From 723b2e86e54e32acac27a0876ffaee54961ca962 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Wed, 8 Mar 2023 00:09:45 +0800
Subject: [PATCH 1/4] security: write-protect DIS_ICAHE and DIS_DCACHE
Closes IDF-5177
---
 .../esp32/flash_encryption_secure_features.c | 8 +++++++
 .../flash_encryption_secure_features.c | 9 ++++++++
 .../flash_encryption_secure_features.c | 12 +++++++++-
 .../flash_encryption_secure_features.c | 9 ++++++++
 .../flash_encryption_secure_features.c | 9 ++++++++
 .../flash_encryption_secure_features.c | 10 +++++++++
 .../flash_encryption_secure_features.c | 10 +++++++++
 .../bootloader_support/src/flash_encrypt.c | 22 +++++++++++++++++++
 .../esp32c3/include/soc/Kconfig.soc_caps.in | 4 ++++
 components/soc/esp32c3/include/soc/soc_caps.h | 1 +
 .../esp32c6/include/soc/Kconfig.soc_caps.in | 4 ++++
 components/soc/esp32c6/include/soc/soc_caps.h | 1 +
 .../esp32h2/include/soc/Kconfig.soc_caps.in | 4 ++++
 components/soc/esp32h2/include/soc/soc_caps.h | 1 +
 .../esp32h4/include/soc/Kconfig.soc_caps.in | 4 ++++
 components/soc/esp32h4/include/soc/soc_caps.h | 1 +
 .../esp32s2/include/soc/Kconfig.soc_caps.in | 4 ++++
 components/soc/esp32s2/include/soc/soc_caps.h | 1 +
 .../esp32s3/include/soc/Kconfig.soc_caps.in | 4 ++++
 components/soc/esp32s3/include/soc/soc_caps.h | 1 +
 20 files changed, 118 insertions(+), 1 deletion(-)
diff --git a/components/bootloader_support/src/esp32/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32/flash_encryption_secure_features.c
index 5738b2c26b..dc09bff08e 100644
--- a/components/bootloader_support/src/esp32/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32/flash_encryption_secure_features.c
@@ -79,5 +79,13 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
 #endif
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+ // esp32 has DIS_ICACHE. Write-protection bit = 3.
+ // List of eFuses with the same write protection bit:
+ // MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV.
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
index 16795b5254..f8f2af5090 100644
--- a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
@@ -46,5 +46,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+ // esp32c3 has DIS_ICACHE. Write-protection bit = 2.
+ // List of eFuses with the same write protection bit:
+ // DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, DIS_USB_SERIAL_JTAG,
+ // DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c
index 3f64dbfd3d..0186180853 100644
--- a/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c
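Review bot: The new comment block says `esp32 has DIS_ICACHE` while the line it documents burns `ESP_EFUSE_WR_DIS_DIS_CACHE` and the shared-bit list on the next comment line itself names DIS_CACHE; on esp32 the field is DIS_CACHE, so the first two comment lines should read `// Set write-protection for DIS_CACHE to prevent bricking chip in case it will be set accidentally.` and `// esp32 has DIS_CACHE. Write-protection bit = 3.` (the verify message added in flash_encrypt.c already says DIS_CACHE). Separately, `ESP_EFUSE_WR_DIS_DIS_CACHE` here and `ESP_EFUSE_WR_DIS_DIS_ICACHE` in the esp32c3/c6/h2/h4/s2/s3 hunks and in flash_encrypt.c are only defined by the eFuse tables in PATCH 3/4, so PATCH 1/4 does not build on its own; reordering the series so the table commit lands first keeps it bisectable (the c6 and h2 tables are not in PATCH 3/4's diffstat, so confirm those two symbols exist elsewhere). It is worth one more comment line here that burning this WR_DIS bit is irreversible and freezes every listed field (MAC, DISABLE_BT, ...) at its current value, since the function is reached from a release-mode build. esp_flash_encryption_enable_secure_features starts outside the hunk.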
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -46,5 +46,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+ // esp32c6 has DIS_ICACHE. Write-protection bit = 2.
+ // List of eFuses with the same write protection bit:
+ // SWAP_UART_SDIO_EN, DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE,
+ // DIS_USB_SERIAL_JTAG, DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE,
+ // DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
index 8a9749c8f6..3fb6162708 100644
--- a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
@@ -39,5 +39,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+ // esp32h2 has DIS_ICACHE. Write-protection bit = 2.
+ // List of eFuses with the same write protection bit:
+ // DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS,
+ // DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c
index 16795b5254..f06b78a423 100644
--- a/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c
@@ -46,5 +46,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+ // esp32h4 has DIS_ICACHE. Write-protection bit = 2.
+ // List of eFuses with the same write protection bit:
+ // DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS,
+ // DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
index 3927367c3e..8751ec6433 100644
--- a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
@@ -47,5 +47,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally.
+ // esp32s2 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both.
+ // List of eFuses with the same write protection bit:
+ // DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+ // DIS_FORCE_DOWNLOAD, DIS_USB, DIS_TWAI, DIS_BOOT_REMAP, SOFT_DIS_JTAG,
+ // HARD_DIS_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c
index 3e5437051b..3fea5e43ad 100644
--- a/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c
@@ -47,5 +47,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally.
+ // esp32s3 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both.
+ // List of eFuses with the same write protection bit:
+ // DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+ // DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG,
+ // DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 9f040e829a..a21f983081 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -200,6 +200,14 @@ void esp_flash_encryption_set_release_mode(void)
 #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 #endif // !CONFIG_IDF_TARGET_ESP32
+#ifdef CONFIG_IDF_TARGET_ESP32
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+#else
+#if SOC_EFUSE_DIS_ICACHE
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+#endif // !CONFIG_IDF_TARGET_ESP32
+
 #if CONFIG_SOC_SUPPORTS_SECURE_DL_MODE
 esp_efuse_enable_rom_secure_download_mode();
 #else
@@ -272,6 +280,12 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
 ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
 }
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected DIS_CACHE (set WR_DIS_DIS_CACHE->1)");
+ }
+
 secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
 result &= secure;
 if (!secure) {
@@ -376,6 +390,14 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
 }
 #endif
+#if SOC_EFUSE_DIS_ICACHE
+ secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+ result &= secure;
+ if (!secure) {
+ ESP_LOGW(TAG, "Not write-protected DIS_ICACHE (set WR_DIS_DIS_ICACHE->1)");
+ }
+#endif
+
 esp_efuse_purpose_t purposes[] = {
 #if SOC_FLASH_ENCRYPTION_XTS_AES_256
 ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in
index 697d080b69..96e933201d 100644
--- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in
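Review bot: The trailing label on the new block's closing `#endif // !CONFIG_IDF_TARGET_ESP32` in the `@@ -200` hunk is wrong — that `#endif` closes `#ifdef CONFIG_IDF_TARGET_ESP32`, and copying the label from the line above now marks two different conditionals identically. The nested `#else` / `#if` can collapse to one directive, giving `#ifdef CONFIG_IDF_TARGET_ESP32`, `#elif SOC_EFUSE_DIS_ICACHE` and `#endif // CONFIG_IDF_TARGET_ESP32` around the two burn calls. Burning this WR_DIS bit also permanently locks every other field that shares it (the per-chip lists in the secure_features.c hunks, e.g. DIS_DOWNLOAD_MANUAL_ENCRYPT and DIS_PAD_JTAG on esp32c3), so any of those that release mode still intends to set must be burned earlier in this function; the function starts outside the hunk, so that ordering cannot be confirmed here and deserves a comment at this point. The return value of esp_efuse_write_field_bit is dropped, as on the neighbouring lines, so a failed burn leaves the device without the protection and without a log line.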
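Review bot: `ESP_EFUSE_WR_DIS_DIS_CACHE` is declared only in the esp32 eFuse table (PATCH 3/4 adds it there and nowhere else), so the new check in the `@@ -272` hunk compiles only if it sits inside an ESP32-only region; the neighbouring CONSOLE_DEBUG_DISABLE check suggests it does, but the enclosing `#if` is outside the hunk and should be confirmed, otherwise the five new lines need their own `#ifdef CONFIG_IDF_TARGET_ESP32`. The `@@ -376` hunk handles the other chips with `#if SOC_EFUSE_DIS_ICACHE`, which stays false on esp32c2 where PATCH 3/4 says no such field exists. esp_flash_encryption_cfg_verify_release_mode starts and ends outside both hunks.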
@@ -767,6 +767,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG
 bool
 default y
+config SOC_EFUSE_DIS_ICACHE
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h
index c7abe37fad..e0fc2f3cff 100644
--- a/components/soc/esp32c3/include/soc/soc_caps.h
+++ b/components/soc/esp32c3/include/soc/soc_caps.h
@@ -339,6 +339,7 @@
 #define SOC_EFUSE_DIS_USB_JTAG 1
 #define SOC_EFUSE_DIS_DIRECT_BOOT 1
 #define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_ICACHE 1
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in
index 2373c9452d..3b940ce317 100644
--- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in
@@ -979,6 +979,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG
 bool
 default y
+config SOC_EFUSE_DIS_ICACHE
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h
index ef0d583a8c..b0a30ae422 100644
--- a/components/soc/esp32c6/include/soc/soc_caps.h
+++ b/components/soc/esp32c6/include/soc/soc_caps.h
@@ -403,6 +403,7 @@
 #define SOC_EFUSE_DIS_USB_JTAG 1
 #define SOC_EFUSE_DIS_DIRECT_BOOT 1
 #define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_ICACHE 1
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
index eea30cc633..28b6b2b8ef 100644
--- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
@@ -943,6 +943,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG
 bool
 default y
+config SOC_EFUSE_DIS_ICACHE
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h
index d24600c4ca..2711941d85 100644
--- a/components/soc/esp32h2/include/soc/soc_caps.h
+++ b/components/soc/esp32h2/include/soc/soc_caps.h
@@ -400,6 +400,7 @@
 #define SOC_EFUSE_DIS_USB_JTAG 1
 #define SOC_EFUSE_DIS_DIRECT_BOOT 1
 #define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_ICACHE 1
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in
index 1efb5ef96d..d21f7e3bb0 100644
--- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in
@@ -739,6 +739,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG
 bool
 default y
+config SOC_EFUSE_DIS_ICACHE
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h
index 759114e918..fea5b165dc 100644
--- a/components/soc/esp32h4/include/soc/soc_caps.h
+++ b/components/soc/esp32h4/include/soc/soc_caps.h
@@ -350,6 +350,7 @@
 #define SOC_EFUSE_DIS_USB_JTAG 1
 #define SOC_EFUSE_DIS_DIRECT_BOOT 1
 #define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_ICACHE 1
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in
index 8998050439..0a756e0f60 100644
--- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in
@@ -863,6 +863,10 @@ config SOC_EFUSE_DIS_LEGACY_SPI_BOOT
 bool
 default y
+config SOC_EFUSE_DIS_ICACHE
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h
index 2a74a93803..94e210a282 100644
--- a/components/soc/esp32s2/include/soc/soc_caps.h
+++ b/components/soc/esp32s2/include/soc/soc_caps.h
@@ -375,6 +375,7 @@
 #define SOC_EFUSE_SOFT_DIS_JTAG 1
 #define SOC_EFUSE_DIS_BOOT_REMAP 1
 #define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1
+#define SOC_EFUSE_DIS_ICACHE 1
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in
index e067050659..887936c4cb 100644
--- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in
@@ -1091,6 +1091,10 @@ config SOC_EFUSE_DIS_DIRECT_BOOT
 bool
 default y
+config SOC_EFUSE_DIS_ICACHE
+ bool
+ default y
+
 config SOC_SECURE_BOOT_V2_RSA
 bool
 default y
diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h
index 5d69e0eae4..3434250e30 100644
--- a/components/soc/esp32s3/include/soc/soc_caps.h
+++ b/components/soc/esp32s3/include/soc/soc_caps.h
@@ -439,6 +439,7 @@
 #define SOC_EFUSE_DIS_USB_JTAG 1
 #define SOC_EFUSE_SOFT_DIS_JTAG 1
 #define SOC_EFUSE_DIS_DIRECT_BOOT 1
+#define SOC_EFUSE_DIS_ICACHE 1
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA 1
From b950f5de8d2e9ebb874f81178a4ae5803078e06e Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Tue, 14 Mar 2023 00:03:27 +0800
Subject: [PATCH 2/4] efuse: Fix handling aliases in efuse_table_gen
---
 components/efuse/efuse_table_gen.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/efuse/efuse_table_gen.py b/components/efuse/efuse_table_gen.py
index 11252c5681..498f50721d 100755
--- a/components/efuse/efuse_table_gen.py
+++ b/components/efuse/efuse_table_gen.py
@@ -439,7 +439,7 @@ class FuseDefinition(object):
 str(self.get_bit_count()) + '}, \t // ' + self.comment])
 def get_alt_names(self):
- result = re.search(r'\[(.*?)\]', self.comment)
+ result = re.search(r'^\[(.*?)\]', self.comment)
 if result:
 return result.group(1).split()
 return []
From 199e5abbf3be65d69cdd8dbfacd82a542cd9819a Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Tue, 14 Mar 2023 00:06:41 +0800
Subject: [PATCH 3/4] efuse: Adds WR_DIS.DIS_CACHE for esp32 and WR_DIS.DIS_ICACHE for rest chips
C2 chip does not have such fields
---
 components/efuse/esp32/esp_efuse_table.c | 22 +++++++++++++++++--
 components/efuse/esp32/esp_efuse_table.csv | 12 +++++-----
 .../efuse/esp32/include/esp_efuse_table.h | 6 +++--
 components/efuse/esp32c3/esp_efuse_table.c | 13 +++++++++--
 components/efuse/esp32c3/esp_efuse_table.csv | 1 +
 .../efuse/esp32c3/include/esp_efuse_table.h | 5 +++--
 components/efuse/esp32h4/esp_efuse_table.c | 13 +++++++++--
 components/efuse/esp32h4/esp_efuse_table.csv | 1 +
 .../efuse/esp32h4/include/esp_efuse_table.h | 5 +++--
 components/efuse/esp32s2/esp_efuse_table.c | 13 +++++++++--
 components/efuse/esp32s2/esp_efuse_table.csv | 1 +
 .../efuse/esp32s2/include/esp_efuse_table.h | 5 +++--
 components/efuse/esp32s3/esp_efuse_table.c | 13 +++++++++--
 components/efuse/esp32s3/esp_efuse_table.csv | 1 +
 .../efuse/esp32s3/include/esp_efuse_table.h | 5 +++--
 15 files changed, 91 insertions(+), 25 deletions(-)
diff --git a/components/efuse/esp32/esp_efuse_table.c b/components/efuse/esp32/esp_efuse_table.c
index dc57a53b55..c02ab77fa1 100644
--- a/components/efuse/esp32/esp_efuse_table.c
+++ b/components/efuse/esp32/esp_efuse_table.c
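Review bot: Anchoring the alias pattern with `^` turns this into a prefix match, so `result = re.match(r'\[(.*?)\]', self.comment)` says the same thing more directly and is the idiom a reader expects; either way the behaviour change deserves a docstring, because before this fix any bracketed text anywhere in a comment was silently turned into alias names. Suggested docstring for get_alt_names: `"""Return the field's alternative names. Aliases are a space-separated list in square brackets at the very start of the comment ('[A B] ...'); '[]' or no leading brackets means none."""`. If comments can reach this method with leading whitespace from the CSV parser, `^` will no longer match them, which is worth checking against how self.comment is stripped — that code is outside the hunk. FuseDefinition continues outside the hunk.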
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,7 +9,7 @@
 #include
 #include "esp_efuse_table.h"
-// md5_digest_table 6256f9b7c6783e0b651bf52b5b162aa8
+// md5_digest_table c5ac3aa2d3a97d98ced4f4fccf48c328
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -99,6 +99,10 @@ static const esp_efuse_desc_t UART_DOWNLOAD_DIS[] = {
 {EFUSE_BLK0, 27, 1}, // Disable UART download mode. Valid for ESP32 V3 and newer,
 };
+static const esp_efuse_desc_t WR_DIS[] = {
+ {EFUSE_BLK0, 0, 16}, // [] Efuse write disable mask,
+};
+
 static const esp_efuse_desc_t WR_DIS_EFUSE_RD_DISABLE[] = {
 {EFUSE_BLK0, 0, 1}, // Write protection for EFUSE_RD_DISABLE,
 };
@@ -107,6 +111,10 @@ static const esp_efuse_desc_t WR_DIS_FLASH_CRYPT_CNT[] = {
 {EFUSE_BLK0, 2, 1}, // Flash encrypt. Write protection FLASH_CRYPT_CNT,
 };
+static const esp_efuse_desc_t WR_DIS_DIS_CACHE[] = {
+ {EFUSE_BLK0, 3, 1}, // [] wr_dis of DIS_CACHE,
+};
+
 static const esp_efuse_desc_t WR_DIS_BLK1[] = {
 {EFUSE_BLK0, 7, 1}, // Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1,
 };
@@ -294,6 +302,11 @@ const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[] = {
 NULL
 };
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = {
+ &WR_DIS[0], // [] Efuse write disable mask
+ NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[] = {
 &WR_DIS_EFUSE_RD_DISABLE[0], // Write protection for EFUSE_RD_DISABLE
 NULL
@@ -304,6 +317,11 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[] = {
 NULL
 };
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_CACHE[] = {
+ &WR_DIS_DIS_CACHE[0], // [] wr_dis of DIS_CACHE
+ NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[] = {
 &WR_DIS_BLK1[0], // Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
 NULL
diff --git a/components/efuse/esp32/esp_efuse_table.csv b/components/efuse/esp32/esp_efuse_table.csv
index 8f04db1d3e..95ed0a0113 100644
--- a/components/efuse/esp32/esp_efuse_table.csv
+++ b/components/efuse/esp32/esp_efuse_table.csv
@@ -49,11 +49,13 @@ UART_DOWNLOAD_DIS, EFUSE_BLK0, 27, 1, Disable UART download mode.
 # Write protection #
 ####################
-WR_DIS_EFUSE_RD_DISABLE,EFUSE_BLK0, 0, 1, Write protection for EFUSE_RD_DISABLE
-WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0, 2, 1, Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT
-WR_DIS_BLK1, EFUSE_BLK0, 7, 1, Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
-WR_DIS_BLK2, EFUSE_BLK0, 8, 1, Security boot. Write protection security key. EFUSE_WR_DIS_BLK2
-WR_DIS_BLK3, EFUSE_BLK0, 9, 1, Write protection for EFUSE_BLK3. EFUSE_WR_DIS_BLK3
+WR_DIS, EFUSE_BLK0, 0, 16, [] Efuse write disable mask
+WR_DIS.EFUSE_RD_DISABLE,EFUSE_BLK0, 0, 1, Write protection for EFUSE_RD_DISABLE
+WR_DIS.FLASH_CRYPT_CNT, EFUSE_BLK0, 2, 1, Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT
+WR_DIS.DIS_CACHE, EFUSE_BLK0, 3, 1, [] wr_dis of DIS_CACHE
+WR_DIS.BLK1, EFUSE_BLK0, 7, 1, Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
+WR_DIS.BLK2, EFUSE_BLK0, 8, 1, Security boot. Write protection security key. EFUSE_WR_DIS_BLK2
+WR_DIS.BLK3, EFUSE_BLK0, 9, 1, Write protection for EFUSE_BLK3. EFUSE_WR_DIS_BLK3
 # Read protection #
 ###################
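Review bot: The new `WR_DIS.DIS_CACHE` row documents bit 3 as `[] wr_dis of DIS_CACHE` only, yet PATC 1/4's esp32 bootloader comment shows the same write-disable bit also covers MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT and VOL_LEVEL_HP_INV; the generated table comment is all a caller of ESP_EFUSE_WR_DIS_DIS_CACHE sees, so record the blast radius here: `WR_DIS.DIS_CACHE, EFUSE_BLK0, 3, 1, [] wr_dis of DIS_CACHE (same bit also locks MAC MAC_CRC DISABLE_APP_CPU DISABLE_BT VOL_LEVEL_HP_INV)`. The renamed rows (`WR_DIS_X` to `WR_DIS.X`) still generate `ESP_EFUSE_WR_DIS_X` identifiers per the esp_efuse_table.c hunk, so existing callers are unaffected, but the commit message should say so since a rename in this table usually means an API change.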
diff --git a/components/efuse/esp32/include/esp_efuse_table.h b/components/efuse/esp32/include/esp_efuse_table.h
index ab896d1b9c..2433d4b87a 100644
--- a/components/efuse/esp32/include/esp_efuse_table.h
+++ b/components/efuse/esp32/include/esp_efuse_table.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -10,7 +10,7 @@ extern "C" {
 #include "esp_efuse.h"
-// md5_digest_table 6256f9b7c6783e0b651bf52b5b162aa8
+// md5_digest_table c5ac3aa2d3a97d98ced4f4fccf48c328
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -34,8 +34,10 @@ extern const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[];
 extern const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_CACHE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK3[];
diff --git a/components/efuse/esp32c3/esp_efuse_table.c b/components/efuse/esp32c3/esp_efuse_table.c
index 7d0329923c..b25e14c1a8 100644
--- a/components/efuse/esp32c3/esp_efuse_table.c
+++ b/components/efuse/esp32c3/esp_efuse_table.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,7 +9,7 @@
 #include
 #include "esp_efuse_table.h"
-// md5_digest_table d006c80095638b5dbdc8649bf7e04dce
+// md5_digest_table 2bf0cfccdc9e055a493d80400a248794
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -23,6 +23,10 @@ static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
 {EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2,
 };
+static const esp_efuse_desc_t WR_DIS_DIS_ICACHE[] = {
+ {EFUSE_BLK0, 2, 1}, // [] wr_dis of DIS_ICACHE,
+};
+
 static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
 {EFUSE_BLK0, 2, 1}, // Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT,
 };
@@ -515,6 +519,11 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
 NULL
 };
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[] = {
+ &WR_DIS_DIS_ICACHE[0], // [] wr_dis of DIS_ICACHE
+ NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[] = {
 &WR_DIS_GROUP_1[0], // Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 NULL
diff --git a/components/efuse/esp32c3/esp_efuse_table.csv b/components/efuse/esp32c3/esp_efuse_table.csv
index 007eb65bfd..9430ae73e6 100644
--- a/components/efuse/esp32c3/esp_efuse_table.csv
+++ b/components/efuse/esp32c3/esp_efuse_table.csv
@@ -15,6 +15,7 @@
 # EFUSE_RD_WR_DIS_REG #
 WR_DIS, EFUSE_BLK0, 0, 32, Write protection
 WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2
+ WR_DIS.DIS_ICACHE, EFUSE_BLK0, 2, 1, [] wr_dis of DIS_ICACHE
 WR_DIS.GROUP_1, EFUSE_BLK0, 2, 1, Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 WR_DIS.GROUP_2, EFUSE_BLK0, 3, 1, Write protection for WDT_DELAY_SEL
 WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 4, 1, Write protection for SPI_BOOT_CRYPT_CNT
diff --git a/components/efuse/esp32c3/include/esp_efuse_table.h b/components/efuse/esp32c3/include/esp_efuse_table.h
index 05afdbc155..00b24634b9 100644
--- a/components/efuse/esp32c3/include/esp_efuse_table.h
+++ b/components/efuse/esp32c3/include/esp_efuse_table.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -10,7 +10,7 @@ extern "C" {
 #include "esp_efuse.h"
-// md5_digest_table d006c80095638b5dbdc8649bf7e04dce
+// md5_digest_table 2bf0cfccdc9e055a493d80400a248794
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -19,6 +19,7 @@ extern "C" {
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];
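Review bot: `WR_DIS.DIS_ICACHE` is added at EFUSE_BLK0 bit 2, the same bit as the existing `WR_DIS.GROUP_1` row directly below it, so two named fields now alias one fuse and the new comment `[] wr_dis of DIS_ICACHE` does not say that burning it also locks everything in GROUP_1; suggest `[] wr_dis of DIS_ICACHE (same bit as WR_DIS.GROUP_1)` here and in the matching esp32h4 and esp32s2 rows. The GROUP_1 comments list DIS_USB, DIS_CAN and SOFT_DIS_JTAG for that bit while the esp32c3 bootloader comment in PATCH 1/4 lists DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, JTAG_SEL_ENABLE and DIS_PAD_JTAG for the same bit — one of the two lists looks stale and they should be reconciled against the chip's eFuse documentation before either is relied on.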
diff --git a/components/efuse/esp32h4/esp_efuse_table.c b/components/efuse/esp32h4/esp_efuse_table.c
index bcd9aa4cb7..dd5f5a9f20 100644
--- a/components/efuse/esp32h4/esp_efuse_table.c
+++ b/components/efuse/esp32h4/esp_efuse_table.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,7 +9,7 @@
 #include
 #include "esp_efuse_table.h"
-// md5_digest_table b9e60ac2d8c534764d7bee10063617aa
+// md5_digest_table 4561606695cfe94477d259619fd723ef
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -23,6 +23,10 @@ static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
 {EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2,
 };
+static const esp_efuse_desc_t WR_DIS_DIS_ICACHE[] = {
+ {EFUSE_BLK0, 2, 1}, // [] wr_dis of DIS_ICACHE,
+};
+
 static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
 {EFUSE_BLK0, 2, 1}, // Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_TWAI SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT,
 };
@@ -483,6 +487,11 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
 NULL
 };
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[] = {
+ &WR_DIS_DIS_ICACHE[0], // [] wr_dis of DIS_ICACHE
+ NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[] = {
 &WR_DIS_GROUP_1[0], // Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_TWAI SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 NULL
diff --git a/components/efuse/esp32h4/esp_efuse_table.csv b/components/efuse/esp32h4/esp_efuse_table.csv
index 2b08c33d70..cd94d46d37 100644
--- a/components/efuse/esp32h4/esp_efuse_table.csv
+++ b/components/efuse/esp32h4/esp_efuse_table.csv
@@ -16,6 +16,7 @@
 # EFUSE_RD_WR_DIS_REG #
 WR_DIS, EFUSE_BLK0, 0, 32, Write protection
 WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2
+ WR_DIS.DIS_ICACHE, EFUSE_BLK0, 2, 1, [] wr_dis of DIS_ICACHE
 WR_DIS.GROUP_1, EFUSE_BLK0, 2, 1, Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_TWAI SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 WR_DIS.GROUP_2, EFUSE_BLK0, 3, 1, Write protection for WDT_DELAY_SEL
 WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 4, 1, Write protection for SPI_BOOT_CRYPT_CNT
diff --git a/components/efuse/esp32h4/include/esp_efuse_table.h b/components/efuse/esp32h4/include/esp_efuse_table.h
index f5ed848a0c..402f995278 100644
--- a/components/efuse/esp32h4/include/esp_efuse_table.h
+++ b/components/efuse/esp32h4/include/esp_efuse_table.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -10,7 +10,7 @@ extern "C" {
 #include "esp_efuse.h"
-// md5_digest_table b9e60ac2d8c534764d7bee10063617aa
+// md5_digest_table 4561606695cfe94477d259619fd723ef
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -19,6 +19,7 @@ extern "C" {
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];
diff --git a/components/efuse/esp32s2/esp_efuse_table.c b/components/efuse/esp32s2/esp_efuse_table.c
index 91d390d62b..2a1928894d 100644
--- a/components/efuse/esp32s2/esp_efuse_table.c
+++ b/components/efuse/esp32s2/esp_efuse_table.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,7 +9,7 @@
 #include
 #include "esp_efuse_table.h"
-// md5_digest_table 3ac9188bf7eb0a27f3f636085a260743
+// md5_digest_table 10aa3ea5c0748be491a49b2b2d889166
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -27,6 +27,10 @@ static const esp_efuse_desc_t WR_DIS_DIS_RTC_RAM_BOOT[] = {
 {EFUSE_BLK0, 1, 1}, // Write protection for DIS_RTC_RAM_BOOT,
 };
+static const esp_efuse_desc_t WR_DIS_DIS_ICACHE[] = {
+ {EFUSE_BLK0, 2, 1}, // [] wr_dis of DIS_ICACHE,
+};
+
 static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
 {EFUSE_BLK0, 2, 1}, // Write protection for DIS_ICACHE DIS_DCACHE DIS_DOWNLOAD_ICACHE DIS_DOWNLOAD_DCACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN DIS_BOOT_REMAP SOFT_DIS_JTAG HARD_DIS.JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT,
 };
@@ -480,6 +484,11 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_RTC_RAM_BOOT[] = {
 NULL
 };
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[] = {
+ &WR_DIS_DIS_ICACHE[0], // [] wr_dis of DIS_ICACHE
+ NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[] = {
 &WR_DIS_GROUP_1[0], // Write protection for DIS_ICACHE DIS_DCACHE DIS_DOWNLOAD_ICACHE DIS_DOWNLOAD_DCACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN DIS_BOOT_REMAP SOFT_DIS_JTAG HARD_DIS.JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 NULL
diff --git a/components/efuse/esp32s2/esp_efuse_table.csv b/components/efuse/esp32s2/esp_efuse_table.csv
index 7835b55a75..27ed54a8c1 100644
--- a/components/efuse/esp32s2/esp_efuse_table.csv
+++ b/components/efuse/esp32s2/esp_efuse_table.csv
@@ -16,6 +16,7 @@
 WR_DIS, EFUSE_BLK0, 0, 32, Write protection
 WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS.KEY0 RD_DIS.KEY1 RD_DIS.KEY2 RD_DIS.KEY3 RD_DIS.KEY4 RD_DIS.KEY5 RD_DIS.SYS_DATA_PART2
 WR_DIS.DIS_RTC_RAM_BOOT, EFUSE_BLK0, 1, 1, Write protection for DIS_RTC_RAM_BOOT
+ WR_DIS.DIS_ICACHE, EFUSE_BLK0, 2, 1, [] wr_dis of DIS_ICACHE
 WR_DIS.GROUP_1, EFUSE_BLK0, 2, 1, Write protection for DIS_ICACHE DIS_DCACHE DIS_DOWNLOAD_ICACHE DIS_DOWNLOAD_DCACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN DIS_BOOT_REMAP SOFT_DIS_JTAG HARD_DIS.JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 WR_DIS.GROUP_2, EFUSE_BLK0, 3, 1, Write protection for VDD_SPI_XPD VDD_SPI_TIEH VDD_SPI_FORCE VDD_SPI_INIT VDD_SPI_DCAP WDT_DELAY_SEL
 WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 4, 1, Write protection for SPI_BOOT_CRYPT_CNT
diff --git a/components/efuse/esp32s2/include/esp_efuse_table.h b/components/efuse/esp32s2/include/esp_efuse_table.h
index 6e0404f31f..46d67dc029 100644
--- a/components/efuse/esp32s2/include/esp_efuse_table.h
+++ b/components/efuse/esp32s2/include/esp_efuse_table.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -10,7 +10,7 @@ extern "C" {
 #include "esp_efuse.h"
-// md5_digest_table 3ac9188bf7eb0a27f3f636085a260743
+// md5_digest_table 10aa3ea5c0748be491a49b2b2d889166
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -20,6 +20,7 @@ extern "C" {
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_RTC_RAM_BOOT[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];
diff --git a/components/efuse/esp32s3/esp_efuse_table.c b/components/efuse/esp32s3/esp_efuse_table.c
index b2a99a0b83..064c5066d8 100644
--- a/components/efuse/esp32s3/esp_efuse_table.c
+++ b/components/efuse/esp32s3/esp_efuse_table.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,7 +9,7 @@
 #include
 #include "esp_efuse_table.h"
-// md5_digest_table 87c5ae68b74dbafb114e14f6febff9e2
+// md5_digest_table 770b2130715648e4649be150765d72f9
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -23,6 +23,10 @@ static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
 {EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2,
 };
+static const esp_efuse_desc_t WR_DIS_DIS_ICACHE[] = {
+ {EFUSE_BLK0, 2, 1}, // [] wr_dis of DIS_ICACHE,
+};
+
 static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
 {EFUSE_BLK0, 2, 1}, // Write protection for DIS_ICACHE DIS_DCACHE DIS_DOWNLOAD_ICACHE DIS_DOWNLOAD_DCACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG HARD_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT,
 };
@@ -583,6 +587,11 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
 NULL
 };
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[] = {
+ &WR_DIS_DIS_ICACHE[0], // [] wr_dis of DIS_ICACHE
+ NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[] = {
 &WR_DIS_GROUP_1[0], // Write protection for DIS_ICACHE DIS_DCACHE DIS_DOWNLOAD_ICACHE DIS_DOWNLOAD_DCACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG HARD_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 NULL
diff --git a/components/efuse/esp32s3/esp_efuse_table.csv b/components/efuse/esp32s3/esp_efuse_table.csv
index 8efee7c24b..9d48b9d1d3 100644
--- a/components/efuse/esp32s3/esp_efuse_table.csv
+++ b/components/efuse/esp32s3/esp_efuse_table.csv
@@ -14,6 +14,7 @@
 # EFUSE_RD_WR_DIS_REG #
 WR_DIS, EFUSE_BLK0, 0, 32, Write protection
 WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2
+ WR_DIS.DIS_ICACHE, EFUSE_BLK0, 2, 1, [] wr_dis of DIS_ICACHE
 WR_DIS.GROUP_1, EFUSE_BLK0, 2, 1, Write protection for DIS_ICACHE DIS_DCACHE DIS_DOWNLOAD_ICACHE DIS_DOWNLOAD_DCACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG HARD_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
 WR_DIS.GROUP_2, EFUSE_BLK0, 3, 1, Write protection for VDD_SPI_XPD VDD_SPI_TIEH VDD_SPI_FORCE VDD_SPI_INIT VDD_SPI_DCAP WDT_DELAY_SEL
 WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 4, 1, Write protection for SPI_BOOT_CRYPT_CNT
diff --git a/components/efuse/esp32s3/include/esp_efuse_table.h b/components/efuse/esp32s3/include/esp_efuse_table.h
index 93be6aae49..ca89951ee0 100644
--- a/components/efuse/esp32s3/include/esp_efuse_table.h
+++ b/components/efuse/esp32s3/include/esp_efuse_table.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -10,7 +10,7 @@ extern "C" {
 #include "esp_efuse.h"
-// md5_digest_table 87c5ae68b74dbafb114e14f6febff9e2
+// md5_digest_table 770b2130715648e4649be150765d72f9
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -19,6 +19,7 @@ extern "C" {
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];
From a3232e4a5b110ce8758ae98c85ed36a97c8d9584 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Sat, 25 Mar 2023 03:07:10 +0800
Subject: [PATCH 4/4] bootloader: Adds an option to leave DIS_CACHE writeable
---
 components/bootloader/Kconfig.projbuild | 41 +++++++++++++++++++
 .../esp32/flash_encryption_secure_features.c | 2 +-
 .../flash_encryption_secure_features.c | 2 +-
 .../flash_encryption_secure_features.c | 2 +-
 .../flash_encryption_secure_features.c | 2 +-
 .../flash_encryption_secure_features.c | 2 +-
 .../flash_encryption_secure_features.c | 2 +-
 .../flash_encryption_secure_features.c | 2 +-
 8 files changed, 48 insertions(+), 7 deletions(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 37abaaf789..4c13448c1c 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -829,6 +829,10 @@ menu "Security features"
 endchoice
+ config SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
+ bool
+ default y if (SOC_EFUSE_DIS_ICACHE || IDF_TARGET_ESP32) && SECURE_FLASH_ENC_ENABLED
+
 menu "Potentially insecure options"
 visible if SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT || SECURE_BOOT_INSECURE || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT # NOERROR
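Review bot: The `IDF_TARGET_ESP32` special case in the new `default y if (SOC_EFUSE_DIS_ICACHE || IDF_TARGET_ESP32) && SECURE_FLASH_ENC_ENABLED` line is left unexplained; the reason, as the help text of SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE later in this file states, is that the ESP32 fuse is named DIS_CACHE rather than DIS_ICACHE, so it has no SOC_EFUSE_DIS_ICACHE capability to key off. A one-line comment above the symbol would save the next reader a lookup, e.g. `# ESP32 names this fuse DIS_CACHE and has no SOC_EFUSE_DIS_ICACHE cap, hence the explicit target check`. Since this is a hidden bool that other symbols `select` against, it would also help to say in that comment that it only records whether the target has a cache-disable write-protect fuse and is consumed by SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE and the `select` lines on the three ALLOW options.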
@@ -855,6 +859,7 @@ menu "Security features"
 config SECURE_BOOT_ALLOW_JTAG
 bool "Allow JTAG Debugging"
 depends on SECURE_BOOT_INSECURE || SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
 default N
 help
 If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot
@@ -912,6 +917,7 @@ menu "Security features"
 config SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
 bool "Leave UART bootloader encryption enabled"
 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
 default N
 help
 If not set (default), the bootloader will permanently disable UART bootloader encryption access on
@@ -934,6 +940,7 @@ menu "Security features"
 bool "Leave UART bootloader flash cache enabled"
 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT && (IDF_TARGET_ESP32 || SOC_EFUSE_DIS_DOWNLOAD_ICACHE || SOC_EFUSE_DIS_DOWNLOAD_DCACHE) # NOERROR
 default N
+ select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
 help
 If not set (default), the bootloader will permanently disable UART bootloader flash cache access on first boot. If set, the UART bootloader will still be able to access the flash cache.
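Review bot: The third hunk (SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE) places the new `select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE` after `default N`, whereas the first two hunks place it before `default N`; moving it above `default N` keeps the three option blocks parallel and makes the shared pattern easy to grep. None of the three help texts mention the new side effect, so a user enabling "Allow JTAG Debugging" has no indication that the cache-disable write-protect fuse will now be left unburned; a sentence such as `Enabling this option also skips write-protection of the cache-disable eFuse, see SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE.` in each help block would surface that at the point of choice. The `if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE` guard is needed because Kconfig `select` forces the target symbol on regardless of its own `depends on`, which is worth stating in a comment so it is not dropped when another selecting option is added.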
@@ -954,6 +961,40 @@ menu "Security features"
 Only use this option in testing environments, to avoid accidentally enabling flash encryption on the wrong device. The device needs to have flash encryption already enabled using espefuse.py.
+ config SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+ bool "Skip write-protection of DIS_CACHE (DIS_ICACHE, DIS_DCACHE)"
+ default n
+ depends on SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
+ help
+ If not set (default, recommended), on the first boot the bootloader will burn the write-protection of
+ DIS_CACHE(for ESP32) or DIS_ICACHE/DIS_DCACHE(for other chips) eFuse when Flash Encryption is enabled.
+ Write protection for cache disable efuse prevents the chip from being blocked if it is set by accident.
+ App and bootloader use cache so disabling it makes the chip useless for IDF.
+ Due to other eFuses are linked with the same write protection bit (see the list below) then
+ write-protection will not be done if these SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC,
+ SECURE_BOOT_ALLOW_JTAG or SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE options are selected
+ to give a chance to turn on the chip into the release mode later.
+
+ List of eFuses with the same write protection bit:
+ ESP32: MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV.
+
+ ESP32-C3: DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, DIS_USB_SERIAL_JTAG,
+ DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+ ESP32-C6: SWAP_UART_SDIO_EN, DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE,
+ DIS_USB_SERIAL_JTAG, DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE,
+ DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+ ESP32-H2: DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS,
+ DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+ ESP32-S2: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+ DIS_FORCE_DOWNLOAD, DIS_USB, DIS_TWAI, DIS_BOOT_REMAP, SOFT_DIS_JTAG,
+ HARD_DIS_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+ ESP32-S3: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+ DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG,
+ DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
 endmenu # Potentially Insecure
 config SECURE_FLASH_CHECK_ENC_EN_IN_APP
diff --git a/components/bootloader_support/src/esp32/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32/flash_encryption_secure_features.c
index dc09bff08e..d70b37fea3 100644
--- a/components/bootloader_support/src/esp32/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32/flash_encryption_secure_features.c
@@ -79,7 +79,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
 #endif
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
 // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
 // esp32 has DIS_ICACHE. Write-protection bit = 3.
 // List of eFuses with the same write protection bit:
diff --git a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
index f8f2af5090..16d81feabd 100644
--- a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
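Review bot: The per-target list in the new help text omits ESP32-H4, even though this patch set adds `ESP_EFUSE_WR_DIS_DIS_ICACHE` for esp32h4 and switches its flash_encryption_secure_features.c to the same skip guard; the h4 CSV row in this series names `DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_TWAI SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT` for that bit, so an `ESP32-H4:` paragraph can be added from it. The ESP32-S2 and ESP32-S3 entries also disagree with the generated eFuse table comments in this same series (the S2 table says DIS_CAN and HARD_DIS.JTAG where the help says DIS_TWAI and HARD_DIS_JTAG; the S3 table comment lists SOFT_DIS_JTAG and HARD_DIS_JTAG and none of the USB_JTAG or STRAP_JTAG_SEL fuses the help lists), which will confuse anyone cross-checking against espefuse output, so one of the two sources is stale and should be reconciled. The sentence beginning `Due to other eFuses are linked` is hard to parse; suggested wording: `Because other eFuses share the same write-protection bit (see the list below), the bit is not burned when SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC, SECURE_BOOT_ALLOW_JTAG or SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE is selected, so the device can still be moved to release mode later.`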
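Review bot: Replacing `#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE` with `#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE` means the write-protect bit is now burned in development mode as well, unless one of the three ALLOW options selected the skip symbol, yet the comment beneath the guard still only says the bit is set to avoid bricking and not when; I would extend it with `// Burned in both development and release mode unless CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE is set (auto-selected by the *_ALLOW_* options); note the same bit also locks every other eFuse in the group listed below.` The identical guard change and comment gap recur in the esp32c3, esp32c6, esp32h2, esp32h4, esp32s2 and esp32s3 hunks that follow. Because that bit permanently freezes the rest of the group at its current value (on the newer chips e.g. JTAG_SEL_ENABLE and DIS_USB_SERIAL_JTAG per the new Kconfig help), a development-mode build without the ALLOW options can never have those fuses set afterwards, so it is worth confirming that everything in the group that release mode would burn has already been burned earlier in this function before the bit is written. For esp32 specifically the context line `// esp32 has DIS_ICACHE. Write-protection bit = 3.` contradicts the Kconfig help, which names the ESP32 fuse DIS_CACHE, and should be corrected alongside. esp_flash_encryption_enable_secure_features continues outside the hunk.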
@@ -46,7 +46,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
 // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
 // esp32c3 has DIS_ICACHE. Write-protection bit = 2.
 // List of eFuses with the same write protection bit:
diff --git a/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c
index 0186180853..cde773a967 100644
--- a/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c
@@ -46,7 +46,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
 // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
 // esp32c6 has DIS_ICACHE. Write-protection bit = 2.
 // List of eFuses with the same write protection bit:
diff --git a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
index 3fb6162708..f1a6d2aef9 100644
--- a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
@@ -39,7 +39,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
 // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
 // esp32h2 has DIS_ICACHE. Write-protection bit = 2.
 // List of eFuses with the same write protection bit:
diff --git a/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c
index f06b78a423..163cc7ac86 100644
--- a/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c
@@ -46,7 +46,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
 // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
 // esp32h4 has DIS_ICACHE. Write-protection bit = 2.
 // List of eFuses with the same write protection bit:
diff --git a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
index 8751ec6433..e01f9211a0 100644
--- a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
@@ -47,7 +47,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
 // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally.
 // esp32s2 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both.
 // List of eFuses with the same write protection bit:
diff --git a/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c
index 3fea5e43ad..92b58c300f 100644
--- a/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c
@@ -47,7 +47,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
 // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally.
 // esp32s3 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both.
 // List of eFuses with the same write protection bit: