Secure version in the image header is only available for the application
image. However, for certain security workflows, bootloader verifies
itself (own image) and hence the secure version check during that must be
avoided.
Regression introduced in recent commit-id: 3305cb4d
Tested that both secure boot and flash-enc workflows work correctly
with the anti-rollback scenario.
Some additional checks related to secure version of the application in
anti-rollback case have been added to avoid any attempts to boot lower
security version but valid application (e.g., passive partition image).
- Read secure_version under sha256 protection
- First check has been added in the bootloader to ensure correct secure
version after application verification and loading stage. This check
happens before setting up the flash cache mapping and handling over
the final control to application. This check ensures that application
was not swapped (e.g., to lower security version but valid image) just
before the load stage in bootloader.
- Second check has been added in the application startup code to ensure
that currently booting app has higher security version than the one
programmed in the eFuse for anti-rollback scenario. This will ensure
that only the legit application boots-up on the device for
anti-rollback case.
On ESP32-S3 with the default efuse settings, USB PHY is connected to
the USB_SERIAL_JTAG peripheral. If USB OTG peripheral is used for the
console, we need to additionally switch the PHY to USB OTG, otherwise
we won't get any output.
Closes https://github.com/espressif/esp-idf/issues/12437
For the following configuration case:
- CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
- CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
- CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION
verification of the application was failing because the externally
padded bytes were not considered in the hash (checksum) process.
This commit fixes the problem by enabling relevant code for secure OTA
without secure boot case.
Closes https://github.com/espressif/esp-idf/issues/11995
The commit fixes the case:
If variables in RTC RAM have been moved around by the linker,
they will be filled with garbage data. Any reset other than OTA would work fine
because the variables would still be initialized from the initial bootup.
So now system time will be valid even after OTA.
Closes https://github.com/espressif/esp-idf/issues/9448
* The RNG reading frequency of 200 KHz has been too high for
C6 and H2 since on these chips the RNG output is combined
with the RTC slow clock which is only 150KHz. Reduced the max
reading frequency via esp_random() from 200KHz to 62.5KHz,
which show best results in tests.
Also updated the bootloader_fill_random() max frequency to the
same value to be in line, even though it was just 83KHz.
ADDITIONAL_MAKE_CLEAN_FILES is deprecated and only worked with make.
Replaced with the new ADDITIONAL_CLEAN_FILES (CMake 3.15) which also works with ninja.
esp_efuse_utility_load_efuses_from_flash() read emul_efuse
as an encrypted partition, but that is not correct,
this partition was never encrypted.
Need to read it as not encrypted partition.
Fxed the case: If FE is already on then EFUSE VIRT mode can work with it.
Closes https://github.com/espressif/esp-idf/issues/10929
