From 696f7495a0467185045022dd0e01b96d561e9cf0 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Fri, 12 Aug 2022 17:05:39 +0800
Subject: [PATCH] security: Adds new APIs to check that all eFuse security features are enabled correctly
---
 .../include/esp_flash_encrypt.h | 14 ++
 .../include/esp_secure_boot.h | 13 ++
 .../bootloader_support/src/flash_encrypt.c | 203 ++++++++++++++++
 .../bootloader_support/src/secure_boot.c | 217 ++++++++++++++++++
 .../esp32c2/include/soc/Kconfig.soc_caps.in | 8 +
 components/soc/esp32c2/include/soc/soc_caps.h | 4 +
 .../esp32c3/include/soc/Kconfig.soc_caps.in | 16 ++
 components/soc/esp32c3/include/soc/soc_caps.h | 6 +
 .../esp32c6/include/soc/Kconfig.soc_caps.in | 16 ++
 components/soc/esp32c6/include/soc/soc_caps.h | 8 +-
 .../esp32h2/include/soc/Kconfig.soc_caps.in | 16 ++
 components/soc/esp32h2/include/soc/soc_caps.h | 8 +-
 .../esp32h4/include/soc/Kconfig.soc_caps.in | 16 ++
 components/soc/esp32h4/include/soc/soc_caps.h | 6 +
 .../esp32s2/include/soc/Kconfig.soc_caps.in | 20 ++
 components/soc/esp32s2/include/soc/soc_caps.h | 7 +
 .../esp32s3/include/soc/Kconfig.soc_caps.in | 20 ++
 components/soc/esp32s3/include/soc/soc_caps.h | 7 +
 examples/system/efuse/main/efuse_main.c | 17 +-
 .../efuse/pytest_system_efuse_example.py | 9 +-
 20 files changed, 626 insertions(+), 5 deletions(-)
diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h
index 35129c8b97..d6b0a54c5a 100644
--- a/components/bootloader_support/include/esp_flash_encrypt.h
+++ b/components/bootloader_support/include/esp_flash_encrypt.h
@@ -8,6 +8,7 @@
 #include
 #include "esp_attr.h"
 #include "esp_err.h"
+#include "soc/soc_caps.h"
 #ifndef BOOTLOADER_BUILD
 #include "spi_flash_mmap.h"
 #endif
@@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void);
  */
 esp_err_t esp_flash_encryption_enable_secure_features(void);
 
+/** @brief Returns the verification status for all physical security features of flash encryption in release mode
+ *
+ * If the device has flash encryption feature configured in the release mode,
+ * then it is highly recommended to call this API in the application startup code.
+ * This API verifies the sanity of the eFuse configuration against
+ * the release (production) mode of the flash encryption feature.
+ *
+ * @return
+ * - True - all eFuses are configured correctly
+ * - False - not all eFuses are configured correctly.
+ */
+bool esp_flash_encryption_cfg_verify_release_mode(void);
+
 /** @brief Switches Flash Encryption from "Development" to "Release"
  *
  * If already in "Release" mode, the function will do nothing.
diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h
index 95ccf39000..fa5c13e25f 100644
--- a/components/bootloader_support/include/esp_secure_boot.h
+++ b/components/bootloader_support/include/esp_secure_boot.h
@@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi
  */
 esp_err_t esp_secure_boot_enable_secure_features(void);
 
+/** @brief Returns the verification status for all physical security features of secure boot in release mode
+ *
+ * If the device has secure boot feature configured in the release mode,
+ * then it is highly recommended to call this API in the application startup code.
+ * This API verifies the sanity of the eFuse configuration against
+ * the release (production) mode of the secure boot feature.
+ *
+ * @return
+ * - True - all eFuses are configured correctly
+ * - False - not all eFuses are configured correctly.
+ */
+bool esp_secure_boot_cfg_verify_release_mode(void);
+
 #ifdef __cplusplus
 }
 #endif
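Review bot: The new declaration of `esp_secure_boot_cfg_verify_release_mode()` is unguarded, but its definition in secure_boot.c sits inside the `#ifndef BOOTLOADER_BUILD` region (that hunk closes with `#endif // not BOOTLOADER_BUILD`), so a bootloader-side caller compiles and then fails at link time; the doc comment should say so, e.g. `@note Not available in the bootloader build (BOOTLOADER_BUILD).` The `@return` text also leaves out the most useful behaviour: every failing check is reported with `ESP_LOGW`/`ESP_LOGE` naming the eFuse that still needs to be set, which is what a production provisioning check actually acts on, so add `@note Each failed check is logged together with the eFuse that needs to be burned.` The same two notes apply to `esp_flash_encryption_cfg_verify_release_mode()` in the esp_flash_encrypt.h hunk above; whether its definition is under the same BOOTLOADER_BUILD guard is not visible in this patch.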
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 9fe6be6bf3..50eebed9b7 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void) } ESP_LOGI(TAG, "Flash encryption mode is RELEASE"); } + +#ifdef CONFIG_IDF_TARGET_ESP32 +bool esp_flash_encryption_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_flash_encryption_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)"); + } + + uint8_t crypt_config = 0; + esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4); + if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) { + result &= false; + ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)"); + } + + uint8_t flash_crypt_cnt = 0; + esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); + if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) { + if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) { + result &= false; + ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not 
disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)"); + } + return result; +} +#else // not CONFIG_IDF_TARGET_ESP32 +bool esp_flash_encryption_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_flash_encryption_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)"); + } + + uint8_t flash_crypt_cnt = 0; + esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); + if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) { + if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) { + result &= false; + ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)"); + } + +#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)"); + } +#endif + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)"); + } + +#if SOC_EFUSE_DIS_PAD_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) 
{ + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_USB_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_DIRECT_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_BOOT_REMAP + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)"); + } +#endif + +#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)"); + } +#endif + + esp_efuse_purpose_t purposes[] = { +#if SOC_FLASH_ENCRYPTION_XTS_AES_256 + ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, + ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, +#endif +#if SOC_FLASH_ENCRYPTION_XTS_AES_128 + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, +#endif + }; + // S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2. + // The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2 + // are mutually exclusive because this will make the chip not functional. + // Only one type key must be configured in eFuses. 
+ secure = false; + for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) { + esp_efuse_block_t block; + if (esp_efuse_find_purpose(purposes[i], &block)) { + secure = esp_efuse_get_key_dis_read(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } + secure = esp_efuse_get_key_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } + +#if SOC_EFUSE_KEY_PURPOSE_FIELD + secure = esp_efuse_get_keypurpose_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0); + } +#endif + } + } + result &= secure; + + return result; +} +#endif // not CONFIG_IDF_TARGET_ESP32 diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c index 524e15f962..0b5bab46fc 100644 --- a/components/bootloader_support/src/secure_boot.c +++ b/components/bootloader_support/src/secure_boot.c @@ -10,6 +10,7 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_secure_boot.h" +#include "hal/efuse_hal.h" #ifndef BOOTLOADER_BUILD static __attribute__((unused)) const char *TAG = "secure_boot"; 
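Review bot: In the non-ESP32 `esp_flash_encryption_cfg_verify_release_mode()`, the `result &= secure;` after the `purposes[]` loop makes the result false when no eFuse block carries a flash-encryption key purpose, but unlike every other check in this function nothing is logged, so the caller gets `false` with no hint of what is missing; the secure-boot counterpart in this same patch counts keys and logs "No secure boot key found". Mirror that here: `unsigned num_keys = 0;` before the loop, `++num_keys;` inside the `esp_efuse_find_purpose()` branch, and after the loop `if (num_keys == 0) { result = false; ESP_LOGW(TAG, "No Flash encryption key found"); }`. With several purposes (S2/S3), `secure` after the loop is merely the last check evaluated and is already folded into `result`, so the trailing `result &= secure;` adds nothing once the counter exists. Separately, the log strings carry typos that will land in production logs and in anything that greps them: "ecnryption" in both the RD_DIS_BLK1 and WR_DIS_BLK1 messages of the ESP32 variant, and "Legcy" in the DIS_LEGACY_SPI_BOOT message, which recurs in the secure_boot.c hunk below.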
@@ -188,4 +189,220 @@ void esp_secure_boot_init_checks(void) #endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT } + +#ifdef CONFIG_IDF_TARGET_ESP32 +bool esp_secure_boot_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0); + bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300; + bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false; + result = secure_boot_v1 || secure_boot_v2; + if (secure_boot_v1 && secure_boot_v2) { + ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)"); + ESP_LOGI(TAG, "Secure boot V2 shall take the precedence"); + } else if (!secure_boot_v1 && !secure_boot_v2) { + result = false; + ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)"); + if (chip_supports_sbv2) { + ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)"); + } + } + + if (secure_boot_v1 && !secure_boot_v2) { + secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)"); + } + + if (secure_boot_v2) { + secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)"); + } + + secure = 
esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)"); + } + } + + return result; +} +#else // not CONFIG_IDF_TARGET_ESP32 +bool esp_secure_boot_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_secure_boot_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE); + bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD); + if (!secure && !en_secure_download) { + result &= false; + ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:"); + ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)"); + ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)"); + } + +#if SOC_EFUSE_DIS_BOOT_REMAP + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)"); + } +#endif + +#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_DIS_DIRECT_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_SOFT_DIS_JTAG + size_t soft_dis_jtag_cnt_val = 0; + esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val); + if 
(soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) { + result &= secure; + ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)"); + } +#endif + +#if SOC_EFUSE_DIS_PAD_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_USB_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } +#endif + +#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE + secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)"); + } +#endif + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)"); + } + +#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1 + unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2; +#else + unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2 +#endif + secure = false; + unsigned num_keys = 0; + for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) { + esp_efuse_block_t block; + if (esp_efuse_find_purpose(purpose + i, &block)) { + // if chip has a few secure boot slots then we check all +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + bool revoke = esp_efuse_get_digest_revoke(i); + if (revoke) { + continue; + } +#endif + ++num_keys; + secure = !esp_efuse_get_key_dis_read(block); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block); +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i); +#endif + } + 
secure = !esp_efuse_block_is_empty(block); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block); +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i); +#endif + } + secure = esp_efuse_get_key_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } +#if SOC_EFUSE_KEY_PURPOSE_FIELD + secure = esp_efuse_get_keypurpose_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0); + } +#endif + } + } + result &= secure; + + secure = (num_keys != 0); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "No secure boot key found"); + } + + return result; +} +#endif // not CONFIG_IDF_TARGET_ESP32 + #endif // not BOOTLOADER_BUILD diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in index adcf5f6602..1b7f6fbf28 100644 --- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in @@ -479,6 +479,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS int default 1 +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_ECC bool default y diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h index ba571b1810..f0c5b4a668 100644 --- a/components/soc/esp32c2/include/soc/soc_caps.h +++ b/components/soc/esp32c2/include/soc/soc_caps.h 
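Review bot: In the non-ESP32 `esp_secure_boot_cfg_verify_release_mode()`, the `SOC_EFUSE_SOFT_DIS_JTAG` branch executes `result &= secure;` while `secure` still holds the outcome of the preceding check (HARD_DIS_JTAG, or DIS_DIRECT_BOOT on chips without it), so when that earlier eFuse is burned a missing SOFT_DIS_JTAG is logged but does not make the function return false. Write `result = false;` there (or `result &= false;` to match the pattern used for the download-mode check a few lines earlier). The `result &= secure;` after the digest loop is redundant with the `num_keys != 0` check that follows, since `secure` is either still false (no key found) or already folded in, and can be dropped. The ESP32 variant above does not apply the not-read-protected and not-empty checks that this variant runs on each digest block; if that is deliberate because such a BLK2 would already stop the ROM from booting this code, a one-line comment saying so, e.g. `// BLK2 readability/contents are not checked here: the ROM would not boot otherwise.`, would save the next reader the question.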
@@ -237,6 +237,10 @@ #define SOC_TIMER_GROUP_SUPPORT_PLL_F40M (1) #define SOC_TIMER_GROUP_TOTAL_TIMERS (1U) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_ECC 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS (1U) diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index cfb7b79d42..209d6756e0 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -711,6 +711,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index c91f707d08..9b319001ec 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -324,6 +324,12 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in index c5b217ac7d..558b5e5b87 100644 --- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in 
+++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in @@ -799,6 +799,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h index 942e17be30..0bc3318089 100644 --- a/components/soc/esp32c6/include/soc/soc_caps.h +++ b/components/soc/esp32c6/include/soc/soc_caps.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -369,6 +369,12 @@ #define SOC_TWAI_BRP_MAX 32768 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + // TODO: IDF-5357 (Copy from esp32c3, need check) /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index 361403d3d4..be7da9fb8e 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -647,6 +647,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y 
diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index b704593898..8c38d5127d 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -353,6 +353,12 @@ #define SOC_TWAI_BRP_MAX 32768 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + // TODO: IDF-6281 (Copy from esp32c6, need check) /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index ad28130f48..2d33b2bbcf 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -687,6 +687,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index c56443a7f1..5d0fe17416 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h 
@@ -331,6 +331,12 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index 469453abce..b5d22fdada 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -795,6 +795,26 @@ config SOC_AES_SUPPORT_GCM bool default y +config SOC_EFUSE_DIS_DOWNLOAD_DCACHE + bool + default y + +config SOC_EFUSE_HARD_DIS_JTAG + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_BOOT_REMAP + bool + default y + +config SOC_EFUSE_DIS_LEGACY_SPI_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index 40649f2a2b..7922e055e9 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -357,6 +357,13 @@ #define SOC_AES_SUPPORT_DMA (1) #define SOC_AES_SUPPORT_GCM (1) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1 +#define SOC_EFUSE_HARD_DIS_JTAG 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_BOOT_REMAP 1 +#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 
diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index 181410cdbb..c56d2d4218 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -987,6 +987,26 @@ config SOC_CLK_RC_FAST_SUPPORT_CALIBRATION bool default y +config SOC_EFUSE_DIS_DOWNLOAD_DCACHE + bool + default y + +config SOC_EFUSE_HARD_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index c96703d5a8..d7ce61e3ee 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -416,6 +416,13 @@ #define SOC_RTC_SLOW_CLK_SUPPORT_RC_FAST_D256 (1) #define SOC_CLK_RC_FAST_SUPPORT_CALIBRATION (1) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1 +#define SOC_EFUSE_HARD_DIS_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/examples/system/efuse/main/efuse_main.c b/examples/system/efuse/main/efuse_main.c index 8c24a407d9..53afd94600 100644 --- a/examples/system/efuse/main/efuse_main.c +++ b/examples/system/efuse/main/efuse_main.c @@ -15,10 +15,8 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_efuse_custom_table.h" -#if CONFIG_IDF_TARGET_ESP32C2 #include "esp_secure_boot.h" #include "esp_flash_encrypt.h" -#endif #include "sdkconfig.h" static const char* TAG = "example"; 
@@ -135,6 +133,21 @@ void app_main(void) { ESP_LOGI(TAG, "Start eFuse example"); +#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED + if (esp_flash_encryption_cfg_verify_release_mode()) { + ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode"); + } else { + ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode"); + } +#endif +#ifdef CONFIG_SECURE_BOOT + if (esp_secure_boot_cfg_verify_release_mode()) { + ESP_LOGI(TAG, "Secure Boot is in RELEASE mode"); + } else { + ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode"); + } +#endif + esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme(); (void) coding_scheme; diff --git a/examples/system/efuse/pytest_system_efuse_example.py b/examples/system/efuse/pytest_system_efuse_example.py index 2f52f56e39..327355e95c 100644 --- a/examples/system/efuse/pytest_system_efuse_example.py +++ b/examples/system/efuse/pytest_system_efuse_example.py @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD +# SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD # SPDX-License-Identifier: Unlicense OR CC0-1.0 from __future__ import unicode_literals @@ -248,6 +248,7 @@ def test_examples_efuse_with_virt_flash_enc_release(dut: Dut) -> None: dut.expect_exact('flash encryption is enabled (0 plaintext flashes left)', timeout=5) dut.expect('Flash encryption mode is RELEASE') dut.expect('Start eFuse example') + dut.expect('Flash Encryption is in RELEASE mode') dut.expect('example: Done') @@ -772,6 +773,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done') 
@@ -851,6 +854,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done') @@ -938,6 +943,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done')