Some additional checks related to secure version of the application in
anti-rollback case have been added to avoid any attempts to boot lower
security version but valid application (e.g., passive partition image).
- Read secure_version under sha256 protection
- First check has been added in the bootloader to ensure correct secure
version after application verification and loading stage. This check
happens before setting up the flash cache mapping and handing over
the final control to application. This check ensures that application
was not swapped (e.g., to lower security version but valid image) just
before the load stage in bootloader.
- Second check has been added in the application startup code to ensure
that currently booting app has higher security version than the one
programmed in the eFuse for anti-rollback scenario. This will ensure
that only the legit application boots up on the device for
anti-rollback case.
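
The two checks described above, modelled in plain C as an added example that is not code from the commit or from ESP-IDF. All names are hypothetical, `digest_valid` stands in for the SHA-256/signature verification, the swap is a constructed stand-in for the passive-partition case, and it is assumed that only versions lower than the eFuse value are refused.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the boot flow; none of these names are ESP-IDF APIs. */
typedef struct {
    uint32_t secure_version; /* read under digest protection in the real flow */
    bool     digest_valid;   /* stand-in for SHA-256/signature verification */
} app_image_t;

typedef enum { BOOT_OK, REJECT_INVALID, REJECT_AT_LOAD, REJECT_AT_STARTUP } boot_result_t;
enum { CHECK_BOOTLOADER = 1, CHECK_STARTUP = 2 };

/* Assumption: only a version lower than the eFuse value is refused. */
static bool version_allowed(uint32_t app_version, uint32_t efuse_version)
{
    return app_version >= efuse_version;
}

/*
 * slot:    image the bootloader selected and verifies
 * swap_to: if non-NULL, the slot content changes after verification
 *          (constructed stand-in for a swap to an older but valid image)
 * checks:  which of the two added checks are enabled
 */
boot_result_t boot_flow(const app_image_t *slot, const app_image_t *swap_to,
                        uint32_t efuse_version, int checks)
{
    /* Verification stage: digest and secure version of the selected image. */
    if (!slot->digest_valid || !version_allowed(slot->secure_version, efuse_version))
        return REJECT_INVALID;

    if (swap_to != NULL)            /* window between verification and load */
        slot = swap_to;

    app_image_t loaded = *slot;     /* load stage: whatever is in the slot now */

    /* First check: in the bootloader, after load, before cache mapping and handover. */
    if ((checks & CHECK_BOOTLOADER) && !version_allowed(loaded.secure_version, efuse_version))
        return REJECT_AT_LOAD;

    /* Second check: application startup code compares itself with the eFuse value. */
    if ((checks & CHECK_STARTUP) && !version_allowed(loaded.secure_version, efuse_version))
        return REJECT_AT_STARTUP;

    return BOOT_OK;
}
```
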
For some of the MSPI high frequency settings (e.g. 80M DDR mode Flash or PSRAM), timing tuning is required.
Certain delays will be added to the MSPI RX direction. When system clock switches down, the delays should be
cleared. When system clock switches up, the delays should be restored.
Replaced hyphens with underscores in examples
project definition for all examples which had
hyphens in their project name. dpp-enrollee is
an exception because the name matches the
project directory name while the project
directory also contains hyphens.
* On S3, the placement of ROM functions is
ECO-dependent. Hence, we don't jump into
the middle of the longjmp function in ROM
on S3 anymore.
Instead, the whole longjmp function is used
in the patch.
* Also properly excluded the patch from
bootloader build with Makefiles
Closes IDF-3391
The previous location was the return from the first ets_printf call
that prints ROM sign-on message. Since the main function was patched
in ECO3, the new address no longer works — there is no instruction at
0x40007901 in ECO3 ROM. This could be solved by setting two
breakpoints (one would work for ECO <=2, the other for ECO3), but we
would need to remove the unused breakpoint later.
Fix this by setting the breakpoint at ets_printf. This means that when
debugging a loadable ELF the ROM sign-on message will no longer be
shown, but this doesn't seem to be an issue.
* Patched longjmp to be context-switch safe
longjmp modifies the windowbase and windowstart
registers, which isn't safe if a context switch
occurs during the modification. After a context
switch, windowstart and windowbase will be
different, leading to a wrongly set windowstart
bit due to longjmp writing it based on the
windowbase before the context switch. This
corrupts the registers at the next window
overflow reaching that wrongly set bit.
The solution is to disable interrupts during
this code. It is only 6 instructions long,
the impact shouldn't be significant.
The fix is implemented as a wrapper which
replaces the original first instructions of
longjmp which are buggy. Then, it jumps back
to execute the rest of the original longjmp
function.
Added a comparably reliable test to the
test apps.