flash encryption: add option to require flash encryption to be enabled

In testing environment, to avoid accidentally enabling flash encryption on a device, CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED can be set. If set, the bootloader will refuse to boot if flash encryption is not enabled, instead of enabling it.
2024-10-05 20:47:46 -04:00 · 2019-07-27 08:55:30 +02:00 · 2019-07-27 08:55:30 +02:00 · a0256b9e9d
commit a0256b9e9d
parent a37694741c
2 changed files with 21 additions and 1 deletions
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -515,6 +515,20 @@ menu "Security features"

                Only set this option in testing environments.

+        config SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+            bool "Require flash encryption to be already enabled"
+            depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+            default N
+            help
+                If not set (default), and flash encryption is not yet enabled in eFuses, the 2nd stage bootloader
+                will enable flash encryption: generate the flash encryption key and program eFuses.
+                If this option is set, and flash encryption is not yet enabled, the bootloader will error out and
+                reboot.
+                If flash encryption is enabled in eFuses, this option does not change the bootloader behavior.
+
+                Only use this option in testing environments, to avoid accidentally enabling flash encryption on
+                the wrong device. The device needs to have flash encryption already enabled using espefuse.py.
+
    endmenu  # Potentially Insecure
 endmenu  # Security features

--- a/components/bootloader_support/src/esp32/flash_encrypt.c
+++ b/components/bootloader_support/src/esp32/flash_encrypt.c
@ -37,7 +37,7 @@ static const char *TAG = "flash_encrypt";

 /* Static functions for stages of flash encryption */
 static esp_err_t initialise_flash_encryption(void);
-static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis);
+static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis) __attribute__((unused));
 static esp_err_t encrypt_bootloader();
 static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions);
 static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition);
@ -60,8 +60,14 @@ esp_err_t esp_flash_encrypt_check_and_update(void)
        return ESP_OK;
    }
    else {
+#ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
        /* Flash is not encrypted, so encrypt it! */
        return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis);
+#else
+        ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED "
+                      "is set, refusing to boot.");
+        return ESP_ERR_INVALID_STATE;
+#endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
    }
 }