Secure version in the image header is only available for the application
image. However, for certain security workflows, bootloader verifies
itself (own image) and hence the secure version check during that must be
avoided.
Regression introduced in recent commit-id: 3305cb4d
Tested that both secure boot and flash-enc workflows work correctly
with the anti-rollback scenario.
This commit renames USB PHY related HAL files from "usb_phy_xxx" to
"usb_fsls_phy_xxx" since they are only designed to support Full-Speed/Low-Speed
Serial USB PHYs. This renaming is done to accommodate future USB PHYs that use
other PHY interfaces (e.g., UTMI, ULPI etc).
Some additional checks related to secure version of the application in
anti-rollback case have been added to avoid any attempts to boot lower
security version but valid application (e.g., passive partition image).
- Read secure_version under sha256 protection
- First check has been added in the bootloader to ensure correct secure
version after application verification and loading stage. This check
happens before setting up the flash cache mapping and handing over
the final control to application. This check ensures that application
was not swapped (e.g., to lower security version but valid image) just
before the load stage in bootloader.
- Second check has been added in the application startup code to ensure
that currently booting app has higher security version than the one
programmed in the eFuse for anti-rollback scenario. This will ensure
that only the legit application boots-up on the device for
anti-rollback case.
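
The two checks described above, modelled as an added example (not ESP-IDF code): a valid but older image is swapped in between the verification and load stages, and either the bootloader's post-load check or the application's startup check rejects it. The descriptor layout, the magic value, the simulated flash and all function names are hypothetical; the eFuse version is modelled as a count of burned bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified, hypothetical descriptor; not the ESP-IDF image header layout. */
typedef struct { uint32_t magic, secure_version; } app_desc_t;
#define APP_MAGIC 0xA5A55A5Au /* constructed value */

typedef enum { BOOT_OK, REJECT_VERIFY, REJECT_POST_LOAD, REJECT_APP_STARTUP } boot_result_t;

/* Model assumption: the eFuse stores the version as a unary counter (burned bits). */
static uint32_t efuse_version(uint32_t bits) {
    uint32_t n = 0;
    for (; bits; bits &= bits - 1) n++;
    return n;
}

/* An image is acceptable only if its version is not lower than the eFuse version. */
static bool version_ok(const app_desc_t *d, uint32_t efuse_bits) {
    return d->magic == APP_MAGIC && d->secure_version >= efuse_version(efuse_bits);
}

/* Simulated flash: after `swap_after` reads it returns `swapped` instead. */
typedef struct { const app_desc_t *current, *swapped; int reads, swap_after; } flash_t;

static app_desc_t flash_read(flash_t *f) {
    bool use_swapped = f->swapped != NULL && f->reads >= f->swap_after;
    f->reads++;
    return use_swapped ? *f->swapped : *f->current;
}

static boot_result_t boot(flash_t *f, uint32_t efuse_bits, bool post_load_check) {
    app_desc_t verified = flash_read(f);            /* verification stage */
    if (!version_ok(&verified, efuse_bits)) return REJECT_VERIFY;
    app_desc_t loaded = flash_read(f);              /* load stage reads flash again */
    if (post_load_check && !version_ok(&loaded, efuse_bits)) return REJECT_POST_LOAD;
    /* control passes to the app; its startup code repeats the check */
    return version_ok(&loaded, efuse_bits) ? BOOT_OK : REJECT_APP_STARTUP;
}

/* Constructed scenario: eFuse version 3, current app v3, older valid app v2. */
boot_result_t run_case(bool boot_old_directly, bool swap_before_load, bool post_load_check) {
    const app_desc_t v3 = { APP_MAGIC, 3 }, v2 = { APP_MAGIC, 2 };
    flash_t f = { boot_old_directly ? &v2 : &v3, swap_before_load ? &v2 : NULL, 0, 1 };
    return boot(&f, 0x7u, post_load_check);
}
```
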
* Closes https://github.com/espressif/esp-idf/issues/12849
In former versions of ESP-IDF, the user custom memory data in the retained memory
was taken into account during the CRC calculation. This was changed in a later
commit, the custom memory was ignored, therefore this can be seen as a breaking change.
This commit gives the possibility to choose between the former (legacy) or
new way of calculating the CRC.
Currently, when flash encryption is enabled, the whole partition gets encrypted.
This can be optimised by encrypting only the app image instead of encrypting the whole partition.
Closes https://github.com/espressif/esp-idf/issues/12576
Fixed the value of the image_length field of the image metadata populated by esp_image_verify()
to include the size of the signature sector when Secure Boot V1 is enabled.
On ESP32-S3 with the default efuse settings, USB PHY is connected to
the USB_SERIAL_JTAG peripheral. If USB OTG peripheral is used for the
console, we need to additionally switch the PHY to USB OTG, otherwise
we won't get any output.
Closes https://github.com/espressif/esp-idf/issues/12437
Added an API to verify the bootloader and app image before revoking the key in Secure Boot V2.
This will help prevent the device from being bricked if the bootloader/application cannot be
verified by any other keys in efuse.
For the following configuration case:
- CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
- CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
- CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION
verification of the application was failing because the externally
padded bytes were not considered in the hash (checksum) process.
This commit fixes the problem by enabling relevant code for secure OTA
without secure boot case.
Closes https://github.com/espressif/esp-idf/issues/11995
There are some register description errors in parts of rom/gpio.h.
This commit updates the incorrect comments in rom/gpio.h. And now
esp_rom_gpio.h is recommended instead of rom/gpio.h. So this commit adds
macro SIG_GPIO_OUT_IDX in esp_rom_gpio_connect_out_signal
function and removes the reference to gpio.h in some source files.
Closes https://github.com/espressif/esp-idf/issues/11737
esp_hw_support: Fix invalid system time if s_esp_rtc_time_us & s_rtc_last_ticks were moved around
Closes IDFGH-7930
See merge request espressif/esp-idf!23030
The commit fixes the case:
If variables in RTC RAM have been moved around by the linker,
they will be filled with garbage data. Any reset other than OTA would work fine
because the variables would still be initialized from the initial bootup.
So now system time will be valid even after OTA.
Closes https://github.com/espressif/esp-idf/issues/9448
* The RNG reading frequency of 200 KHz has been too high for
C6 and H2 since on these chips the RNG output is combined
with the RTC slow clock which is only 150KHz. Reduced the max
reading frequency via esp_random() from 200KHz to 62.5KHz,
which shows the best results in tests.
Also updated the bootloader_fill_random() max frequency to the
same value to be in line, even though it was just 83KHz.