mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
Merge branch 'feature/secure_features_are_enabled_correctly_v5.0' into 'release/v5.0'
security: Adds new APIs to check that all eFuse security features are enabled correctly (v5.0) See merge request espressif/esp-idf!22116
This commit is contained in:
commit
8a6fb6df19
@ -8,6 +8,7 @@
|
||||
#include <stdbool.h>
|
||||
#include "esp_attr.h"
|
||||
#include "esp_err.h"
|
||||
#include "soc/soc_caps.h"
|
||||
#ifndef BOOTLOADER_BUILD
|
||||
#include "spi_flash_mmap.h"
|
||||
#endif
|
||||
@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void);
|
||||
*/
|
||||
esp_err_t esp_flash_encryption_enable_secure_features(void);
|
||||
|
||||
/** @brief Returns the verification status for all physical security features of flash encryption in release mode
|
||||
*
|
||||
* If the device has flash encryption feature configured in the release mode,
|
||||
* then it is highly recommended to call this API in the application startup code.
|
||||
* This API verifies the sanity of the eFuse configuration against
|
||||
* the release (production) mode of the flash encryption feature.
|
||||
*
|
||||
* @return
|
||||
* - True - all eFuses are configured correctly
|
||||
* - False - not all eFuses are configured correctly.
|
||||
*/
|
||||
bool esp_flash_encryption_cfg_verify_release_mode(void);
|
||||
|
||||
/** @brief Switches Flash Encryption from "Development" to "Release"
|
||||
*
|
||||
* If already in "Release" mode, the function will do nothing.
|
||||
|
@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi
|
||||
*/
|
||||
esp_err_t esp_secure_boot_enable_secure_features(void);
|
||||
|
||||
/** @brief Returns the verification status for all physical security features of secure boot in release mode
|
||||
*
|
||||
* If the device has secure boot feature configured in the release mode,
|
||||
* then it is highly recommended to call this API in the application startup code.
|
||||
* This API verifies the sanity of the eFuse configuration against
|
||||
* the release (production) mode of the secure boot feature.
|
||||
*
|
||||
* @return
|
||||
* - True - all eFuses are configured correctly
|
||||
* - False - not all eFuses are configured correctly.
|
||||
*/
|
||||
bool esp_secure_boot_cfg_verify_release_mode(void);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
|
||||
|
||||
esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
|
||||
|
||||
#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
|
||||
// Secure boot and Flash encryption share one eFuse key block so they can not be set separately.
|
||||
// CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
|
||||
// SB key is readable, the corresponding bit in RD_DIS is unset.
|
||||
// We set write-protection for RD_DIS to ensure that the SB key is always readable.
|
||||
// FE key is read-protected, the corresponding bit in RD_DIS is set.
|
||||
ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
|
||||
esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
|
||||
#else
|
||||
ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
|
||||
#endif
|
||||
|
||||
return ESP_OK;
|
||||
}
|
||||
|
@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void)
|
||||
}
|
||||
ESP_LOGI(TAG, "Flash encryption mode is RELEASE");
|
||||
}
|
||||
|
||||
#ifdef CONFIG_IDF_TARGET_ESP32
|
||||
bool esp_flash_encryption_cfg_verify_release_mode(void)
|
||||
{
|
||||
bool result = false;
|
||||
bool secure;
|
||||
|
||||
secure = esp_flash_encryption_enabled();
|
||||
result = secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)");
|
||||
}
|
||||
|
||||
uint8_t crypt_config = 0;
|
||||
esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4);
|
||||
if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) {
|
||||
result &= false;
|
||||
ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)");
|
||||
}
|
||||
|
||||
uint8_t flash_crypt_cnt = 0;
|
||||
esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count);
|
||||
if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) {
|
||||
if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) {
|
||||
result &= false;
|
||||
ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)");
|
||||
}
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)");
|
||||
}
|
||||
return result;
|
||||
}
|
||||
#else // not CONFIG_IDF_TARGET_ESP32
|
||||
bool esp_flash_encryption_cfg_verify_release_mode(void)
|
||||
{
|
||||
bool result = false;
|
||||
bool secure;
|
||||
|
||||
secure = esp_flash_encryption_enabled();
|
||||
result = secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)");
|
||||
}
|
||||
|
||||
uint8_t flash_crypt_cnt = 0;
|
||||
esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count);
|
||||
if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) {
|
||||
if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) {
|
||||
result &= false;
|
||||
ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)");
|
||||
}
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)");
|
||||
}
|
||||
|
||||
#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
|
||||
}
|
||||
|
||||
#if SOC_EFUSE_DIS_PAD_JTAG
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_USB_JTAG
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_DIRECT_BOOT
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_HARD_DIS_JTAG
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_BOOT_REMAP
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
esp_efuse_purpose_t purposes[] = {
|
||||
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
|
||||
#endif
|
||||
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY,
|
||||
#endif
|
||||
};
|
||||
// S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2.
|
||||
// The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2
|
||||
// are mutually exclusive because this will make the chip not functional.
|
||||
// Only one type key must be configured in eFuses.
|
||||
secure = false;
|
||||
for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) {
|
||||
esp_efuse_block_t block;
|
||||
if (esp_efuse_find_purpose(purposes[i], &block)) {
|
||||
secure = esp_efuse_get_key_dis_read(block);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
|
||||
}
|
||||
secure = esp_efuse_get_key_dis_write(block);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
|
||||
}
|
||||
|
||||
#if SOC_EFUSE_KEY_PURPOSE_FIELD
|
||||
secure = esp_efuse_get_keypurpose_dis_write(block);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
result &= secure;
|
||||
|
||||
return result;
|
||||
}
|
||||
#endif // not CONFIG_IDF_TARGET_ESP32
|
||||
|
@ -10,6 +10,7 @@
|
||||
#include "esp_efuse.h"
|
||||
#include "esp_efuse_table.h"
|
||||
#include "esp_secure_boot.h"
|
||||
#include "hal/efuse_hal.h"
|
||||
|
||||
#ifndef BOOTLOADER_BUILD
|
||||
static __attribute__((unused)) const char *TAG = "secure_boot";
|
||||
@ -188,4 +189,224 @@ void esp_secure_boot_init_checks(void)
|
||||
#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
|
||||
|
||||
}
|
||||
|
||||
#ifdef CONFIG_IDF_TARGET_ESP32
|
||||
bool esp_secure_boot_cfg_verify_release_mode(void)
|
||||
{
|
||||
bool result = false;
|
||||
bool secure;
|
||||
|
||||
bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0);
|
||||
bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300;
|
||||
bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false;
|
||||
result = secure_boot_v1 || secure_boot_v2;
|
||||
if (secure_boot_v1 && secure_boot_v2) {
|
||||
ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)");
|
||||
ESP_LOGI(TAG, "Secure boot V2 shall take the precedence");
|
||||
} else if (!secure_boot_v1 && !secure_boot_v2) {
|
||||
result = false;
|
||||
ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)");
|
||||
if (chip_supports_sbv2) {
|
||||
ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)");
|
||||
}
|
||||
}
|
||||
|
||||
if (secure_boot_v1 && !secure_boot_v2) {
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)");
|
||||
}
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
|
||||
}
|
||||
|
||||
if (secure_boot_v2) {
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)");
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
#else // not CONFIG_IDF_TARGET_ESP32
|
||||
bool esp_secure_boot_cfg_verify_release_mode(void)
|
||||
{
|
||||
bool result = false;
|
||||
bool secure;
|
||||
|
||||
secure = esp_secure_boot_enabled();
|
||||
result = secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)");
|
||||
}
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
|
||||
bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
|
||||
if (!secure && !en_secure_download) {
|
||||
result &= false;
|
||||
ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:");
|
||||
ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)");
|
||||
ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)");
|
||||
}
|
||||
|
||||
#if SOC_EFUSE_DIS_BOOT_REMAP
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_DIRECT_BOOT
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_HARD_DIS_JTAG
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_SOFT_DIS_JTAG
|
||||
size_t soft_dis_jtag_cnt_val = 0;
|
||||
esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
|
||||
if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) {
|
||||
result &= secure;
|
||||
ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_PAD_JTAG
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#if SOC_EFUSE_DIS_USB_JTAG
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)");
|
||||
}
|
||||
#endif
|
||||
|
||||
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)");
|
||||
}
|
||||
|
||||
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
|
||||
unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2;
|
||||
#else
|
||||
unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2
|
||||
#endif
|
||||
secure = false;
|
||||
unsigned num_keys = 0;
|
||||
for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) {
|
||||
esp_efuse_block_t block;
|
||||
if (esp_efuse_find_purpose(purpose + i, &block)) {
|
||||
// if chip has a few secure boot slots then we check all
|
||||
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
|
||||
bool revoke = esp_efuse_get_digest_revoke(i);
|
||||
if (revoke) {
|
||||
continue;
|
||||
}
|
||||
#endif
|
||||
++num_keys;
|
||||
#if SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
|
||||
secure = !esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_KEY0_HI);
|
||||
#else
|
||||
secure = !esp_efuse_get_key_dis_read(block);
|
||||
#endif // !SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block);
|
||||
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
|
||||
ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
|
||||
#endif
|
||||
}
|
||||
secure = !esp_efuse_block_is_empty(block);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block);
|
||||
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
|
||||
ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
|
||||
#endif
|
||||
}
|
||||
secure = esp_efuse_get_key_dis_write(block);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
|
||||
}
|
||||
#if SOC_EFUSE_KEY_PURPOSE_FIELD
|
||||
secure = esp_efuse_get_keypurpose_dis_write(block);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
result &= secure;
|
||||
|
||||
secure = (num_keys != 0);
|
||||
result &= secure;
|
||||
if (!secure) {
|
||||
ESP_LOGE(TAG, "No secure boot key found");
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
#endif // not CONFIG_IDF_TARGET_ESP32
|
||||
|
||||
#endif // not BOOTLOADER_BUILD
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@ -9,7 +9,7 @@
|
||||
#include <assert.h>
|
||||
#include "esp_efuse_table.h"
|
||||
|
||||
// md5_digest_table 5bc3d3149d5d4c75461337fa415d6533
|
||||
// md5_digest_table 4d0ed19c755bd49610cefdd83f798536
|
||||
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
|
||||
// If you want to change some fields, you need to change esp_efuse_table.csv file
|
||||
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
|
||||
@ -19,8 +19,8 @@ static const esp_efuse_desc_t WR_DIS[] = {
|
||||
{EFUSE_BLK0, 0, 8}, // Write protection,
|
||||
};
|
||||
|
||||
static const esp_efuse_desc_t WR_DIS_KEY0_RD_DIS[] = {
|
||||
{EFUSE_BLK0, 0, 1}, // Write protection for KEY0_RD_DIS,
|
||||
static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
|
||||
{EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS,
|
||||
};
|
||||
|
||||
static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
|
||||
@ -249,8 +249,8 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[] = {
|
||||
&WR_DIS_KEY0_RD_DIS[0], // Write protection for KEY0_RD_DIS
|
||||
const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
|
||||
&WR_DIS_RD_DIS[0], // Write protection for RD_DIS
|
||||
NULL
|
||||
};
|
||||
|
||||
|
@ -12,7 +12,7 @@
|
||||
##############################
|
||||
# EFUSE_RD_WR_DIS_REG #
|
||||
WR_DIS, EFUSE_BLK0, 0, 8, Write protection
|
||||
WR_DIS.KEY0_RD_DIS, EFUSE_BLK0, 0, 1, Write protection for KEY0_RD_DIS
|
||||
WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS
|
||||
WR_DIS.GROUP_1, EFUSE_BLK0, 1, 1, Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE
|
||||
WR_DIS.GROUP_2, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN
|
||||
WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN
|
||||
|
Can't render this file because it contains an unexpected character in line 7 and column 53.
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@ -10,7 +10,7 @@ extern "C" {
|
||||
|
||||
#include "esp_efuse.h"
|
||||
|
||||
// md5_digest_table 5bc3d3149d5d4c75461337fa415d6533
|
||||
// md5_digest_table 4d0ed19c755bd49610cefdd83f798536
|
||||
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
|
||||
// If you want to change some fields, you need to change esp_efuse_table.csv file
|
||||
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
|
||||
@ -18,7 +18,7 @@ extern "C" {
|
||||
|
||||
|
||||
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
|
||||
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[];
|
||||
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
|
||||
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
|
||||
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
|
||||
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];
|
||||
|
@ -459,6 +459,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS
|
||||
int
|
||||
default 1
|
||||
|
||||
config SOC_EFUSE_DIS_PAD_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_DIRECT_BOOT
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_ECC
|
||||
bool
|
||||
default y
|
||||
|
@ -228,6 +228,10 @@
|
||||
#define SOC_TIMER_GROUP_SUPPORT_PLL_F40M (1)
|
||||
#define SOC_TIMER_GROUP_TOTAL_TIMERS (1U)
|
||||
|
||||
/*-------------------------- eFuse CAPS----------------------------*/
|
||||
#define SOC_EFUSE_DIS_PAD_JTAG 1
|
||||
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_ECC 1
|
||||
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS (1U)
|
||||
|
@ -683,6 +683,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_PAD_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_USB_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_DIRECT_BOOT
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_SOFT_DIS_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
@ -318,6 +318,12 @@
|
||||
#define SOC_TWAI_BRP_MAX 16384
|
||||
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
|
||||
|
||||
/*-------------------------- eFuse CAPS----------------------------*/
|
||||
#define SOC_EFUSE_DIS_PAD_JTAG 1
|
||||
#define SOC_EFUSE_DIS_USB_JTAG 1
|
||||
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
|
||||
#define SOC_EFUSE_SOFT_DIS_JTAG 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
|
||||
|
@ -655,6 +655,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_PAD_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_USB_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_DIRECT_BOOT
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_SOFT_DIS_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@ -322,6 +322,12 @@
|
||||
#define SOC_TWAI_BRP_MAX 16384
|
||||
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
|
||||
|
||||
/*-------------------------- eFuse CAPS----------------------------*/
|
||||
#define SOC_EFUSE_DIS_PAD_JTAG 1
|
||||
#define SOC_EFUSE_DIS_USB_JTAG 1
|
||||
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
|
||||
#define SOC_EFUSE_SOFT_DIS_JTAG 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
|
||||
|
@ -787,6 +787,26 @@ config SOC_AES_SUPPORT_GCM
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_HARD_DIS_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_SOFT_DIS_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_BOOT_REMAP
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_LEGACY_SPI_BOOT
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
@ -359,6 +359,13 @@
|
||||
#define SOC_AES_SUPPORT_DMA (1)
|
||||
#define SOC_AES_SUPPORT_GCM (1)
|
||||
|
||||
/*-------------------------- eFuse CAPS----------------------------*/
|
||||
#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
|
||||
#define SOC_EFUSE_HARD_DIS_JTAG 1
|
||||
#define SOC_EFUSE_SOFT_DIS_JTAG 1
|
||||
#define SOC_EFUSE_DIS_BOOT_REMAP 1
|
||||
#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
|
||||
|
@ -923,6 +923,26 @@ config SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_HARD_DIS_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_USB_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_SOFT_DIS_JTAG
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_DIS_DIRECT_BOOT
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
@ -395,6 +395,13 @@
|
||||
|
||||
#define SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY (1)
|
||||
|
||||
/*-------------------------- eFuse CAPS----------------------------*/
|
||||
#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
|
||||
#define SOC_EFUSE_HARD_DIS_JTAG 1
|
||||
#define SOC_EFUSE_DIS_USB_JTAG 1
|
||||
#define SOC_EFUSE_SOFT_DIS_JTAG 1
|
||||
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
|
||||
|
@ -104,6 +104,14 @@ Setup
|
||||
|
||||
.. note:: The API *esp_efuse_write_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count)* can be used to burn "soft JTAG disable" bits on {IDF_TARGET_NAME}.
|
||||
|
||||
.. only:: esp32s2 or esp32s3
|
||||
|
||||
.. note:: If ``HARD_DIS_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled.
|
||||
|
||||
.. only:: not esp32s2 and not esp32s3
|
||||
|
||||
.. note:: If ``DIS_PAD_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled.
|
||||
|
||||
JTAG enable
|
||||
|
||||
1. The key to re-enable JTAG is the output of the HMAC-SHA256 function using the secret key in eFuse and 32 0x00 bytes as the message.
|
||||
|
@ -251,6 +251,7 @@ def test_examples_efuse_with_virt_flash_enc_release(env, _): # type: (ttfw_idf.
|
||||
|
||||
dut.expect('Flash encryption mode is RELEASE')
|
||||
dut.expect('Start eFuse example')
|
||||
dut.expect('Flash Encryption is in RELEASE mode')
|
||||
dut.expect('example: Done')
|
||||
|
||||
|
||||
@ -668,6 +669,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(env, _): # type: (ttfw_idf.TinyF
|
||||
dut.expect('Loading virtual efuse blocks from flash')
|
||||
dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
|
||||
dut.expect('Start eFuse example')
|
||||
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
|
||||
dut.expect('example: Secure Boot is in RELEASE mode')
|
||||
dut.expect('example: Done')
|
||||
|
||||
|
||||
@ -711,7 +714,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(env, _): # type: (ttfw_idf.TinyF
|
||||
dut.expect('secure_boot_v2: blowing secure boot efuse...')
|
||||
dut.expect('Disable JTAG...')
|
||||
dut.expect('Disable ROM BASIC interpreter fallback...')
|
||||
dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
|
||||
dut.expect('Disable ROM Download mode...')
|
||||
dut.expect('secure_boot_v2: Secure boot permanently enabled')
|
||||
|
||||
dut.expect('Checking flash encryption...')
|
||||
@ -747,6 +750,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(env, _): # type: (ttfw_idf.TinyF
|
||||
dut.expect('Loading virtual efuse blocks from flash')
|
||||
dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
|
||||
dut.expect('Start eFuse example')
|
||||
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
|
||||
dut.expect('example: Secure Boot is in RELEASE mode')
|
||||
dut.expect('example: Done')
|
||||
|
||||
|
||||
@ -794,7 +799,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(env, _): # type: (ttfw_i
|
||||
dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...')
|
||||
dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...')
|
||||
dut.expect('secure_boot_v2: blowing secure boot efuse...')
|
||||
dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
|
||||
dut.expect('Enabling Security download mode...')
|
||||
dut.expect('Disable hardware & software JTAG...')
|
||||
|
||||
if dut.TARGET != 'esp32c2':
|
||||
@ -837,6 +842,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(env, _): # type: (ttfw_i
|
||||
dut.expect('Loading virtual efuse blocks from flash')
|
||||
dut.expect('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
|
||||
dut.expect('Start eFuse example')
|
||||
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
|
||||
dut.expect('example: Secure Boot is in RELEASE mode')
|
||||
dut.expect('example: Done')
|
||||
|
||||
|
||||
|
@ -15,10 +15,8 @@
|
||||
#include "esp_efuse.h"
|
||||
#include "esp_efuse_table.h"
|
||||
#include "esp_efuse_custom_table.h"
|
||||
#if CONFIG_IDF_TARGET_ESP32C2
|
||||
#include "esp_secure_boot.h"
|
||||
#include "esp_flash_encrypt.h"
|
||||
#endif
|
||||
#include "sdkconfig.h"
|
||||
|
||||
static const char* TAG = "example";
|
||||
@ -135,6 +133,21 @@ void app_main(void)
|
||||
{
|
||||
ESP_LOGI(TAG, "Start eFuse example");
|
||||
|
||||
#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
|
||||
if (esp_flash_encryption_cfg_verify_release_mode()) {
|
||||
ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode");
|
||||
} else {
|
||||
ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode");
|
||||
}
|
||||
#endif
|
||||
#ifdef CONFIG_SECURE_BOOT
|
||||
if (esp_secure_boot_cfg_verify_release_mode()) {
|
||||
ESP_LOGI(TAG, "Secure Boot is in RELEASE mode");
|
||||
} else {
|
||||
ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode");
|
||||
}
|
||||
#endif
|
||||
|
||||
esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme();
|
||||
(void) coding_scheme;
|
||||
|
||||
|
@ -13,6 +13,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
|
||||
CONFIG_SECURE_BOOT=y
|
||||
CONFIG_SECURE_BOOT_V2_ENABLED=y
|
||||
CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
|
||||
CONFIG_SECURE_DISABLE_ROM_DL_MODE=y
|
||||
|
||||
CONFIG_SECURE_FLASH_ENC_ENABLED=y
|
||||
|
||||
|
@ -9,6 +9,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
|
||||
CONFIG_SECURE_BOOT=y
|
||||
CONFIG_SECURE_BOOT_V2_ENABLED=y
|
||||
CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key_ecdsa_nistp256.pem"
|
||||
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
|
||||
|
||||
CONFIG_SECURE_FLASH_ENC_ENABLED=y
|
||||
|
||||
|
@ -13,6 +13,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
|
||||
CONFIG_SECURE_BOOT=y
|
||||
CONFIG_SECURE_BOOT_V2_ENABLED=y
|
||||
CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
|
||||
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
|
||||
|
||||
CONFIG_SECURE_FLASH_ENC_ENABLED=y
|
||||
|
||||
|
@ -9,6 +9,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
|
||||
CONFIG_SECURE_BOOT=y
|
||||
CONFIG_SECURE_BOOT_V2_ENABLED=y
|
||||
CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
|
||||
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
|
||||
|
||||
CONFIG_SECURE_FLASH_ENC_ENABLED=y
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user