Commit Graph

267 Commits

Author SHA1 Message Date
Angus Gratton
8d1a99e026 paritition_table: Verify the partition table md5sum when loading the app
Additionally, always enable the partition MD5 check if flash encryption is on in
Release mode. This ensures the partition table ciphertext has not been modified
(CVE-2021-27926).

The exception is pre-V3.1 ESP-IDF bootloaders and partition tables, which
don't have support for the MD5 entry.
2021-06-02 16:31:19 +10:00
Michael (XIAO Xufeng)
f6da7f3305 spi_flash: add config option to override flash size in bootloader header
Sometimes the flash size read from bootloader is not correct. This may
forbid SPI Flash driver from reading the the area larger than the size
in bootloader header.

When the new config option is enabled, the latest configured
ESPTOOLPY_FLAHSIZE in the app header will be used to override the value
read from bootloader header.
2021-02-23 01:23:53 +08:00
Morozov-5F
cca370df47 secure boot v2: Fix crash if signature verification fails in app
sha_handle is "finished" when verify_secure_boot_signature() returns and
should be nulled out.

Alternative version of fix submitted in https://github.com/espressif/esp-idf/pull/6210

Closes https://github.com/espressif/esp-idf/pull/6210

Signed-off-by: Angus Gratton <angus@espressif.com>
2020-12-31 14:34:25 +05:30
Supreet Deshpande
801bbcc7ad Secure boot v2: Fixes the issue of passing the flash calculated digest for ota verification. 2020-12-24 14:25:28 +05:30
Supreet Deshpande
2427847229 Secure Boot v2: Fix the double padding of the image length during flash encryption
Fixes https://github.com/espressif/esp-idf/issues/6236
2020-12-24 14:22:08 +05:30
Angus Gratton
5b3734a04a efuse: Add ESP32 V3 'disable Download Mode' functionality 2020-12-16 17:08:04 +11:00
Angus Gratton
fca2d78459 efuse: Add new esp_efuse_read_field_bit() convenience function 2020-12-15 15:53:26 +11:00
Angus Gratton
1ef020f0a6 efuse: Add new esp_efuse_write_field_bit() convenience function 2020-12-15 15:53:26 +11:00
Angus Gratton
9b31bd54da efuse: Don't need to burn WR_CRYPT_CNT if CRYPT_CNT is already max
Reduces write cycles, and useful on ESP32 ECO3 as UART_DIS_DL is protected by
the same efuse.

Also fixes accidental macro definition introduced in 7635dce502
2020-12-15 15:53:26 +11:00
Angus Gratton
c9307cb16e secure boot: Fix regression enabling secure boot v2
Regression in 18b4ae2a65 - write-protecting BLK2 caused write
registers to be cleared, so key digest was all zeroes.
2020-12-15 15:53:26 +11:00
Supreet Deshpande
18b4ae2a65 Secure Boot V2: Fix an issue leading to manual enablement of Secure Boot v2.
Fixes https://github.com/espressif/esp-idf/issues/6050
2020-11-13 11:36:29 +05:30
Mahavir Jain
f7f81c33f7 bootloader_support: fix issue in memory mapping for getting app descriptor
For getting secure_version field in anti rollback case, bootloader tries
to map whole firmware partition but fails for cases where partition size
is beyond available MMU free pages capacity.

Fix here ensures to map only required length upto application descriptor
size in firmware partition.

Closes https://github.com/espressif/esp-idf/issues/5911
2020-10-06 14:42:45 +05:30
KonstantinKondrashov
66acb32665 bootloader: Fix esp_get_flash_encryption_mode(). RELEASE = (CRYPT_CNT == max) or (CRYPT_CNT.write_protect == true)
If the CRYPT_CNT efuse is max it means the same as a write protection bit for this efuse.

Closes: https://github.com/espressif/esp-idf/issues/5747
2020-10-01 14:29:43 +08:00
Ivan Grokhotkov
42e694bb8f bootloader_support: don't check signature when JTAG is attached
If an insecure configuration is enabled (no hardware secure boot, just
software signature check), skip the signature check in bootloader if
JTAG debugger is attached. This allows the debugger to set breakpoints
in Flash before the application runs.

Closes https://github.com/espressif/esp-idf/issues/4734
Closes https://github.com/espressif/esp-idf/issues/4878
2020-09-09 23:42:24 +02:00
KonstantinKondrashov
55fafa887c bootloader_support: Fix bootloader_common_get_sha256_of_partition, can handle a long image
Closes: IDFGH-3594
2020-08-05 22:09:15 +08:00
KonstantinKondrashov
0a1919abff esp32: Reduce using ESP_EARLY_LOGx and move some code after the stdout initialization
After setting _GLOBAL_REENT, ESP_LOGIx can be used instead of ESP_EARLY_LOGx.

Closes: https://github.com/espressif/esp-idf/issues/5343
2020-06-17 15:53:45 +08:00
Ivan Grokhotkov
bd3caffdcd bootloader_support: force alignment of flash_read argument 2020-06-04 21:01:56 +10:00
Angus Gratton
a5b4fda207 bootloader: Force bootloader_image_hdr to be word aligned
Possible due to linker order for this file to be placed unaligned,
causing failure from bootloader_flash_read() function.
2020-06-04 20:53:46 +10:00
Angus Gratton
b00f38f91c secure boot v2: Add anti-FI check that secure boot not enabled yet
Prevent a fault from causing bootloader to trust the provided signature incorrectly.
2020-06-02 16:14:01 +10:00
Angus Gratton
3c6b1b4c0a secure boot v2: Don't check efuse BLK2 if only boot-time signature verification is enabled 2020-06-02 16:14:01 +10:00
Angus Gratton
2c531d5bb3 secure boot v2: Don't log warnings when BLK2 is empty as expected
If BLK2 is empty then it's OK to continue with a warning (otherwise it may spook users into thinking
something this is wrong, but this is the expected workflow.)

If BLK2 is not empty and doesn't match then we need to fail because it won't be possible to
trust the signature.
2020-06-02 16:14:01 +10:00
chenjianqiang
eb5bafeb65 flash: fix spi flash clock config error
Closes https://github.com/espressif/esp-idf/issues/5099
2020-04-27 16:56:58 +08:00
Angus Gratton
c17d55eb9b esp32: Enable flash encryption by setting FLASH_CRYPT_CNT to max
Previous method was to write-protect this efuse, however on ECO3
the write protect field also covers the UART_DOWNLOAD_DIS efuse.

Doing it this way keeps the possibility of disabling UART download
mode, later.
2020-03-31 17:31:59 +11:00
Angus Gratton
cf8dd62fc4 secure boot v2: esp32: Prevent read disabling additional efuses
Also reduce the number of eFuse write cycles during first boot when
Secure Boot and/or Flash Encryption are enabled.
2020-03-31 17:31:56 +11:00
Mahavir Jain
b8fe1fdf27 bootloader_support: initialize mbedtls_ctr_drbg_context per mbedtls v2.16.5 requirement
In commit 02d2903e39, mbedtls was
updated to release v2.16.5, where it was made mandatory to initialize
mbedtls_ctr_drbg_context before using same. It was fixed in wpa supplicant
but missed out in secure boot v2 verification code. This commit
fixes that.
2020-03-23 11:22:20 +05:30
Angus Gratton
32756b165e bootloader: Add fault injection resistance to Secure Boot bootloader verification
Goal is that multiple faults would be required to bypass a boot-time signature check.

- Also strengthens some address range checks for safe app memory addresses
- Change pre-enable logic to also check the bootloader signature before enabling SBV2 on ESP32

Add some additional checks for invalid sections:

- Sections only partially in DRAM or IRAM are invalid
- If a section is in D/IRAM, allow the possibility only some is in D/IRAM
- Only pass sections that are entirely in the same type of RTC memory region
2020-03-06 01:16:04 +05:30
Angus Gratton
74b299c4c7 secure boot: Encrypt the bootloader signature when enabling flash encryption + secure boot v2 2020-03-06 01:16:04 +05:30
Supreet Deshpande
60fed38c0f feat/secure_boot_v2: Adding secure boot v2 support for ESP32-ECO3 2020-03-06 01:16:04 +05:30
suda-morris
1ffb546135 esp32s2:remove unsupported xtal choice
ESP32-S2 only supports 40MHz XTAL and doesn't have XTAL autodetection.
2020-01-09 13:09:21 +08:00
michael
4220752aed ut: Move tests back from "esp32" subfolder
DISABLED_FOR_TARGETS macros are used

Partly revert "ci: disable unavailable tests for esp32s2beta"

This partly reverts commit 76a3a5fb48.

Partly revert "ci: disable UTs for esp32s2beta without runners"

This partly reverts commit eb158e9a22.

Partly revert "fix unit test and examples for s2beta"

This partly reverts commit 9baa7826be.

Partly revert "efuse: Add support for esp32s2beta"

This partly reverts commit db84ba868c.
2020-01-06 17:13:53 +08:00
Angus Gratton
ba3f47efd6 bootloader_support: fix crash in image verification is SHA doesn't match 2019-12-30 13:48:11 +11:00
Angus Gratton
b2ed553bbf bootloader_support: Reduce log spam about chip revisions
* Don't bother checking the chip revision if it looks like the partition
  doesn't really contain an app
* Don't print the "info" level about the revision & min revision unless
  we're in the bootloader (otherwise it gets printed at random times
  during the OTA process)
2019-12-30 13:48:11 +11:00
Angus Gratton
5139934767 bootloader_common: Fix esp_partition_get_sha256(), add unit tests
Regression in 438d513a95

Reported here: https://esp32.com/viewtopic.php?f=13&t=13250&p=52460
2019-12-30 13:47:47 +11:00
morris
888316fc64 bootloader_support: refactor to better support multi target 2019-12-23 05:45:17 +00:00
morris
01ca687caa esp32s2beta: only support unicore 2019-12-09 09:48:37 +08:00
Angus Gratton
fd27c0a113 Merge branch 'bugfix/bootloader_unicore_cache_enable' into 'master'
bootloader: revert support for booting dual-core apps on single-core bootloader

See merge request espressif/esp-idf!6609
2019-11-27 08:01:59 +08:00
wanglei
7b2348baad fix bug that wrap mode not disabled in none-QIO mode 2019-11-15 15:59:07 +00:00
Angus Gratton
ba72de2099 Merge branch 'bugfix/i2s-bootloader-random-disable' into 'master'
bugfix(bootloader): fix  bootloader_random_disable bug

Closes IDFGH-1747 and IDFGH-1739

See merge request espressif/esp-idf!6522
2019-11-08 11:04:15 +08:00
Angus Gratton
75488f1806 Merge branch 'bugfix/cmake_secure_boot' into 'master'
secure boot: CMake bug fixes

See merge request espressif/esp-idf!6523
2019-11-08 10:58:04 +08:00
Ivan Grokhotkov
a8e3ad6bd9 bootloader: revert support for booting dual-core apps on single-core bootloader 2019-11-05 14:42:43 +01:00
Chen Zheng Wei
b4a02c57c2 bugfix(i2s_bootloader_random_disable): fix bug about i2s bootloader_random_disable
bootloader_random_disable disables the ADC incorrectly, causing the ADC to sometimes fail to work. Fix this bug

closes https://github.com/espressif/esp-idf/issues/3973
2019-11-05 10:36:53 +08:00
Angus Gratton
e8881352c5 secure boot: Fix bug where verification key was not embedded in app 2019-10-29 12:46:09 +11:00
Angus Gratton
7ce75a42c7 Merge branch 'master' into feature/esp32s2beta_merge 2019-10-25 15:13:52 +11:00
Angus Gratton
5bec9fb010 Merge branch 'bugfix/random_en_dis_for_app' into 'master'
bootloader_support: Fix using shared CLK_EN and RST_EN regs for random

See merge request espressif/esp-idf!6198
2019-10-23 13:18:01 +08:00
Angus Gratton
496ede9bcd Merge branch 'master' into feature/esp32s2beta_merge 2019-10-15 14:59:27 +11:00
Mahavir Jain
99659091fb bootloader_support: fix logging prints around chip revision 2019-10-11 14:35:22 +05:30
KonstantinKondrashov
807826f796 bootloader_support: Fix using shared CLK_EN and RST_EN regs for random
bootloader_random_enable() and bootloader_random_disable() functions
can be used in app.
This MR added the protection for shared CLK_EN and RST_EN registers.
2019-10-07 06:47:00 +00:00
Ivan Grokhotkov
6bddcdac67 bootloader: move esp32 specific code from bootloader_common
Also implements bootloader_clock_get_rated_freq_mhz for esp32s2beta.

Closes IDF-758
2019-10-03 09:38:13 +02:00
Ivan Grokhotkov
5830f529d8 Merge branch 'master' into feature/esp32s2beta_merge 2019-10-02 19:01:39 +02:00
suda-morris
cbab3c34f8 bootloader: shrink bin size
1. write a bootloader version of "getting chip revision" function.
2. reduce wordy log.
2019-09-27 10:58:30 +08:00