Flash encryption / secure boot: Temporarily disable on-device key generation

Will be enabled after seeding of HWRNG in bootloader is fully tested/qualified.
Angus Gratton 2016-12-01 23:16:34 -08:00
parent f62b83fb77
commit ceb8566970
4 changed files with 14 additions and 27 deletions


@ -78,19 +78,12 @@ static esp_err_t initialise_flash_encryption(void)
&& REG_READ(EFUSE_BLK1_RDATA5_REG) == 0
&& REG_READ(EFUSE_BLK1_RDATA6_REG) == 0
&& REG_READ(EFUSE_BLK1_RDATA7_REG) == 0) {
ESP_LOGI(TAG, "Generating new flash encryption key...");
uint32_t buf[8];
bootloader_fill_random(buf, sizeof(buf));
for (int i = 0; i < 8; i++) {
ESP_LOGV(TAG, "EFUSE_BLK1_WDATA%d_REG = 0x%08x", i, buf[i]);
REG_WRITE(EFUSE_BLK1_WDATA0_REG + 4*i, buf[i]);
}
bzero(buf, sizeof(buf));
esp_efuse_burn_new_values();
ESP_LOGI(TAG, "Read & write protecting new key...");
REG_WRITE(EFUSE_BLK0_WDATA0_REG, EFUSE_WR_DIS_BLK1 | EFUSE_RD_DIS_BLK1);
esp_efuse_burn_new_values();
/* On-device key generation is temporarily disabled, until
* RNG operation during bootloader is qualified.
* See docs/security/flash-encryption.rst for details. */
ESP_LOGE(TAG, "On-device key generation is not yet available.");
return ESP_ERR_NOT_SUPPORTED;
} else {
if(!(efuse_key_read_protected && efuse_key_write_protected)) {
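Review bot: The new `ESP_LOGE` only says that generation is unavailable, while the documentation hunk in this commit tells users the key must now be pre-burned via the `Precalculated Flash Encryption Key` procedure; a device that lands in this branch because provisioning was skipped gets no pointer to that. Suggest `ESP_LOGE(TAG, "EFUSE block 1 is empty and on-device key generation is not yet available; a pre-burned flash encryption key is required (see docs/security/flash-encryption.rst).");`. The same applies to the `ESP_LOGE` in the secure boot hunk (esp_secure_boot_permanently_enable). initialise_flash_encryption starts before and continues past this hunk.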


@ -130,21 +130,12 @@ esp_err_t esp_secure_boot_permanently_enable(void) {
&& REG_READ(EFUSE_BLK2_RDATA5_REG) == 0
&& REG_READ(EFUSE_BLK2_RDATA6_REG) == 0
&& REG_READ(EFUSE_BLK2_RDATA7_REG) == 0) {
ESP_LOGI(TAG, "Generating new secure boot key...");
uint32_t buf[8];
bootloader_fill_random(buf, sizeof(buf));
for (int i = 0; i < 8; i++) {
ESP_LOGV(TAG, "EFUSE_BLK2_WDATA%d_REG = 0x%08x", i, buf[i]);
REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4*i, buf[i]);
}
bzero(buf, sizeof(buf));
burn_efuses();
ESP_LOGI(TAG, "Read & write protecting new key...");
REG_WRITE(EFUSE_BLK0_WDATA0_REG, EFUSE_WR_DIS_BLK2 | EFUSE_RD_DIS_BLK2);
burn_efuses();
efuse_key_read_protected = true;
efuse_key_write_protected = true;
/* On-device key generation is temporarily disabled, until
* RNG operation during bootloader is qualified.
* See docs/security/secure-boot.rst for details. */
ESP_LOGE(TAG, "On-device key generation is not yet available.");
return ESP_ERR_NOT_SUPPORTED;
} else {
ESP_LOGW(TAG, "Using pre-loaded secure boot key in EFUSE block 2");
}
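Review bot: The `else` branch logs `Using pre-loaded secure boot key in EFUSE block 2` but, unlike the flash-encryption hunk, shows no check that block 2 is read- and write-protected before secure boot is enabled; if that check sits further down in esp_secure_boot_permanently_enable (the function continues past the hunk) this can be ignored, otherwise an unprotected pre-loaded key could be read back or altered afterwards. Since on-device generation now returns early, the pre-loaded key is the only supported path, so `ESP_LOGW` for it reads as a warning about the normal case; `ESP_LOGI` seems more appropriate, though that line may predate this commit. Consider also giving the disabling comment a greppable marker, e.g. `/* TODO: re-enable on-device key generation once bootloader RNG seeding is qualified. */`.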


@ -7,6 +7,9 @@ Flash Encryption is separate from the `Secure Boot` feature, and you can use fla
**IMPORTANT: Enabling flash encryption limits your options for further updates of your ESP32. Make sure to read this document (including `Limitations of Flash Encryption` and understand the implications of enabling flash encryption.**
**IMPORTANT: Flash Encryption feature is currently enabled for development use only, with a key generated on the host. The recommended production configuration, where the flash encryption key is generated by the device on first boot, is currently disabled while final testing is done. This documentation refers to flash encryption keys being generated on first boot, however for now it is necessary to follow the additional steps shown under `Precalculated Flash Encryption Key`.**
Background
----------


@ -5,7 +5,7 @@ Secure Boot is a feature for ensuring only your code can run on the chip. Data l
Secure Boot is separate from the `Flash Encryption` feature, and you can use secure boot without encrypting the flash contents. However we recommend using both features together for a secure environment.
**IMPORTANT: As Encrypted Flash feature and related security features are not yet released, Secure Boot should not be considered sufficient for a secure device and we strongly recommend not enabling the one-time secure bootloader feature until it is mature.**
**IMPORTANT: Secure Boot feature is currently enabled for development use only, with a key generated on the host. The recommended production configuration, where the secure boot key is generated by the device on first boot, is currently disabled while final testing is done. This documentation refers to "One-Time Flashable" mode (where keys are generated on the device), but for now only the `Re-Flashable Software Bootloader` mode is available.**
Background
----------