secure_boot_init_checks(void)
#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
}
#ifdef CONFIG_IDF_TARGET_ESP32
bool esp_secure_boot_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0);
bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300;
bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false;
result = secure_boot_v1 || secure_boot_v2;
if (secure_boot_v1 && secure_boot_v2) {
ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)");
ESP_LOGI(TAG, "Secure boot V2 shall take the precedence");
} else if (!secure_boot_v1 && !secure_boot_v2) {
result = false;
ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)");
if (chip_supports_sbv2) {
ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)");
}
}
if (secure_boot_v1 && !secure_boot_v2) {
secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)");
}
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
}
if (secure_boot_v2) {
secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)");
}
}
return result;
}
#else // not CONFIG_IDF_TARGET_ESP32
bool esp_secure_boot_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
secure = esp_secure_boot_enabled();
result = secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
if (!secure && !en_secure_download) {
result &= false;
ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:");
ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)");
ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)");
}
#if SOC_EFUSE_DIS_BOOT_REMAP
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
}
#endif
#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
}
#endif
#if SOC_EFUSE_DIS_DIRECT_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
}
#endif
#if SOC_EFUSE_HARD_DIS_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
}
#endif
#if SOC_EFUSE_SOFT_DIS_JTAG
size_t soft_dis_jtag_cnt_val = 0;
esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) {
result &= secure;
ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)");
}
#endif
#if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_USB_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
}
#endif
#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)");
}
#endif
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)");
}
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2;
#else
unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2
#endif
secure = false;
unsigned num_keys = 0;
for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) {
esp_efuse_block_t block;
if (esp_efuse_find_purpose(purpose + i, &block)) {
// if chip has a few secure boot slots then we check all
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
bool revoke = esp_efuse_get_digest_revoke(i);
if (revoke) {
continue;
}
#endif
++num_keys;
secure = !esp_efuse_get_key_dis_read(block);
result &= secure;
if (!secure) {
ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block);
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
#endif
}
secure = !esp_efuse_block_is_empty(block);
result &= secure;
if (!secure) {
ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block);
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
#endif
}
secure = esp_efuse_get_key_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
}
#if SOC_EFUSE_KEY_PURPOSE_FIELD
secure = esp_efuse_get_keypurpose_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
}
#endif
}
}
result &= secure;
secure = (num_keys != 0);
result &= secure;
if (!secure) {
ESP_LOGE(TAG, "No secure boot key found");
}
return result;
}
#endif // not CONFIG_IDF_TARGET_ESP32
#endif // not BOOTLOADER_BUILD

8
components/soc/esp32c2/include/soc/Kconfig.soc_caps.in
View File

@ -459,6 +459,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS
int
default 1
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_SECURE_BOOT_V2_ECC
bool
default y

4
components/soc/esp32c2/include/soc/soc_caps.h
View File

@ -228,6 +228,10 @@
#define SOC_TIMER_GROUP_SUPPORT_PLL_F40M (1)
#define SOC_TIMER_GROUP_TOTAL_TIMERS (1U)
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_ECC 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS (1U)

16
components/soc/esp32c3/include/soc/Kconfig.soc_caps.in
View File

@ -683,6 +683,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
bool
default y
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

6
components/soc/esp32c3/include/soc/soc_caps.h
View File

@ -318,6 +318,12 @@
#define SOC_TWAI_BRP_MAX 16384
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

16
components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
View File

@ -655,6 +655,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
bool
default y
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

8
components/soc/esp32h2/include/soc/soc_caps.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -322,6 +322,12 @@
#define SOC_TWAI_BRP_MAX 16384
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

20
components/soc/esp32s2/include/soc/Kconfig.soc_caps.in
View File

@ -787,6 +787,26 @@ config SOC_AES_SUPPORT_GCM
bool
default y
config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
bool
default y
config SOC_EFUSE_HARD_DIS_JTAG
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_EFUSE_DIS_BOOT_REMAP
bool
default y
config SOC_EFUSE_DIS_LEGACY_SPI_BOOT
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

7
components/soc/esp32s2/include/soc/soc_caps.h
View File

@ -359,6 +359,13 @@
#define SOC_AES_SUPPORT_DMA (1)
#define SOC_AES_SUPPORT_GCM (1)
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
#define SOC_EFUSE_HARD_DIS_JTAG 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
#define SOC_EFUSE_DIS_BOOT_REMAP 1
#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

20
components/soc/esp32s3/include/soc/Kconfig.soc_caps.in
View File

@ -923,6 +923,26 @@ config SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY
bool
default y
config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
bool
default y
config SOC_EFUSE_HARD_DIS_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

7
components/soc/esp32s3/include/soc/soc_caps.h
View File

@ -395,6 +395,13 @@
#define SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY (1)
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
#define SOC_EFUSE_HARD_DIS_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

7
examples/system/efuse/example_test.py
View File

@ -251,6 +251,7 @@ def test_examples_efuse_with_virt_flash_enc_release(env, _): # type: (ttfw_idf.
dut.expect('Flash encryption mode is RELEASE')
dut.expect('Start eFuse example')
dut.expect('Flash Encryption is in RELEASE mode')
dut.expect('example: Done')
@ -668,6 +669,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(env, _): # type: (ttfw_idf.TinyF
dut.expect('Loading virtual efuse blocks from flash')
dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
dut.expect('Start eFuse example')
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
dut.expect('example: Secure Boot is in RELEASE mode')
dut.expect('example: Done')
@ -747,6 +750,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(env, _): # type: (ttfw_idf.TinyF
dut.expect('Loading virtual efuse blocks from flash')
dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
dut.expect('Start eFuse example')
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
dut.expect('example: Secure Boot is in RELEASE mode')
dut.expect('example: Done')
@ -837,6 +842,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(env, _): # type: (ttfw_i
dut.expect('Loading virtual efuse blocks from flash')
dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
dut.expect('Start eFuse example')
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
dut.expect('example: Secure Boot is in RELEASE mode')
dut.expect('example: Done')

17
examples/system/efuse/main/efuse_main.c
View File

@ -15,10 +15,8 @@
#include "esp_efuse.h"
#include "esp_efuse_table.h"
#include "esp_efuse_custom_table.h"
#if CONFIG_IDF_TARGET_ESP32C2
#include "esp_secure_boot.h"
#include "esp_flash_encrypt.h"
#endif
#include "sdkconfig.h"
static const char* TAG = "example";
@ -135,6 +133,21 @@ void app_main(void)
{
ESP_LOGI(TAG, "Start eFuse example");
#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
if (esp_flash_encryption_cfg_verify_release_mode()) {
ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode");
} else {
ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode");
}
#endif
#ifdef CONFIG_SECURE_BOOT
if (esp_secure_boot_cfg_verify_release_mode()) {
ESP_LOGI(TAG, "Secure Boot is in RELEASE mode");
} else {
ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode");
}
#endif
esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme();
(void) coding_scheme;