ROM code doesn't allow loader stub to be executed in case secure boot in
enabled. Providing --no-stub flag to esptool allows user to flash new
firmware, given download mode hasn't been disabled
- Add to docs & config descriptions
- Change to a "choice" to become self-documenting
- Keep the bootloader_common_check_long_hold_gpio() function for compatibility
Additionally, always enable the partition MD5 check if flash encryption is on in
Release mode. This ensures the partition table ciphertext has not been modified
(CVE-2021-27926).
The exception is pre-V3.1 ESP-IDF bootloaders and partition tables, which
don't have support for the MD5 entry.
ESP32 V1 and V2 - protection bits.
ESP32xx V2: revoke bits, protection bits
- refactor efuse component
- adds some APIs for esp32 chips as well as for esp32xx chips
- Cmake shows an error if the partition table has a test app.
- BOOTLOADER_APP_TEST depends on !BOOTLOADER_APP_ANTI_ROLLBACK.
- Bootloader does not boot the test app if secure version is low.
Closes: https://www.esp32.com/viewtopic.php?f=13&t=19164&p=71302#p71302
Currently USB CDC Download requires the `--no-stub` option of `esptool`. This change inverts the Kconfig option to negative, so that it can be `selected` by other options or enabled in applications through `sdkconfig.defaults`.
Allows booting in QIO/QOUT mode or with PSRAM on ESP32-PICO-V3 and
ESP32-PICO-V3-O2 without any config changes.
Custom WP pins (needed for fully custom circuit boards) should still be compatible.
flash_enctryption: enabled flash encryption example on esp32s2
bootloader: raise WDT overflow value providing sufficient interval to encrypt app partition
flash_ encrypt: Fixed the TODOs on flash encryption key generation for esp32s2
flash_encryption: added secure boot features to flash enctryption for esp32s2
bootloader: leave only esp32s2 compatible potentially insecure options on menuconfig.
flash_encryption: removed secure boot version 1 from esp32s2 encryption code
flash_encryption: added CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED option for esp32s2
flash_encryption: fixed the count of left plaintext flash
flash_encryption: disable dcache and icache download when using encryption in release mode
flash_encryption: add cache potentally insecure options for s2 chips
flash_encryption: fixed bug which bricked some chips in relase mode
Change the default bootloader config to -Os to save size.
This is a useful feature because it allows switching between debug
and release configs in the app without also needing to account for a
size change in the bootloader.
and all ECDSA to be disabled if secure boot is not enabled
Previously if ECDSA disabled in config then secure_boot_signatures.c would
fail to build (whether or not secure boot was enabled).
To avoid breaking apps that might be using the signature scheme with custom OTA
without enabling secure boot signatures in config, this change just disables
this functionality if unavailable in mbedTLS config.
Possible fix for root cause of https://github.com/espressif/esp-idf/pull/3703
This saves time when waking up from deep sleep, but potentially decreases
the security of the system. If the application able to modify itself
(especially areas that are loaded into RAM) in flash while running
without crashing or is modifies the cached bits of information about
what was last booted from the bootloader, this could cause security
issues if the user does a "deep sleep reset" since the full validation
is skipped.
Signed-off-by: Tim Nordell <tim.nordell@nimbelink.com>
This MR improves existing flash encryption document to provide simplified steps
Adds two new modes for user: Development & Release
Adds a simple example
Supports encrypted write through make command
Added:
* set a secure version in app/bootloader.
* description anti-rollback to ota part
* emulate the secure_version write and read operations
* efuse_em partition.
* a description about a rollback for native_ota_example.
Closes: TW26335
Allows OTA updates to be secured via signature checks, without requiring the overhead or complexity
of a full secure boot implementation.
Uses same signing mechanisms (build system and/or espsecure.py as Secure Boot).
Requires:
* [ ] More testing
* [ ] Documentation
Because address space is mapped in 64KB pages, it was possible for unauthenticated data after the
app .bin to become mapped into the flash cache address space.
This problem is solved by 2 changes:
* "esptool elf2image --secure-pad" will pad the image so that the signature block ends close to the
64KB boundary. Due to alignment constraints it will be 12 bytes too short after signing (but
with flash encryption, these 12 bytes are still encrypted as part of the last block and can't be
arbitrarily changed).
* By default, secure boot now requires all app partitions to be a multiple of 64KB in size.
Added feature:
- reset firmware to Factory app.(by long pressing of the button)
- boot Test app. (by long pressing of the button)
- Added feature erase data partitions from factory reset.
TW10281
TW10280
Also add steps to disable flash encryption, as some people seem to
accidentally enable it.
Explicitly mark the flash encryption and secure boot as "READ DOCS
FIRST" in menuconfig.
* App access functions are all flash encryption-aware
* Documentation for flash encryption
* Partition read/write is flash aware
* New encrypted write function
This also removes logging implementation from bootloader and replaces it
with the one provided by the log component. Some occurrences of printf
and ets_printf have been changed to ESP_LOGx APIs.