From 3d695b97686017c9099c1e2c6da5dcfed54eb439 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Tue, 4 Apr 2023 00:00:56 +0800 Subject: [PATCH 1/2] efuse: Prevent burning XTS_AES and ECDSA keys into BLOCK9 (BLOCK_KEY5) eFuse module has a hardware bug. It is related to ESP32-C3, C6, S3, H2 chips: - BLOCK9 (BLOCK_KEY5) can not be used by XTS_AES keys. For H2 chips, the BLOCK9 (BLOCK_KEY5) can not be used by ECDSA keys. S2 does not have such a hardware bug. --- .../with_key_purposes/esp_efuse_api_key.c | 16 ++++++++ .../main/with_key_purposes/test_efuse_keys.c | 41 +++++++++++++++++-- .../esp32c3/include/soc/Kconfig.soc_caps.in | 4 ++ components/soc/esp32c3/include/soc/soc_caps.h | 1 + .../esp32c6/include/soc/Kconfig.soc_caps.in | 4 ++ components/soc/esp32c6/include/soc/soc_caps.h | 1 + .../esp32h2/include/soc/Kconfig.soc_caps.in | 4 ++ components/soc/esp32h2/include/soc/soc_caps.h | 1 + .../esp32h4/include/soc/Kconfig.soc_caps.in | 4 ++ components/soc/esp32h4/include/soc/soc_caps.h | 1 + .../esp32s3/include/soc/Kconfig.soc_caps.in | 4 ++ components/soc/esp32s3/include/soc/soc_caps.h | 1 + 12 files changed, 79 insertions(+), 3 deletions(-) diff --git a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c index 0ae91931f9..da1afb7a6c 100644 --- a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c +++ b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c @@ -282,6 +282,22 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo ESP_EFUSE_CHK(esp_efuse_write_field_blob(s_table[idx].key, key, key_size_bytes * 8)); ESP_EFUSE_CHK(esp_efuse_set_key_dis_write(block)); +#if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + if (block == EFUSE_BLK9 && ( +#if SOC_FLASH_ENCRYPTION_XTS_AES_256 + purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || + purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || +#endif +#if SOC_ECDSA_SUPPORTED + purpose == ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY || +#endif + purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY)) { + ESP_LOGE(TAG, "BLOCK9 can not have the %d purpose because of HW bug (see TRM for more details)", purpose); + err = ESP_ERR_NOT_SUPPORTED; + goto err_exit; + } +#endif // SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || #ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || diff --git a/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c b/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c index 30aa478ff3..ee53928c80 100644 --- a/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c +++ b/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c @@ -50,6 +50,26 @@ TEST_CASE("Test keys and purposes, rd, wr, wr_key_purposes are in the initial st printf("EFUSE_BLK_KEY%d, RD, WR, PURPOSE_USER, PURPOSE_USER WR ... OK\n", num_key - EFUSE_BLK_KEY0); } } + +#if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK +TEST_CASE("Test efuse API blocks burning XTS and ECDSA keys into BLOCK9", "[efuse]") +{ + uint8_t key[32] = {0}; + esp_efuse_purpose_t purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY; + TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); +#if SOC_FLASH_ENCRYPTION_XTS_AES_256 + purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1; + TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); + purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2; + TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); +#endif +#if SOC_ECDSA_SUPPORTED + purpose = ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY; + TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); +#endif +} +#endif // SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + #endif // CONFIG_EFUSE_VIRTUAL // If using efuse is real, then turn off writing tests. @@ -124,8 +144,8 @@ TEST_CASE("Test esp_efuse_write_key for virt mode", "[efuse]") TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK_KEY0, tmp_purpose, &rd_key, 33)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_efuse_write_key(EFUSE_BLK10, tmp_purpose, &rd_key, sizeof(rd_key))); - for (esp_efuse_purpose_t purpose = ESP_EFUSE_KEY_PURPOSE_USER; purpose < ESP_EFUSE_KEY_PURPOSE_MAX; ++purpose) { - if (purpose == ESP_EFUSE_KEY_PURPOSE_USER) { + for (esp_efuse_purpose_t g_purpose = ESP_EFUSE_KEY_PURPOSE_USER; g_purpose < ESP_EFUSE_KEY_PURPOSE_MAX; ++g_purpose) { + if (g_purpose == ESP_EFUSE_KEY_PURPOSE_USER) { continue; } esp_efuse_utility_reset(); @@ -136,9 +156,24 @@ TEST_CASE("Test esp_efuse_write_key for virt mode", "[efuse]") #endif esp_efuse_utility_debug_dump_blocks(); - TEST_ASSERT_FALSE(esp_efuse_find_purpose(purpose, NULL)); + TEST_ASSERT_FALSE(esp_efuse_find_purpose(g_purpose, NULL)); for (esp_efuse_block_t num_key = (EFUSE_BLK_KEY_MAX - 1); num_key >= EFUSE_BLK_KEY0; --num_key) { + esp_efuse_purpose_t purpose = g_purpose; +#if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + if (num_key == EFUSE_BLK9 && ( +#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 + purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || + purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || +#endif //#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS +#if SOC_ECDSA_SUPPORTED + purpose == ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY || +#endif + purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY)) { + printf("BLOCK9 can not have the %d purpose, use RESERVED instead\n", purpose); + purpose = ESP_EFUSE_KEY_PURPOSE_RESERVED; + } +#endif // SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK int id = num_key - EFUSE_BLK_KEY0; TEST_ASSERT_EQUAL(id + 1, esp_efuse_count_unused_key_blocks()); test_write_key(num_key, purpose); diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index 8cf02e6a6b..3cd2c1afa6 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -771,6 +771,10 @@ config SOC_EFUSE_DIS_ICACHE bool default y +config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index fc9003b341..298907c34c 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -340,6 +340,7 @@ #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 +#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // AES-XTS key purpose not supported for this block /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in index 36ceda6ec6..70aef4c549 100644 --- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in @@ -983,6 +983,10 @@ config SOC_EFUSE_DIS_ICACHE bool default y +config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h index 573da4f110..0a15699693 100644 --- a/components/soc/esp32c6/include/soc/soc_caps.h +++ b/components/soc/esp32c6/include/soc/soc_caps.h @@ -404,6 +404,7 @@ #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 +#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // AES-XTS key purpose not supported for this block /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index f09f39459c..663c5203e7 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -975,6 +975,10 @@ config SOC_EFUSE_DIS_ICACHE bool default y +config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index 7d76f26253..aa90e035f6 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -410,6 +410,7 @@ #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 +#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // AES-XTS and ECDSA key purposes not supported for this block /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index 2860ab9fb8..9d1facc11e 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -743,6 +743,10 @@ config SOC_EFUSE_DIS_ICACHE bool default y +config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index 44423a7b91..46a28eea78 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -351,6 +351,7 @@ #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 +#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // AES-XTS key purpose not supported for this block /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index f32eee4119..98ca8a4ce8 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -1095,6 +1095,10 @@ config SOC_EFUSE_DIS_ICACHE bool default y +config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index c12a89cf24..2d954d0bae 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -440,6 +440,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_DIS_ICACHE 1 +#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // AES-XTS key purpose not supported for this block /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 From f4334e0318e9a49826a5a1ba108a3689a07014b9 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Wed, 5 Apr 2023 14:19:32 +0530 Subject: [PATCH 2/2] docs: add a note regarding EFuse Block9 key purpose quirk for some chips --- docs/en/api-reference/system/efuse.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/en/api-reference/system/efuse.rst b/docs/en/api-reference/system/efuse.rst index cb1cca776e..92ede477d6 100644 --- a/docs/en/api-reference/system/efuse.rst +++ b/docs/en/api-reference/system/efuse.rst @@ -29,6 +29,8 @@ For more details, see *{IDF_TARGET_NAME} Technical Reference Manual* > *eFuse Co .. only:: not esp32 and not esp32c2 + .. list:: + {IDF_TARGET_NAME} has 11 eFuse blocks each of the size of 256 bits (not all bits are available): * EFUSE_BLK0 is used entirely for system purposes; @@ -40,7 +42,9 @@ For more details, see *{IDF_TARGET_NAME} Technical Reference Manual* > *eFuse Co * EFUSE_BLK6 (also named EFUSE_BLK_KEY2) can be used as key (for secure_boot or flash_encryption) or for user purposes; * EFUSE_BLK7 (also named EFUSE_BLK_KEY3) can be used as key (for secure_boot or flash_encryption) or for user purposes; * EFUSE_BLK8 (also named EFUSE_BLK_KEY4) can be used as key (for secure_boot or flash_encryption) or for user purposes; - * EFUSE_BLK9 (also named EFUSE_BLK_KEY5) can be used as key (for secure_boot or flash_encryption) or for user purposes; + :SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK and SOC_ECDSA_SUPPORTED: * EFUSE_BLK9 (also named EFUSE_BLK_KEY5) can be used for any purpose except for flash encryption or ECDSA (due to a HW bug); + :SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK and not SOC_ECDSA_SUPPORTED: * EFUSE_BLK9 (also named EFUSE_BLK_KEY5) can be used for any purpose except for flash encryption (due to a HW bug); + :not SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK: * EFUSE_BLK9 (also named EFUSE_BLK_KEY5) can be used as key (for secure_boot or flash_encryption) or for user purposes; * EFUSE_BLK10 (also named EFUSE_BLK_SYS_DATA_PART2) is reseved for system purposes. .. only:: esp32c2