From 723b2e86e54e32acac27a0876ffaee54961ca962 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Wed, 8 Mar 2023 00:09:45 +0800 Subject: [PATCH] security: write-protect DIS_ICAHE and DIS_DCACHE Closes IDF-5177 --- .../esp32/flash_encryption_secure_features.c | 8 +++++++ .../flash_encryption_secure_features.c | 9 ++++++++ .../flash_encryption_secure_features.c | 12 +++++++++- .../flash_encryption_secure_features.c | 9 ++++++++ .../flash_encryption_secure_features.c | 9 ++++++++ .../flash_encryption_secure_features.c | 10 +++++++++ .../flash_encryption_secure_features.c | 10 +++++++++ .../bootloader_support/src/flash_encrypt.c | 22 +++++++++++++++++++ .../esp32c3/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32c3/include/soc/soc_caps.h | 1 + .../esp32c6/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32c6/include/soc/soc_caps.h | 1 + .../esp32h2/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32h2/include/soc/soc_caps.h | 1 + .../esp32h4/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32h4/include/soc/soc_caps.h | 1 + .../esp32s2/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32s2/include/soc/soc_caps.h | 1 + .../esp32s3/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32s3/include/soc/soc_caps.h | 1 + 20 files changed, 118 insertions(+), 1 deletion(-) diff --git a/components/bootloader_support/src/esp32/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32/flash_encryption_secure_features.c index 5738b2c26b..dc09bff08e 100644 --- a/components/bootloader_support/src/esp32/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32/flash_encryption_secure_features.c @@ -79,5 +79,13 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE); #endif +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally. + // esp32 has DIS_ICACHE. Write-protection bit = 3. + // List of eFuses with the same write protection bit: + // MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV. + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c index 16795b5254..f8f2af5090 100644 --- a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c @@ -46,5 +46,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); #endif +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally. + // esp32c3 has DIS_ICACHE. Write-protection bit = 2. + // List of eFuses with the same write protection bit: + // DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, DIS_USB_SERIAL_JTAG, + // DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c index 3f64dbfd3d..0186180853 100644 --- a/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -46,5 +46,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); #endif +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally. + // esp32c6 has DIS_ICACHE. Write-protection bit = 2. + // List of eFuses with the same write protection bit: + // SWAP_UART_SDIO_EN, DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, + // DIS_USB_SERIAL_JTAG, DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, + // DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c index 8a9749c8f6..3fb6162708 100644 --- a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c @@ -39,5 +39,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); #endif +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally. + // esp32h2 has DIS_ICACHE. Write-protection bit = 2. + // List of eFuses with the same write protection bit: + // DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS, + // DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c index 16795b5254..f06b78a423 100644 --- a/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c @@ -46,5 +46,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); #endif +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally. + // esp32h4 has DIS_ICACHE. Write-protection bit = 2. + // List of eFuses with the same write protection bit: + // DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS, + // DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c index 3927367c3e..8751ec6433 100644 --- a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c @@ -47,5 +47,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); #endif +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally. + // esp32s2 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both. + // List of eFuses with the same write protection bit: + // DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE, + // DIS_FORCE_DOWNLOAD, DIS_USB, DIS_TWAI, DIS_BOOT_REMAP, SOFT_DIS_JTAG, + // HARD_DIS_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c index 3e5437051b..3fea5e43ad 100644 --- a/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c @@ -47,5 +47,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); #endif +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally. + // esp32s3 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both. + // List of eFuses with the same write protection bit: + // DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE, + // DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG, + // DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL. + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 9f040e829a..a21f983081 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -200,6 +200,14 @@ void esp_flash_encryption_set_release_mode(void) #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED #endif // !CONFIG_IDF_TARGET_ESP32 +#ifdef CONFIG_IDF_TARGET_ESP32 + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE); +#else +#if SOC_EFUSE_DIS_ICACHE + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); +#endif +#endif // !CONFIG_IDF_TARGET_ESP32 + #if CONFIG_SOC_SUPPORTS_SECURE_DL_MODE esp_efuse_enable_rom_secure_download_mode(); #else @@ -272,6 +280,12 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)"); } + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected DIS_CACHE (set WR_DIS_DIS_CACHE->1)"); + } + secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1); result &= secure; if (!secure) { @@ -376,6 +390,14 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) } #endif +#if SOC_EFUSE_DIS_ICACHE + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected DIS_ICACHE (set WR_DIS_DIS_ICACHE->1)"); + } +#endif + esp_efuse_purpose_t purposes[] = { #if SOC_FLASH_ENCRYPTION_XTS_AES_256 ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index 697d080b69..96e933201d 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -767,6 +767,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG bool default y +config SOC_EFUSE_DIS_ICACHE + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index c7abe37fad..e0fc2f3cff 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -339,6 +339,7 @@ #define SOC_EFUSE_DIS_USB_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_ICACHE 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in index 2373c9452d..3b940ce317 100644 --- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in @@ -979,6 +979,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG bool default y +config SOC_EFUSE_DIS_ICACHE + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h index ef0d583a8c..b0a30ae422 100644 --- a/components/soc/esp32c6/include/soc/soc_caps.h +++ b/components/soc/esp32c6/include/soc/soc_caps.h @@ -403,6 +403,7 @@ #define SOC_EFUSE_DIS_USB_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_ICACHE 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index eea30cc633..28b6b2b8ef 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -943,6 +943,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG bool default y +config SOC_EFUSE_DIS_ICACHE + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index d24600c4ca..2711941d85 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -400,6 +400,7 @@ #define SOC_EFUSE_DIS_USB_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_ICACHE 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index 1efb5ef96d..d21f7e3bb0 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -739,6 +739,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG bool default y +config SOC_EFUSE_DIS_ICACHE + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index 759114e918..fea5b165dc 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -350,6 +350,7 @@ #define SOC_EFUSE_DIS_USB_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_ICACHE 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index 8998050439..0a756e0f60 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -863,6 +863,10 @@ config SOC_EFUSE_DIS_LEGACY_SPI_BOOT bool default y +config SOC_EFUSE_DIS_ICACHE + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index 2a74a93803..94e210a282 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -375,6 +375,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_BOOT_REMAP 1 #define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1 +#define SOC_EFUSE_DIS_ICACHE 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index e067050659..887936c4cb 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -1091,6 +1091,10 @@ config SOC_EFUSE_DIS_DIRECT_BOOT bool default y +config SOC_EFUSE_DIS_ICACHE + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index 5d69e0eae4..3434250e30 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -439,6 +439,7 @@ #define SOC_EFUSE_DIS_USB_JTAG 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_DIS_ICACHE 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1