Merge branch 'feature/secure_features_are_enabled_correctly' into 'master'

security: Adds new APIs to check that all eFuse security features are enabled correctly

Closes IDF-1814

See merge request espressif/esp-idf!19532
This commit is contained in:
Mahavir Jain 2023-01-13 15:09:55 +08:00
commit fd34bdb70a
25 changed files with 654 additions and 13 deletions

View File

@ -8,6 +8,7 @@
#include <stdbool.h>
#include "esp_attr.h"
#include "esp_err.h"
#include "soc/soc_caps.h"
#ifndef BOOTLOADER_BUILD
#include "spi_flash_mmap.h"
#endif
@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void);
*/
esp_err_t esp_flash_encryption_enable_secure_features(void);
/** @brief Returns the verification status for all physical security features of flash encryption in release mode
*
* If the device has flash encryption feature configured in the release mode,
* then it is highly recommended to call this API in the application startup code.
* This API verifies the sanity of the eFuse configuration against
* the release (production) mode of the flash encryption feature.
*
* @return
* - True - all eFuses are configured correctly
* - False - not all eFuses are configured correctly.
*/
bool esp_flash_encryption_cfg_verify_release_mode(void);
/** @brief Switches Flash Encryption from "Development" to "Release"
*
* If already in "Release" mode, the function will do nothing.

View File

@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi
*/
esp_err_t esp_secure_boot_enable_secure_features(void);
/** @brief Returns the verification status for all physical security features of secure boot in release mode
*
* If the device has secure boot feature configured in the release mode,
* then it is highly recommended to call this API in the application startup code.
* This API verifies the sanity of the eFuse configuration against
* the release (production) mode of the secure boot feature.
*
* @return
* - True - all eFuses are configured correctly
* - False - not all eFuses are configured correctly.
*/
bool esp_secure_boot_cfg_verify_release_mode(void);
#ifdef __cplusplus
}
#endif

View File

@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
// Secure boot and Flash encryption share one eFuse key block so they can not be set separately.
// CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
// SB key is readable, the corresponding bit in RD_DIS is unset.
// We set write-protection for RD_DIS to ensure that the SB key is always readable.
// FE key is read-protected, the corresponding bit in RD_DIS is set.
ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
#else
ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#endif
return ESP_OK;
}

View File

@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void)
}
ESP_LOGI(TAG, "Flash encryption mode is RELEASE");
}
#ifdef CONFIG_IDF_TARGET_ESP32
bool esp_flash_encryption_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
secure = esp_flash_encryption_enabled();
result = secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)");
}
uint8_t crypt_config = 0;
esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4);
if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) {
result &= false;
ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)");
}
uint8_t flash_crypt_cnt = 0;
esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count);
if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) {
if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) {
result &= false;
ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)");
}
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)");
}
return result;
}
#else // not CONFIG_IDF_TARGET_ESP32
bool esp_flash_encryption_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
secure = esp_flash_encryption_enabled();
result = secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)");
}
uint8_t flash_crypt_cnt = 0;
esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count);
if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) {
if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) {
result &= false;
ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)");
}
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)");
}
#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)");
}
#endif
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
}
#if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_USB_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_DIRECT_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
}
#endif
#if SOC_EFUSE_HARD_DIS_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_BOOT_REMAP
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
}
#endif
#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
}
#endif
esp_efuse_purpose_t purposes[] = {
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
#endif
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY,
#endif
};
// S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2.
// The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2
// are mutually exclusive because this will make the chip not functional.
// Only one type key must be configured in eFuses.
secure = false;
for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) {
esp_efuse_block_t block;
if (esp_efuse_find_purpose(purposes[i], &block)) {
secure = esp_efuse_get_key_dis_read(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
}
secure = esp_efuse_get_key_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
}
#if SOC_EFUSE_KEY_PURPOSE_FIELD
secure = esp_efuse_get_keypurpose_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
}
#endif
}
}
result &= secure;
return result;
}
#endif // not CONFIG_IDF_TARGET_ESP32

View File

@ -10,6 +10,7 @@
#include "esp_efuse.h"
#include "esp_efuse_table.h"
#include "esp_secure_boot.h"
#include "hal/efuse_hal.h"
#ifndef BOOTLOADER_BUILD
static __attribute__((unused)) const char *TAG = "secure_boot";
@ -188,4 +189,220 @@ void esp_secure_boot_init_checks(void)
#endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
}
#ifdef CONFIG_IDF_TARGET_ESP32
bool esp_secure_boot_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0);
bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300;
bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false;
result = secure_boot_v1 || secure_boot_v2;
if (secure_boot_v1 && secure_boot_v2) {
ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)");
ESP_LOGI(TAG, "Secure boot V2 shall take the precedence");
} else if (!secure_boot_v1 && !secure_boot_v2) {
result = false;
ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)");
if (chip_supports_sbv2) {
ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)");
}
}
if (secure_boot_v1 && !secure_boot_v2) {
secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)");
}
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
}
if (secure_boot_v2) {
secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)");
}
}
return result;
}
#else // not CONFIG_IDF_TARGET_ESP32
bool esp_secure_boot_cfg_verify_release_mode(void)
{
bool result = false;
bool secure;
secure = esp_secure_boot_enabled();
result = secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)");
}
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
if (!secure && !en_secure_download) {
result &= false;
ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:");
ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)");
ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)");
}
#if SOC_EFUSE_DIS_BOOT_REMAP
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
}
#endif
#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
}
#endif
#if SOC_EFUSE_DIS_DIRECT_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
}
#endif
#if SOC_EFUSE_HARD_DIS_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
}
#endif
#if SOC_EFUSE_SOFT_DIS_JTAG
size_t soft_dis_jtag_cnt_val = 0;
esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) {
result &= secure;
ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)");
}
#endif
#if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
}
#endif
#if SOC_EFUSE_DIS_USB_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
}
#endif
#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)");
}
#endif
secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)");
}
#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2;
#else
unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2
#endif
secure = false;
unsigned num_keys = 0;
for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) {
esp_efuse_block_t block;
if (esp_efuse_find_purpose(purpose + i, &block)) {
// if chip has a few secure boot slots then we check all
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
bool revoke = esp_efuse_get_digest_revoke(i);
if (revoke) {
continue;
}
#endif
++num_keys;
secure = !esp_efuse_get_key_dis_read(block);
result &= secure;
if (!secure) {
ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block);
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
#endif
}
secure = !esp_efuse_block_is_empty(block);
result &= secure;
if (!secure) {
ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block);
#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
#endif
}
secure = esp_efuse_get_key_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
}
#if SOC_EFUSE_KEY_PURPOSE_FIELD
secure = esp_efuse_get_keypurpose_dis_write(block);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
}
#endif
}
}
result &= secure;
secure = (num_keys != 0);
result &= secure;
if (!secure) {
ESP_LOGE(TAG, "No secure boot key found");
}
return result;
}
#endif // not CONFIG_IDF_TARGET_ESP32
#endif // not BOOTLOADER_BUILD

View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -9,7 +9,7 @@
#include <assert.h>
#include "esp_efuse_table.h"
// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee
// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
// If you want to change some fields, you need to change esp_efuse_table.csv file
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@ -19,8 +19,8 @@ static const esp_efuse_desc_t WR_DIS[] = {
{EFUSE_BLK0, 0, 8}, // Write protection,
};
static const esp_efuse_desc_t WR_DIS_KEY0_RD_DIS[] = {
{EFUSE_BLK0, 0, 1}, // Write protection for KEY0_RD_DIS,
static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
{EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS,
};
static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
@ -265,8 +265,8 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = {
NULL
};
const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[] = {
&WR_DIS_KEY0_RD_DIS[0], // Write protection for KEY0_RD_DIS
const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
&WR_DIS_RD_DIS[0], // Write protection for RD_DIS
NULL
};

View File

@ -12,7 +12,7 @@
##############################
# EFUSE_RD_WR_DIS_REG #
WR_DIS, EFUSE_BLK0, 0, 8, Write protection
WR_DIS.KEY0_RD_DIS, EFUSE_BLK0, 0, 1, Write protection for KEY0_RD_DIS
WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS
WR_DIS.GROUP_1, EFUSE_BLK0, 1, 1, Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE
WR_DIS.GROUP_2, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN
WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN

Can't render this file because it contains an unexpected character in line 7 and column 53.

View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -10,7 +10,7 @@ extern "C" {
#include "esp_efuse.h"
// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee
// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
// If you want to change some fields, you need to change esp_efuse_table.csv file
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@ -18,7 +18,7 @@ extern "C" {
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];

View File

@ -495,6 +495,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS
int
default 1
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_SECURE_BOOT_V2_ECC
bool
default y

View File

@ -241,6 +241,10 @@
#define SOC_TIMER_GROUP_SUPPORT_PLL_F40M (1)
#define SOC_TIMER_GROUP_TOTAL_TIMERS (1U)
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_ECC 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS (1U)

View File

@ -731,6 +731,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
bool
default y
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

View File

@ -329,6 +329,12 @@
#define SOC_TWAI_BRP_MAX 16384
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

View File

@ -867,6 +867,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
bool
default y
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

View File

@ -381,6 +381,12 @@
#define SOC_TWAI_BRP_MAX 32768
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
// TODO: IDF-5357 (Copy from esp32c3, need check)
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1

View File

@ -687,6 +687,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
bool
default y
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

View File

@ -361,6 +361,12 @@
#define SOC_TWAI_BRP_MAX 32768
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
// TODO: IDF-6281 (Copy from esp32c6, need check)
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1

View File

@ -707,6 +707,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
bool
default y
config SOC_EFUSE_DIS_PAD_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

View File

@ -336,6 +336,12 @@
#define SOC_TWAI_BRP_MAX 16384
#define SOC_TWAI_SUPPORTS_RX_STATUS 1
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_PAD_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

View File

@ -815,6 +815,26 @@ config SOC_AES_SUPPORT_GCM
bool
default y
config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
bool
default y
config SOC_EFUSE_HARD_DIS_JTAG
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_EFUSE_DIS_BOOT_REMAP
bool
default y
config SOC_EFUSE_DIS_LEGACY_SPI_BOOT
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

View File

@ -362,6 +362,13 @@
#define SOC_AES_SUPPORT_DMA (1)
#define SOC_AES_SUPPORT_GCM (1)
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
#define SOC_EFUSE_HARD_DIS_JTAG 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
#define SOC_EFUSE_DIS_BOOT_REMAP 1
#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

View File

@ -1011,6 +1011,26 @@ config SOC_CLK_RC_FAST_SUPPORT_CALIBRATION
bool
default y
config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
bool
default y
config SOC_EFUSE_HARD_DIS_JTAG
bool
default y
config SOC_EFUSE_DIS_USB_JTAG
bool
default y
config SOC_EFUSE_SOFT_DIS_JTAG
bool
default y
config SOC_EFUSE_DIS_DIRECT_BOOT
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

View File

@ -417,6 +417,13 @@
#define SOC_RTC_SLOW_CLK_SUPPORT_RC_FAST_D256 (1)
#define SOC_CLK_RC_FAST_SUPPORT_CALIBRATION (1)
/*-------------------------- eFuse CAPS----------------------------*/
#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
#define SOC_EFUSE_HARD_DIS_JTAG 1
#define SOC_EFUSE_DIS_USB_JTAG 1
#define SOC_EFUSE_SOFT_DIS_JTAG 1
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1
#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3

View File

@ -106,6 +106,14 @@ Setup
.. note:: The API *esp_efuse_write_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count)* can be used to burn "soft JTAG disable" bits on {IDF_TARGET_NAME}.
.. only:: esp32s2 or esp32s3
.. note:: If ``HARD_DIS_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled.
.. only:: not esp32s2 and not esp32s3
.. note:: If ``DIS_PAD_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled.
JTAG enable
1. The key to re-enable JTAG is the output of the HMAC-SHA256 function using the secret key in eFuse and 32 0x00 bytes as the message.

View File

@ -15,10 +15,8 @@
#include "esp_efuse.h"
#include "esp_efuse_table.h"
#include "esp_efuse_custom_table.h"
#if CONFIG_IDF_TARGET_ESP32C2
#include "esp_secure_boot.h"
#include "esp_flash_encrypt.h"
#endif
#include "sdkconfig.h"
static const char* TAG = "example";
@ -135,6 +133,21 @@ void app_main(void)
{
ESP_LOGI(TAG, "Start eFuse example");
#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
if (esp_flash_encryption_cfg_verify_release_mode()) {
ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode");
} else {
ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode");
}
#endif
#ifdef CONFIG_SECURE_BOOT
if (esp_secure_boot_cfg_verify_release_mode()) {
ESP_LOGI(TAG, "Secure Boot is in RELEASE mode");
} else {
ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode");
}
#endif
esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme();
(void) coding_scheme;

View File

@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
# SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: Unlicense OR CC0-1.0
from __future__ import unicode_literals
@ -248,6 +248,7 @@ def test_examples_efuse_with_virt_flash_enc_release(dut: Dut) -> None:
dut.expect_exact('flash encryption is enabled (0 plaintext flashes left)', timeout=5)
dut.expect('Flash encryption mode is RELEASE')
dut.expect('Start eFuse example')
dut.expect('Flash Encryption is in RELEASE mode')
dut.expect('example: Done')
@ -772,6 +773,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(dut: Dut) -> None:
dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
dut.expect('main_task: Calling app_main()')
dut.expect('Start eFuse example')
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
dut.expect('example: Secure Boot is in RELEASE mode')
dut.expect('example: Done')
@ -851,6 +854,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None:
dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
dut.expect('main_task: Calling app_main()')
dut.expect('Start eFuse example')
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
dut.expect('example: Secure Boot is in RELEASE mode')
dut.expect('example: Done')
@ -938,6 +943,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None:
dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
dut.expect('main_task: Calling app_main()')
dut.expect('Start eFuse example')
dut.expect('example: Flash Encryption is NOT in RELEASE mode')
dut.expect('example: Secure Boot is in RELEASE mode')
dut.expect('example: Done')