diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h
index 35129c8b97..d6b0a54c5a 100644
--- a/components/bootloader_support/include/esp_flash_encrypt.h
+++ b/components/bootloader_support/include/esp_flash_encrypt.h
@@ -8,6 +8,7 @@
 #include
 #include "esp_attr.h"
 #include "esp_err.h"
+#include "soc/soc_caps.h"
 #ifndef BOOTLOADER_BUILD
 #include "spi_flash_mmap.h"
 #endif
@@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void);
 */
 esp_err_t esp_flash_encryption_enable_secure_features(void);
+/** @brief Returns the verification status for all physical security features of flash encryption in release mode
+ *
+ * If the device has flash encryption feature configured in the release mode,
+ * then it is highly recommended to call this API in the application startup code.
+ * This API verifies the sanity of the eFuse configuration against
+ * the release (production) mode of the flash encryption feature.
+ *
+ * @return
+ * - True - all eFuses are configured correctly
+ * - False - not all eFuses are configured correctly.
+ */
+bool esp_flash_encryption_cfg_verify_release_mode(void);
+
 /** @brief Switches Flash Encryption from "Development" to "Release"
 *
 * If already in "Release" mode, the function will do nothing.
diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index 95ccf39000..fa5c13e25f 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
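Review bot: The `@return` text for `esp_flash_encryption_cfg_verify_release_mode()` (second hunk of esp_flash_encrypt.h) describes `False` only as "not all eFuses are configured correctly", but the implementation added in flash_encrypt.c also returns false when flash encryption is not enabled at all, and the only indication of which eFuse failed is an `ESP_LOGW` line. I would word it as ` *      - False - flash encryption is not enabled or at least one release-mode eFuse is not set; each finding is logged as a warning`. It is also worth stating that the call only reads eFuses, which is what the implementation shown in this commit does. Lower-case `true`/`false` would match the `bool` return type.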
@@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi
 */
 esp_err_t esp_secure_boot_enable_secure_features(void);
+/** @brief Returns the verification status for all physical security features of secure boot in release mode
+ *
+ * If the device has secure boot feature configured in the release mode,
+ * then it is highly recommended to call this API in the application startup code.
+ * This API verifies the sanity of the eFuse configuration against
+ * the release (production) mode of the secure boot feature.
+ *
+ * @return
+ * - True - all eFuses are configured correctly
+ * - False - not all eFuses are configured correctly.
+ */
+bool esp_secure_boot_cfg_verify_release_mode(void);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 6624043780..7e40983ad5 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
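Review bot: The doc comment for `esp_secure_boot_cfg_verify_release_mode()` does not say that the function exists only in application builds, although its definition in secure_boot.c in this commit is followed by `#endif // not BOOTLOADER_BUILD`, while the declaration here is added just before the `#ifdef __cplusplus` closer with no guard visible in the hunk. If the header has no enclosing guard outside the hunk, bootloader code that calls it will compile and then fail at link time. I would add ` * @note Available in application builds only (not in the bootloader); the function only reads eFuses and logs every mismatch.` to the comment. The `@return` list could also mention that false is returned when secure boot is not enabled at all, which is what the implementation does.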
@@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void)
 }
 ESP_LOGI(TAG, "Flash encryption mode is RELEASE");
 }
+
+#ifdef CONFIG_IDF_TARGET_ESP32
+bool esp_flash_encryption_cfg_verify_release_mode(void)
+{
+ bool result = false;
+ bool secure;
+
+ secure = esp_flash_encryption_enabled();
+ result = secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)");
+ }
+
+ uint8_t crypt_config = 0;
+ esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4);
+ if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) {
+ result &= false;
+ ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)");
+ }
+
+ uint8_t flash_crypt_cnt = 0;
+ esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count);
+ if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) {
+ if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) {
+ result &= false;
+ ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)");
+ }
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)");
+ }
+ return result;
+}
+#else // not CONFIG_IDF_TARGET_ESP32
+bool esp_flash_encryption_cfg_verify_release_mode(void)
+{
+ bool result = false;
+ bool secure;
+
+ secure = esp_flash_encryption_enabled();
+ result = secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)");
+ }
+
+ uint8_t flash_crypt_cnt = 0;
+ esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count);
+ if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) {
+ if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) {
+ result &= false;
+ ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)");
+ }
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)");
+ }
+
+#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)");
+ }
+#endif
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
+ }
+
+#if SOC_EFUSE_DIS_PAD_JTAG
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_USB_JTAG
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_DIRECT_BOOT
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
+ }
+#endif
+
+#if SOC_EFUSE_HARD_DIS_JTAG
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_BOOT_REMAP
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
+ }
+#endif
+
+ esp_efuse_purpose_t purposes[] = {
+#if SOC_FLASH_ENCRYPTION_XTS_AES_256
+ ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
+ ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
+#endif
+#if SOC_FLASH_ENCRYPTION_XTS_AES_128
+ ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY,
+#endif
+ };
+ // S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2.
+ // The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2
+ // are mutually exclusive because this will make the chip not functional.
+ // Only one type key must be configured in eFuses.
+ secure = false;
+ for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) {
+ esp_efuse_block_t block;
+ if (esp_efuse_find_purpose(purposes[i], &block)) {
+ secure = esp_efuse_get_key_dis_read(block);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
+ }
+ secure = esp_efuse_get_key_dis_write(block);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
+ }
+
+#if SOC_EFUSE_KEY_PURPOSE_FIELD
+ secure = esp_efuse_get_keypurpose_dis_write(block);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
+ }
+#endif
+ }
+ }
+ result &= secure;
+
+ return result;
+}
+#endif // not CONFIG_IDF_TARGET_ESP32
diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
index 524e15f962..0b5bab46fc 100644
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -10,6 +10,7 @@
 #include "esp_efuse.h"
 #include "esp_efuse_table.h"
 #include "esp_secure_boot.h"
+#include "hal/efuse_hal.h"
 #ifndef BOOTLOADER_BUILD
 static __attribute__((unused)) const char *TAG = "secure_boot";
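Review bot: In the non-ESP32 variant of `esp_flash_encryption_cfg_verify_release_mode()` in flash_encrypt.c, when `esp_efuse_find_purpose()` matches none of the `purposes[]` entries the loop body never runs, `secure` keeps its initial `false`, and the trailing `result &= secure;` makes the function return false without logging anything. Every other failure in the function prints which eFuse to set, so a missing XTS-AES key block is the one case a caller cannot diagnose from the log. Counting the matched blocks and reporting the empty case explicitly, as `esp_secure_boot_cfg_verify_release_mode()` does with `num_keys` in this same commit, would fix that, e.g. `if (num_keys == 0) { result = false; ESP_LOGW(TAG, "No flash encryption key found"); }`; the post-loop `result &= secure;` can then go, since each per-key check is already folded into `result`. The return values of the `esp_efuse_read_field_blob()` calls are also ignored in both variants.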
@@ -188,4 +189,220 @@ void esp_secure_boot_init_checks(void)
 #endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 }
+
+#ifdef CONFIG_IDF_TARGET_ESP32
+bool esp_secure_boot_cfg_verify_release_mode(void)
+{
+ bool result = false;
+ bool secure;
+
+ bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0);
+ bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300;
+ bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false;
+ result = secure_boot_v1 || secure_boot_v2;
+ if (secure_boot_v1 && secure_boot_v2) {
+ ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)");
+ ESP_LOGI(TAG, "Secure boot V2 shall take the precedence");
+ } else if (!secure_boot_v1 && !secure_boot_v2) {
+ result = false;
+ ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)");
+ if (chip_supports_sbv2) {
+ ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)");
+ }
+ }
+
+ if (secure_boot_v1 && !secure_boot_v2) {
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)");
+ }
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
+ }
+
+ if (secure_boot_v2) {
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)");
+ }
+ }
+
+ return result;
+}
+#else // not CONFIG_IDF_TARGET_ESP32
+bool esp_secure_boot_cfg_verify_release_mode(void)
+{
+ bool result = false;
+ bool secure;
+
+ secure = esp_secure_boot_enabled();
+ result = secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)");
+ }
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
+ bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+ if (!secure && !en_secure_download) {
+ result &= false;
+ ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:");
+ ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)");
+ ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)");
+ }
+
+#if SOC_EFUSE_DIS_BOOT_REMAP
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_DIRECT_BOOT
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
+ }
+#endif
+
+#if SOC_EFUSE_HARD_DIS_JTAG
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
+ }
+#endif
+
+#if SOC_EFUSE_SOFT_DIS_JTAG
+ size_t soft_dis_jtag_cnt_val = 0;
+ esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
+ if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) {
+ result &= secure;
+ ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_PAD_JTAG
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
+ }
+#endif
+
+#if SOC_EFUSE_DIS_USB_JTAG
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
+ }
+#endif
+
+#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)");
+ }
+#endif
+
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)");
+ }
+
+#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
+ unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2;
+#else
+ unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2
+#endif
+ secure = false;
+ unsigned num_keys = 0;
+ for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) {
+ esp_efuse_block_t block;
+ if (esp_efuse_find_purpose(purpose + i, &block)) {
+ // if chip has a few secure boot slots then we check all
+#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+ bool revoke = esp_efuse_get_digest_revoke(i);
+ if (revoke) {
+ continue;
+ }
+#endif
+ ++num_keys;
+ secure = !esp_efuse_get_key_dis_read(block);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block);
+#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+ ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
+#endif
+ }
+ secure = !esp_efuse_block_is_empty(block);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block);
+#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+ ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
+#endif
+ }
+ secure = esp_efuse_get_key_dis_write(block);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
+ }
+#if SOC_EFUSE_KEY_PURPOSE_FIELD
+ secure = esp_efuse_get_keypurpose_dis_write(block);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
+ }
+#endif
+ }
+ }
+ result &= secure;
+
+ secure = (num_keys != 0);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGE(TAG, "No secure boot key found");
+ }
+
+ return result;
+}
+#endif // not CONFIG_IDF_TARGET_ESP32
+
 #endif // not BOOTLOADER_BUILD
diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in
index 4ed771e1df..4f21126ec2 100644
--- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in
@@ -459,6 +459,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS
 int
 default 1
+config SOC_EFUSE_DIS_PAD_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_ECC
 bool
 default y
diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h
index f28f545ad8..366edeb153 100644
--- a/components/soc/esp32c2/include/soc/soc_caps.h
+++ b/components/soc/esp32c2/include/soc/soc_caps.h
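Review bot: In the `#if SOC_EFUSE_SOFT_DIS_JTAG` block of the non-ESP32 `esp_secure_boot_cfg_verify_release_mode()` in secure_boot.c, a failed check runs `result &= secure;`, but `secure` still holds the outcome of whichever eFuse was tested just before it. When that earlier check passed, the warning "Not disabled JTAG in the soft way" is printed and `result` stays true, so the function can report release mode with SOFT_DIS_JTAG not burned to its maximum. If the warning is meant to fail verification, the line should be `result &= false;`, as the download-mode check a few lines earlier does. If soft-disable is deliberately advisory once JTAG is hard-disabled, that condition should be written out and commented rather than left to the stale variable. The return value of `esp_efuse_read_field_cnt()` is also not checked.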
@@ -228,6 +228,10 @@
 #define SOC_TIMER_GROUP_SUPPORT_PLL_F40M (1)
 #define SOC_TIMER_GROUP_TOTAL_TIMERS (1U)
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_ECC 1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS (1U)
diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in
index 4a0da79c2a..079a1aa028 100644
--- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in
@@ -683,6 +683,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
 bool
 default y
+config SOC_EFUSE_DIS_PAD_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+ bool
+ default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h
index 4c8bbaf5a9..6d4bd63ace 100644
--- a/components/soc/esp32c3/include/soc/soc_caps.h
+++ b/components/soc/esp32c3/include/soc/soc_caps.h
@@ -318,6 +318,12 @@
 #define SOC_TWAI_BRP_MAX 16384
 #define SOC_TWAI_SUPPORTS_RX_STATUS 1
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
index 7622e5a604..be6a132f0f 100644
--- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
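Review bot: The `SOC_EFUSE_*` caps added to esp32c2 soc_caps.h are consumed through `#if SOC_EFUSE_…` in the flash_encrypt.c and secure_boot.c hunks of this commit, where an undefined or misspelled macro evaluates to 0. A cap missing from a target's soc_caps.h therefore removes that eFuse check from the verify functions with no build error, and they can still return true. A comment on the block would make that coupling visible, e.g. `/* Each SOC_EFUSE_* cap enables the matching check in esp_flash_encryption_cfg_verify_release_mode() / esp_secure_boot_cfg_verify_release_mode(); a missing define silently skips that check */`. The same applies to the eFuse CAPS blocks added for esp32c3, esp32h2, esp32s2 and esp32s3.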
+++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
@@ -655,6 +655,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
 bool
 default y
+config SOC_EFUSE_DIS_PAD_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+ bool
+ default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h
index bb88bf0243..01d262ec95 100644
--- a/components/soc/esp32h2/include/soc/soc_caps.h
+++ b/components/soc/esp32h2/include/soc/soc_caps.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -322,6 +322,12 @@
 #define SOC_TWAI_BRP_MAX 16384
 #define SOC_TWAI_SUPPORTS_RX_STATUS 1
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in
index f8f54815df..db007d6887 100644
--- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in
@@ -787,6 +787,26 @@ config SOC_AES_SUPPORT_GCM
 bool
 default y
+config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
+ bool
+ default y
+
+config SOC_EFUSE_HARD_DIS_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_BOOT_REMAP
+ bool
+ default y
+
+config SOC_EFUSE_DIS_LEGACY_SPI_BOOT
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h
index b1f17f2430..90a860a2d2 100644
--- a/components/soc/esp32s2/include/soc/soc_caps.h
+++ b/components/soc/esp32s2/include/soc/soc_caps.h
@@ -359,6 +359,13 @@
 #define SOC_AES_SUPPORT_DMA (1)
 #define SOC_AES_SUPPORT_GCM (1)
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
+#define SOC_EFUSE_HARD_DIS_JTAG 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_BOOT_REMAP 1
+#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in
index 01669a7cee..f0abe49ae0 100644
--- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in
@@ -923,6 +923,26 @@ config SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY
 bool
 default y
+config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
+ bool
+ default y
+
+config SOC_EFUSE_HARD_DIS_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+ bool
+ default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h
index a1d9ca6658..773223d097 100644
--- a/components/soc/esp32s3/include/soc/soc_caps.h
+++ b/components/soc/esp32s3/include/soc/soc_caps.h
@@ -395,6 +395,13 @@
 #define SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY (1)
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
+#define SOC_EFUSE_HARD_DIS_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
diff --git a/examples/system/efuse/example_test.py b/examples/system/efuse/example_test.py
index af5afa9e62..ac39e4733e 100644
--- a/examples/system/efuse/example_test.py
+++ b/examples/system/efuse/example_test.py
@@ -251,6 +251,7 @@ def test_examples_efuse_with_virt_flash_enc_release(env, _): # type: (ttfw_idf.
 dut.expect('Flash encryption mode is RELEASE')
 dut.expect('Start eFuse example')
+ dut.expect('Flash Encryption is in RELEASE mode')
 dut.expect('example: Done')
@@ -668,6 +669,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(env, _): # type: (ttfw_idf.TinyF
 dut.expect('Loading virtual efuse blocks from flash')
 dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
 dut.expect('Start eFuse example')
+ dut.expect('example: Flash Encryption is NOT in RELEASE mode')
+ dut.expect('example: Secure Boot is in RELEASE mode')
 dut.expect('example: Done')
@@ -747,6 +750,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(env, _): # type: (ttfw_idf.TinyF
 dut.expect('Loading virtual efuse blocks from flash')
 dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
 dut.expect('Start eFuse example')
+ dut.expect('example: Flash Encryption is NOT in RELEASE mode')
+ dut.expect('example: Secure Boot is in RELEASE mode')
 dut.expect('example: Done')
@@ -837,6 +842,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(env, _): # type: (ttfw_i
 dut.expect('Loading virtual efuse blocks from flash')
 dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
 dut.expect('Start eFuse example')
+ dut.expect('example: Flash Encryption is NOT in RELEASE mode')
+ dut.expect('example: Secure Boot is in RELEASE mode')
 dut.expect('example: Done')
diff --git a/examples/system/efuse/main/efuse_main.c b/examples/system/efuse/main/efuse_main.c
index 8c24a407d9..53afd94600 100644
--- a/examples/system/efuse/main/efuse_main.c
+++ b/examples/system/efuse/main/efuse_main.c
@@ -15,10 +15,8 @@
 #include "esp_efuse.h"
 #include "esp_efuse_table.h"
 #include "esp_efuse_custom_table.h"
-#if CONFIG_IDF_TARGET_ESP32C2
 #include "esp_secure_boot.h"
 #include "esp_flash_encrypt.h"
-#endif
 #include "sdkconfig.h"
 static const char* TAG = "example";
@@ -135,6 +133,21 @@ void app_main(void)
 {
 ESP_LOGI(TAG, "Start eFuse example");
+#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
+ if (esp_flash_encryption_cfg_verify_release_mode()) {
+ ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode");
+ } else {
+ ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode");
+ }
+#endif
+#ifdef CONFIG_SECURE_BOOT
+ if (esp_secure_boot_cfg_verify_release_mode()) {
+ ESP_LOGI(TAG, "Secure Boot is in RELEASE mode");
+ } else {
+ ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode");
+ }
+#endif
+
 esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme();
 (void) coding_scheme;
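Review bot: The example in `app_main()` (second hunk of efuse_main.c) logs the verification result and then carries on identically in both cases, with no comment saying that this is demonstration-only behaviour. The header added in this commit recommends calling these APIs at application startup, so this snippet is likely to be copied into production firmware as is. A comment above the first `#ifdef` would help, e.g. `// Example only logs the result. Production firmware should treat a false return as a provisioning fault and react to it (report it, refuse to continue), since the log line alone does not protect the device.` `app_main()` continues past the end of the hunk.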