alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'feature/esp32h2_enable_flash_encryption' into 'master'

Browse Source 
Feature/esp32h2 enable flash encryption

Closes IDF-6282 and IDF-6680

See merge request espressif/esp-idf!22502
This commit is contained in:
Mahavir Jain 2023-02-27 16:55:32 +08:00
commit ad19981af8
6 changed files with 32 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
components/hal/CMakeLists.txt
View File

@ -47,8 +47,10 @@ if(NOT BOOTLOADER_BUILD)
list(APPEND srcs
"spi_flash_hal.c"
"spi_flash_hal_iram.c"
"spi_flash_encrypt_hal_iram.c"
)
if(CONFIG_SOC_FLASH_ENC_SUPPORTED)
list(APPEND srcs "spi_flash_encrypt_hal_iram.c")
endif()
endif()
if(CONFIG_SOC_SYSTIMER_SUPPORTED AND NOT CONFIG_HAL_SYSTIMER_USE_ROM_IMPL)

40
components/hal/esp32h2/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -35,9 +35,9 @@ typedef enum
*/
static inline void spi_flash_encrypt_ll_enable(void)
{
// REG_SET_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
// HP_SYSTEM_ENABLE_DOWNLOAD_MANUAL_ENCRYPT |
// HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT);
REG_SET_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
HP_SYSTEM_ENABLE_DOWNLOAD_MANUAL_ENCRYPT |
HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT);
}
/*
@ -45,8 +45,8 @@ static inline void spi_flash_encrypt_ll_enable(void)
*/
static inline void spi_flash_encrypt_ll_disable(void)
{
// REG_CLR_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
// HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT);
REG_CLR_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT);
}
/**
@ -59,8 +59,8 @@ static inline void spi_flash_encrypt_ll_disable(void)
static inline void spi_flash_encrypt_ll_type(flash_encrypt_ll_type_t type)
{
// Our hardware only support flash encryption
// HAL_ASSERT(type == FLASH_ENCRYPTION_MANU);
// REG_SET_FIELD(SPI_MEM_XTS_DESTINATION_REG(0), SPI_MEM_XTS_DESTINATION, type);
HAL_ASSERT(type == FLASH_ENCRYPTION_MANU);
REG_SET_FIELD(SPI_MEM_XTS_DESTINATION_REG(0), SPI_MEM_XTS_DESTINATION, type);
}
/**
@ -71,7 +71,7 @@ static inline void spi_flash_encrypt_ll_type(flash_encrypt_ll_type_t type)
static inline void spi_flash_encrypt_ll_buffer_length(uint32_t size)
{
// Desired block should not be larger than the block size.
// REG_SET_FIELD(SPI_MEM_XTS_LINESIZE_REG(0), SPI_MEM_XTS_LINESIZE, size >> 5);
REG_SET_FIELD(SPI_MEM_XTS_LINESIZE_REG(0), SPI_MEM_XTS_LINESIZE, size >> 5);
}
/**
@ -84,8 +84,8 @@ static inline void spi_flash_encrypt_ll_buffer_length(uint32_t size)
*/
static inline void spi_flash_encrypt_ll_plaintext_save(uint32_t address, const uint32_t* buffer, uint32_t size)
{
// uint32_t plaintext_offs = (address % 64);
// memcpy((void *)(SPI_MEM_XTS_PLAIN_BASE_REG(0) + plaintext_offs), buffer, size);
uint32_t plaintext_offs = (address % 64);
memcpy((void *)(SPI_MEM_XTS_PLAIN_BASE_REG(0) + plaintext_offs), buffer, size);
}
/**
@ -95,7 +95,7 @@ static inline void spi_flash_encrypt_ll_plaintext_save(uint32_t address, const u
*/
static inline void spi_flash_encrypt_ll_address_save(uint32_t flash_addr)
{
// REG_SET_FIELD(SPI_MEM_XTS_PHYSICAL_ADDRESS_REG(0), SPI_MEM_XTS_PHYSICAL_ADDRESS, flash_addr);
REG_SET_FIELD(SPI_MEM_XTS_PHYSICAL_ADDRESS_REG(0), SPI_MEM_XTS_PHYSICAL_ADDRESS, flash_addr);
}
/**
@ -103,7 +103,7 @@ static inline void spi_flash_encrypt_ll_address_save(uint32_t flash_addr)
*/
static inline void spi_flash_encrypt_ll_calculate_start(void)
{
// REG_SET_FIELD(SPI_MEM_XTS_TRIGGER_REG(0), SPI_MEM_XTS_TRIGGER, 1);
REG_SET_FIELD(SPI_MEM_XTS_TRIGGER_REG(0), SPI_MEM_XTS_TRIGGER, 1);
}
/**
@ -111,8 +111,8 @@ static inline void spi_flash_encrypt_ll_calculate_start(void)
*/
static inline void spi_flash_encrypt_ll_calculate_wait_idle(void)
{
// while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_MEM_XTS_STATE) == 0x1) {
// }
while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_MEM_XTS_STATE) == 0x1) {
}
}
/**
@ -120,9 +120,9 @@ static inline void spi_flash_encrypt_ll_calculate_wait_idle(void)
*/
static inline void spi_flash_encrypt_ll_done(void)
{
// REG_SET_BIT(SPI_MEM_XTS_RELEASE_REG(0), SPI_MEM_XTS_RELEASE);
// while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_MEM_XTS_STATE) != 0x3) {
// }
REG_SET_BIT(SPI_MEM_XTS_RELEASE_REG(0), SPI_MEM_XTS_RELEASE);
while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_MEM_XTS_STATE) != 0x3) {
}
}
/**
@ -130,7 +130,7 @@ static inline void spi_flash_encrypt_ll_done(void)
*/
static inline void spi_flash_encrypt_ll_destroy(void)
{
// REG_SET_BIT(SPI_MEM_XTS_DESTROY_REG(0), SPI_MEM_XTS_DESTROY);
REG_SET_BIT(SPI_MEM_XTS_DESTROY_REG(0), SPI_MEM_XTS_DESTROY);
}
/**
@ -141,7 +141,7 @@ static inline void spi_flash_encrypt_ll_destroy(void)
*/
static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length)
{
return false;//((address % length) == 0) ? true : false;
return ((address % length) == 0) ? true : false;
}
#ifdef __cplusplus

4
components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
View File

@ -111,6 +111,10 @@ config SOC_DIG_SIGN_SUPPORTED
bool
default y
config SOC_FLASH_ENC_SUPPORTED
bool
default y
config SOC_BOD_SUPPORTED
bool
default y

3
components/soc/esp32h2/include/soc/soc_caps.h
View File

@ -58,7 +58,7 @@
#define SOC_SHA_SUPPORTED 1
#define SOC_HMAC_SUPPORTED 1
#define SOC_DIG_SIGN_SUPPORTED 1
// #define SOC_FLASH_ENC_SUPPORTED 1 // TODO: IDF-6282
#define SOC_FLASH_ENC_SUPPORTED 1
// #define SOC_SECURE_BOOT_SUPPORTED 1 // TODO: IDF-6281
#define SOC_BOD_SUPPORTED 1
#define SOC_APM_SUPPORTED 1
@ -384,7 +384,6 @@
#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1
#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1
// TODO: IDF-6282 (Copy from esp32c6, need check)
/*-------------------------- Flash Encryption CAPS----------------------------*/
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (32)
#define SOC_FLASH_ENCRYPTION_XTS_AES 1

1
docs/docs_not_updated/esp32h2.txt
View File

@ -126,7 +126,6 @@ api-reference/protocols/esp_tls
api-reference/protocols/mdns
api-reference/protocols/index
api-reference/protocols/asio
security/flash-encryption
security/esp32h2_log.inc
security/security
security/secure-boot-v2

8
docs/en/security/flash-encryption.rst
View File

@ -903,11 +903,11 @@ On the first boot, the flash encryption process burns by default the following e
.. list::
- ``DIS_DOWNLOAD_MANUAL_ENCRYPT`` which disables flash encryption operation when running in UART bootloader boot mode.
:esp32s2 or esp32s3: - ``DIS_DOWNLOAD_ICACHE`` and ``DIS_DOWNLOAD_DCACHE`` which disables the entire MMU flash cache when running in UART bootloader mode.
:esp32c3 or esp32c2 or esp32c6: - ``DIS_DOWNLOAD_ICACHE`` which disables the entire MMU flash cache when running in UART bootloader mode.
:SOC_EFUSE_DIS_DOWNLOAD_ICACHE and SOC_EFUSE_DIS_DOWNLOAD_DCACHE: - ``DIS_DOWNLOAD_ICACHE`` and ``DIS_DOWNLOAD_DCACHE`` which disables the entire MMU flash cache when running in UART bootloader mode.
:SOC_EFUSE_DIS_DOWNLOAD_ICACHE and not SOC_EFUSE_DIS_DOWNLOAD_DCACHE: - ``DIS_DOWNLOAD_ICACHE`` which disables the entire MMU flash cache when running in UART bootloader mode.
:esp32s2: - ``HARD_DIS_JTAG`` which disables JTAG.
:esp32c3 or esp32c6: - ``DIS_PAD_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
:esp32s3: - ``HARD_DIS_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
:SOC_EFUSE_DIS_PAD_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``DIS_PAD_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
:SOC_EFUSE_HARD_DIS_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``HARD_DIS_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
- ``DIS_DIRECT_BOOT`` (old name ``DIS_LEGACY_SPI_BOOT``) which disables direct boot mode
However, before the first boot you can choose to keep any of these features enabled by burning only selected eFuses and write-protect the rest of eFuses with unset value 0. For example: