mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
secure boot: Enable based on sdkconfig, remove "secure boot flag" from binary image
This commit is contained in:
Angus Gratton
parent
ff1b2c6039
commit
fe66dd85f0
@ -28,6 +28,12 @@ config LOG_BOOTLOADER_LEVEL
|
|||||||
default 4 if LOG_BOOTLOADER_LEVEL_DEBUG
|
default 4 if LOG_BOOTLOADER_LEVEL_DEBUG
|
||||||
default 5 if LOG_BOOTLOADER_LEVEL_VERBOSE
|
default 5 if LOG_BOOTLOADER_LEVEL_VERBOSE
|
||||||
|
|
||||||
|
endmenu
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
menu "Secure boot configuration"
|
||||||
|
|
||||||
choice SECURE_BOOTLOADER
|
choice SECURE_BOOTLOADER
|
||||||
bool "Secure bootloader"
|
bool "Secure bootloader"
|
||||||
default SECURE_BOOTLOADER_DISABLED
|
default SECURE_BOOTLOADER_DISABLED
|
||||||
@ -78,8 +84,35 @@ config SECURE_BOOT_SIGNING_KEY
|
|||||||
|
|
||||||
See docs/security/secure-boot.rst for details.
|
See docs/security/secure-boot.rst for details.
|
||||||
|
|
||||||
|
config SECURE_BOOT_DISABLE_JTAG
|
||||||
|
bool "First boot: Permanently disable JTAG"
|
||||||
|
depends on SECURE_BOOTLOADER_ENABLED
|
||||||
|
default Y
|
||||||
|
help
|
||||||
|
Bootloader permanently disable JTAG (across entire chip) when enabling secure boot. This happens on first boot of the bootloader.
|
||||||
|
|
||||||
|
It is recommended this option remains set for production environments.
|
||||||
|
|
||||||
|
config SECURE_BOOT_DISABLE_UART_BOOTLOADER
|
||||||
|
bool "First boot: Permanently disable UART bootloader"
|
||||||
|
depends on SECURE_BOOTLOADER_ENABLED
|
||||||
|
default Y
|
||||||
|
help
|
||||||
|
Bootloader permanently disables UART and other bootloader modes when enabling secure boot. This happens on first boot.
|
||||||
|
|
||||||
|
It is recommended this option remains set for production environments.
|
||||||
|
|
||||||
|
config SECURE_BOOT_TEST_MODE
|
||||||
|
bool "Test mode: don't actually enable secure boot"
|
||||||
|
depends on SECURE_BOOTLOADER_ENABLED
|
||||||
|
default N
|
||||||
|
help
|
||||||
|
If this option is set, all permanent secure boot changes (via Efuse) are disabled.
|
||||||
|
|
||||||
|
This option is for testing purposes only - it effectively completely disables secure boot protection.
|
||||||
|
|
||||||
config SECURE_BOOTLOADER_ENABLED
|
config SECURE_BOOTLOADER_ENABLED
|
||||||
bool
|
bool
|
||||||
default SECURE_BOOTLOADER_ONE_TIME_FLASH || SECURE_BOOTLOADER_REFLASHABLE
|
default SECURE_BOOTLOADER_ONE_TIME_FLASH || SECURE_BOOTLOADER_REFLASHABLE
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
@ -316,17 +316,17 @@ void bootloader_main()
|
|||||||
|
|
||||||
ESP_LOGI(TAG, "Loading app partition at offset %08x", load_part_pos);
|
ESP_LOGI(TAG, "Loading app partition at offset %08x", load_part_pos);
|
||||||
|
|
||||||
if(fhdr.secure_boot_flag == 0x01) {
|
#ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
|
||||||
/* Generate secure digest from this bootloader to protect future
|
/* Generate secure digest from this bootloader to protect future
|
||||||
modifications */
|
modifications */
|
||||||
err = esp_secure_boot_permanently_enable();
|
err = esp_secure_boot_permanently_enable();
|
||||||
if (err != ESP_OK){
|
if (err != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "Bootloader digest generation failed (%d). SECURE BOOT IS NOT ENABLED.", err);
|
ESP_LOGE(TAG, "Bootloader digest generation failed (%d). SECURE BOOT IS NOT ENABLED.", err);
|
||||||
/* Allow booting to continue, as the failure is probably
|
/* Allow booting to continue, as the failure is probably
|
||||||
due to user-configured EFUSEs for testing...
|
due to user-configured EFUSEs for testing...
|
||||||
*/
|
*/
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if(fhdr.encrypt_flag == 0x01) {
|
if(fhdr.encrypt_flag == 0x01) {
|
||||||
/* encrypt flash */
|
/* encrypt flash */
|
||||||
@ -354,12 +354,16 @@ static void unpack_load_app(const esp_partition_pos_t* partition)
|
|||||||
ESP_LOGE(TAG, "Failed to verify app image @ 0x%x (%d)", partition->offset, err);
|
ESP_LOGE(TAG, "Failed to verify app image @ 0x%x (%d)", partition->offset, err);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
#ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
|
||||||
|
ESP_LOGI(TAG, "Verifying app signature @ 0x%x (length 0x%x)", partition->offset, image_length);
|
||||||
err = esp_secure_boot_verify_signature(partition->offset, image_length);
|
err = esp_secure_boot_verify_signature(partition->offset, image_length);
|
||||||
if (err != ESP_OK) {
|
if (err != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "App image @ 0x%x failed signature verification (%d)", partition->offset, err);
|
ESP_LOGE(TAG, "App image @ 0x%x failed signature verification (%d)", partition->offset, err);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
ESP_LOGD(TAG, "App signature is valid");
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (esp_image_load_header(partition->offset, &image_header) != ESP_OK) {
|
if (esp_image_load_header(partition->offset, &image_header) != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "Failed to load app image header @ 0x%x", partition->offset);
|
ESP_LOGE(TAG, "Failed to load app image header @ 0x%x", partition->offset);
|
||||||
|
|||||||
@ -64,8 +64,7 @@ typedef struct {
|
|||||||
uint8_t spi_size: 4; /* flash chip size (esp_image_flash_size_t as uint8_t) */
|
uint8_t spi_size: 4; /* flash chip size (esp_image_flash_size_t as uint8_t) */
|
||||||
uint32_t entry_addr;
|
uint32_t entry_addr;
|
||||||
uint8_t encrypt_flag; /* encrypt flag */
|
uint8_t encrypt_flag; /* encrypt flag */
|
||||||
uint8_t secure_boot_flag; /* secure boot flag */
|
uint8_t extra_header[15]; /* ESP32 additional header, unused by second bootloader */
|
||||||
uint8_t extra_header[14]; /* ESP32 additional header, unused by second bootloader */
|
|
||||||
} esp_image_header_t;
|
} esp_image_header_t;
|
||||||
|
|
||||||
/* Header of binary image segment */
|
/* Header of binary image segment */
|
||||||
|
|||||||
@ -32,7 +32,7 @@
|
|||||||
* @return true if secure boot is enabled.
|
* @return true if secure boot is enabled.
|
||||||
*/
|
*/
|
||||||
static inline bool esp_secure_boot_enabled(void) {
|
static inline bool esp_secure_boot_enabled(void) {
|
||||||
return REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_RD_ABS_DONE_0);
|
return REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_RD_ABS_DONE_0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -110,12 +110,16 @@ static bool secure_boot_generate(uint32_t image_len){
|
|||||||
/* Burn values written to the efuse write registers */
|
/* Burn values written to the efuse write registers */
|
||||||
static inline void burn_efuses()
|
static inline void burn_efuses()
|
||||||
{
|
{
|
||||||
|
#ifdef CONFIG_SECURE_BOOT_TEST_MODE
|
||||||
|
ESP_LOGE(TAG, "SECURE BOOT TEST MODE. Not really burning any efuses!");
|
||||||
|
#else
|
||||||
REG_WRITE(EFUSE_CONF_REG, 0x5A5A); /* efuse_pgm_op_ena, force no rd/wr disable */
|
REG_WRITE(EFUSE_CONF_REG, 0x5A5A); /* efuse_pgm_op_ena, force no rd/wr disable */
|
||||||
REG_WRITE(EFUSE_CMD_REG, 0x02); /* efuse_pgm_cmd */
|
REG_WRITE(EFUSE_CMD_REG, 0x02); /* efuse_pgm_cmd */
|
||||||
while (REG_READ(EFUSE_CMD_REG)); /* wait for efuse_pagm_cmd=0 */
|
while (REG_READ(EFUSE_CMD_REG)); /* wait for efuse_pagm_cmd=0 */
|
||||||
REG_WRITE(EFUSE_CONF_REG, 0x5AA5); /* efuse_read_op_ena, release force */
|
REG_WRITE(EFUSE_CONF_REG, 0x5AA5); /* efuse_read_op_ena, release force */
|
||||||
REG_WRITE(EFUSE_CMD_REG, 0x01); /* efuse_read_cmd */
|
REG_WRITE(EFUSE_CMD_REG, 0x01); /* efuse_read_cmd */
|
||||||
while (REG_READ(EFUSE_CMD_REG)); /* wait for efuse_read_cmd=0 */
|
while (REG_READ(EFUSE_CMD_REG)); /* wait for efuse_read_cmd=0 */
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
esp_err_t esp_secure_boot_permanently_enable(void) {
|
esp_err_t esp_secure_boot_permanently_enable(void) {
|
||||||
@ -185,10 +189,22 @@ esp_err_t esp_secure_boot_permanently_enable(void) {
|
|||||||
return ESP_ERR_INVALID_STATE;
|
return ESP_ERR_INVALID_STATE;
|
||||||
}
|
}
|
||||||
|
|
||||||
ESP_LOGI(TAG, "blowing secure boot efuse & disabling JTAG...");
|
ESP_LOGI(TAG, "blowing secure boot efuse...");
|
||||||
ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
|
ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
|
||||||
REG_WRITE(EFUSE_BLK0_WDATA6_REG,
|
|
||||||
EFUSE_RD_ABS_DONE_0 | EFUSE_RD_DISABLE_JTAG);
|
uint32_t new_wdata6 = EFUSE_RD_ABS_DONE_0;
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECURE_BOOT_DISABLE_JTAG
|
||||||
|
ESP_LOGI(TAG, "disabling JTAG...");
|
||||||
|
new_wdata6 |= EFUSE_RD_DISABLE_JTAG;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECURE_BOOT_DISABLE_UART_BOOTLOADER
|
||||||
|
ESP_LOGI(TAG, "disabling UART bootloader...");
|
||||||
|
new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE_S;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);
|
||||||
burn_efuses();
|
burn_efuses();
|
||||||
uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG);
|
uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG);
|
||||||
ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA6 %x", after);
|
ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA6 %x", after);
|
||||||
@ -196,7 +212,11 @@ esp_err_t esp_secure_boot_permanently_enable(void) {
|
|||||||
ESP_LOGI(TAG, "secure boot is now enabled for bootloader image");
|
ESP_LOGI(TAG, "secure boot is now enabled for bootloader image");
|
||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
} else {
|
} else {
|
||||||
|
#ifdef CONFIG_SECURE_BOOT_TEST_MODE
|
||||||
|
ESP_LOGE(TAG, "secure boot not enabled due to test mode");
|
||||||
|
#else
|
||||||
ESP_LOGE(TAG, "secure boot not enabled for bootloader image, EFUSE_RD_ABS_DONE_0 is probably write protected!");
|
ESP_LOGE(TAG, "secure boot not enabled for bootloader image, EFUSE_RD_ABS_DONE_0 is probably write protected!");
|
||||||
|
#endif
|
||||||
return ESP_ERR_INVALID_STATE;
|
return ESP_ERR_INVALID_STATE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user