Some additional checks related to secure version of the application in
anti-rollback case have been added to avoid any attempts to boot lower
security version but valid application (e.g., passive partition image).
- Read secure_version under sha256 protection
- First check has been added in the bootloader to ensure correct secure
version after application verification and loading stage. This check
happens before setting up the flash cache mapping and handling over
the final control to application. This check ensures that application
was not swapped (e.g., to lower security version but valid image) just
before the load stage in bootloader.
- Second check has been added in the application startup code to ensure
that currently booting app has higher security version than the one
programmed in the eFuse for anti-rollback scenario. This will ensure
that only the legit application boots-up on the device for
anti-rollback case.
For cases where the bootloader is not enabled with the security features
ends up receiving an incorrect application with flash encryption enabled
should not really program any security efuses.
In the startup sequence, we first used to program the ROM DL mode
configuration but now we check for the flash encryption related checks
first. If the flash encryption related checks finds that flash
encryption is not enabled on the device then it aborts the boot process.
This is the case with `CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP` enabled.
This would at-least ensure that accidental program of security enabled
application does not really program any ROM DL mode efuses and there is
chance to recover the device.
The commit fixes the case:
If variables in RTC RAM have been moved around by the linker,
they will be filled with garbage data. Any reset other than OTA would work fine
because the variables would still be initialized from the initial bootup.
So now system time will be valid even after OTA.
Closes https://github.com/espressif/esp-idf/issues/9448
Prior to this commit, we don't consider the offset of the irom vaddr
start.
If the offset + size is bigger than the MMU page size, for example:
MMU page size: 0x10000
irom vaddr: 0x4200_0800, so offset = 0x800
irom size: 0xF900
offset + size = 0x10100
Under this condition, the 0x4200_0000 ~ 0x4202_0000, two MMU pages are
used.
With this commit, when reserving the irom and drom, we take the offset
into consideration as well.
Closes https://github.com/espressif/esp-idf/issues/2561
The race condition is very unlikely on real hardware but can be observed with
qemu under heavy load.
Also add missing `memw` instructions which are generated by the C compiler but
absent in the assembly code.
Signed-off-by: Paul Guyot <pguyot@kallisys.net>
Signed-off-by: KonstantinKondrashov <konstantin@espressif.com>
Merges https://github.com/espressif/esp-idf/pull/11447
Closes https://github.com/espressif/esp-idf/issues/11433
1. Fix deep sleep wakeup IOs can not be unhold issue
2. Correct hold related APIs' description
3. Fix gpio_force_hold_all API
docs: Add GPIO wakeup source to sleep_modes doc for ESP32C3 and C2
If the TimerGroup 0 clock is disabled and then reenabled, the watchdog
registers (Flashboot protection included) will be re-enabled, and some
seconds later, will trigger an unintended reset.
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
