From ff33406e74240f0803ad7071196d7c9a4ba33381 Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Wed, 26 Sep 2018 16:57:44 +1000
Subject: [PATCH 1/3] bootloader: Don't enable secure boot or flash encryption for 3/4 Coding Scheme
---
 components/bootloader_support/src/flash_encrypt.c | 5 +++++
 components/bootloader_support/src/secure_boot.c | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index e04945daec..8768d5a6c7 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -63,6 +63,11 @@ esp_err_t esp_flash_encrypt_check_and_update(void)
 static esp_err_t initialise_flash_encryption(void)
 {
+ if (REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_CODING_SCHEME_M) {
+ ESP_LOGE(TAG, "Flash Encryption is currently not supported on hardware with 3/4 Coding Scheme (CODING_SCHEME efuse set)");
+ return ESP_ERR_NOT_SUPPORTED;
+ }
+
 /* Before first flash encryption pass, need to initialise key & crypto config */
 /* Generate key */
diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
index ef9744ffc8..6355bcd7c5 100644
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -111,6 +111,11 @@ esp_err_t esp_secure_boot_permanently_enable(void) {
 return ESP_OK;
 }
+ if (REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_CODING_SCHEME_M) {
+ ESP_LOGE(TAG, "Secure Boot is currently not supported on hardware with 3/4 Coding Scheme (CODING_SCHEME efuse set)");
+ return ESP_ERR_NOT_SUPPORTED;
+ }
+
 err = esp_image_verify_bootloader(&image_len);
 if (err != ESP_OK) {
 ESP_LOGE(TAG, "bootloader image appears invalid! error %d", err);
From 4d99513bdbc3022e6b8969c1cd4dfae984d3c939 Mon Sep 17 00:00:00 2001
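Review bot: The guard `REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_CODING_SCHEME_M` at the top of initialise_flash_encryption() refuses any non-zero value under the mask, while the log text names only the 3/4 scheme; if CODING_SCHEME is a multi-bit field (worth confirming against the efuse register header), other encodings would be refused with a misleading message. Refusing every non-default encoding before the key is generated is the safe direction, so I would keep the test and state the intent in a comment such as `/* Any non-zero CODING_SCHEME is refused; only the default efuse encoding is handled by the key setup below */`, and consider logging the raw field value. The same test and wording are repeated in the secure_boot.c hunk (esp_secure_boot_permanently_enable), so a small shared helper would keep the two checks from drifting apart. The function body continues outside the hunk.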
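Review bot: esp_secure_boot_permanently_enable() gains a new failure value, ESP_ERR_NOT_SUPPORTED, returned just before `esp_image_verify_bootloader(&image_len)`, and nothing in the hunk documents it. I would add it to the function's doc comment (the declaration is not on this page), for example `@return ESP_ERR_NOT_SUPPORTED if the CODING_SCHEME efuse is set`. It is also worth confirming that the caller treats this value as fatal, so that a build configured for Secure Boot does not continue booting unprotected on such hardware; that caller is not visible here. The function starts and ends outside the hunk.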
From: Angus Gratton
Date: Wed, 26 Sep 2018 17:48:50 +1000
Subject: [PATCH 2/3] bootloader: Fix crash enabling flash encryption
Regression in 9c715d7946a9595bad53307cf0a141d4226d0a5a
---
 components/bootloader/subproject/main/esp32.bootloader.ld | 1 +
 1 file changed, 1 insertion(+)
diff --git a/components/bootloader/subproject/main/esp32.bootloader.ld b/components/bootloader/subproject/main/esp32.bootloader.ld
index 1a182acb5e..85a3c67524 100644
--- a/components/bootloader/subproject/main/esp32.bootloader.ld
+++ b/components/bootloader/subproject/main/esp32.bootloader.ld
@@ -54,6 +54,7 @@ SECTIONS
 *libbootloader_support.a:secure_boot_signatures.*(.literal .text .literal.* .text.*)
 *libmicro-ecc.a:*.*(.literal .text .literal.* .text.*)
 *libspi_flash.a:*.*(.literal .text .literal.* .text.*)
+ *libsoc.a:rtc_wdt.*(.literal .text .literal.* .text.*)
 *(.fini.literal)
 *(.fini)
 *(.gnu.version)
From d8c84cff3ac8d222f52c780e2dcd59da04e78cee Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Thu, 27 Sep 2018 10:12:00 +1000
Subject: [PATCH 3/3] esptool: Update to v2.5.1
Release notes: https://github.com/espressif/esptool/releases/tag/v2.5.1
Needed to no longer burn keys if 3/4 Coding Scheme is enabled.
---
 components/esptool_py/esptool | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/esptool_py/esptool b/components/esptool_py/esptool
index fd8c25d216..59b8dd8bfe 160000
--- a/components/esptool_py/esptool
+++ b/components/esptool_py/esptool
@@ -1 +1 @@
-Subproject commit fd8c25d2160505fb9d5abbe56f85116a136afb05
+Subproject commit 59b8dd8bfe3927dc11ffc06603fa082cb0f523bb
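Review bot: The added `*libsoc.a:rtc_wdt.*(.literal .text .literal.* .text.*)` entry in esp32.bootloader.ld has no comment saying why this object must sit alongside the spi_flash and secure_boot_signatures objects. The commit message records it as a regression fix, so the same crash can return when another call is added on that path. A one-line comment above the entry would record the constraint, for example `/* rtc_wdt is used while enabling flash encryption and must be placed in this section */`; this reason is inferred from the commit title. The section name and the rest of SECTIONS are outside the hunk, so adjust the wording to them.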