mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
7c7edab328
Also add steps to disable flash encryption, as some people seem to accidentally enable it. Explicitly mark the flash encryption and secure boot as "READ DOCS FIRST" in menuconfig.
217 lines
8.8 KiB
Plaintext
217 lines
8.8 KiB
Plaintext
menu "Bootloader config"
|
|
choice LOG_BOOTLOADER_LEVEL
|
|
bool "Bootloader log verbosity"
|
|
default LOG_BOOTLOADER_LEVEL_INFO
|
|
help
|
|
Specify how much output to see in bootloader logs.
|
|
|
|
config LOG_BOOTLOADER_LEVEL_NONE
|
|
bool "No output"
|
|
config LOG_BOOTLOADER_LEVEL_ERROR
|
|
bool "Error"
|
|
config LOG_BOOTLOADER_LEVEL_WARN
|
|
bool "Warning"
|
|
config LOG_BOOTLOADER_LEVEL_INFO
|
|
bool "Info"
|
|
config LOG_BOOTLOADER_LEVEL_DEBUG
|
|
bool "Debug"
|
|
config LOG_BOOTLOADER_LEVEL_VERBOSE
|
|
bool "Verbose"
|
|
endchoice
|
|
|
|
config LOG_BOOTLOADER_LEVEL
|
|
int
|
|
default 0 if LOG_BOOTLOADER_LEVEL_NONE
|
|
default 1 if LOG_BOOTLOADER_LEVEL_ERROR
|
|
default 2 if LOG_BOOTLOADER_LEVEL_WARN
|
|
default 3 if LOG_BOOTLOADER_LEVEL_INFO
|
|
default 4 if LOG_BOOTLOADER_LEVEL_DEBUG
|
|
default 5 if LOG_BOOTLOADER_LEVEL_VERBOSE
|
|
|
|
endmenu
|
|
|
|
|
|
|
|
menu "Security features"
|
|
|
|
config SECURE_BOOT_ENABLED
|
|
bool "Enable secure boot in bootloader (READ DOCS FIRST)"
|
|
default N
|
|
help
|
|
Build a bootloader which enables secure boot on first boot.
|
|
|
|
Once enabled, secure boot will not boot a modified bootloader. The bootloader will only load a partition table or boot an app if the data has a verified digital signature. There are implications for reflashing updated apps once secure boot is enabled.
|
|
|
|
When enabling secure boot, JTAG and ROM BASIC Interpreter are permanently disabled by default.
|
|
|
|
Refer to http://esp-idf.readthedocs.io/en/latest/security/secure-boot.html before enabling.
|
|
|
|
choice SECURE_BOOTLOADER_MODE
|
|
bool "Secure bootloader mode"
|
|
depends on SECURE_BOOT_ENABLED
|
|
default SECURE_BOOTLOADER_ONE_TIME_FLASH
|
|
|
|
config SECURE_BOOTLOADER_ONE_TIME_FLASH
|
|
bool "One-time flash"
|
|
help
|
|
On first boot, the bootloader will generate a key which is not readable externally or by software. A digest is generated from the bootloader image itself. This digest will be verified on each subsequent boot.
|
|
|
|
Enabling this option means that the bootloader cannot be changed after the first time it is booted.
|
|
|
|
config SECURE_BOOTLOADER_REFLASHABLE
|
|
bool "Reflashable"
|
|
help
|
|
Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key.
|
|
|
|
This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing key.
|
|
|
|
This option is less secure than one-time flash, because a leak of the digest key from one device allows reflashing of any device that uses it.
|
|
|
|
endchoice
|
|
|
|
config SECURE_BOOT_BUILD_SIGNED_BINARIES
|
|
bool "Sign binaries during build"
|
|
depends on SECURE_BOOT_ENABLED
|
|
default y
|
|
help
|
|
Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
|
|
|
|
If enabled, these binary files are signed as part of the build process. The file named in "Secure boot private signing key" will be used to sign the image.
|
|
|
|
If disabled, unsigned app/partition data will be built. They must be signed manually using espsecure.py (for example, on a remote signing server.)
|
|
|
|
config SECURE_BOOT_SIGNING_KEY
|
|
string "Secure boot private signing key"
|
|
depends on SECURE_BOOT_BUILD_SIGNED_BINARIES
|
|
default secure_boot_signing_key.pem
|
|
help
|
|
Path to the key file used to sign partition tables and app images for secure boot. Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
|
|
|
|
Key file is an ECDSA private key (NIST256p curve) in PEM format.
|
|
|
|
Path is evaluated relative to the project directory.
|
|
|
|
You can generate a new signing key by running the following command:
|
|
espsecure.py generate_signing_key secure_boot_signing_key.pem
|
|
|
|
See docs/security/secure-boot.rst for details.
|
|
|
|
config SECURE_BOOT_VERIFICATION_KEY
|
|
string "Secure boot public signature verification key"
|
|
depends on SECURE_BOOT_ENABLED && !SECURE_BOOT_BUILD_SIGNED_BINARIES
|
|
default signature_verification_key.bin
|
|
help
|
|
Path to a public key file used to verify signed images. This key is compiled into the bootloader,
|
|
and may also be used to verify signatures on OTA images after download.
|
|
|
|
Key file is in raw binary format, and can be extracted from a
|
|
PEM formatted private key using the espsecure.py
|
|
extract_public_key command.
|
|
|
|
Refer to http://esp-idf.readthedocs.io/en/latest/security/secure-boot.html before enabling.
|
|
|
|
config SECURE_BOOT_INSECURE
|
|
bool "Allow potentially insecure options"
|
|
depends on SECURE_BOOT_ENABLED
|
|
default N
|
|
help
|
|
You can disable some of the default protections offered by secure boot, in order to enable testing or a custom combination of security features.
|
|
|
|
Only enable these options if you are very sure.
|
|
|
|
Refer to http://esp-idf.readthedocs.io/en/latest/security/secure-boot.html before enabling.
|
|
|
|
config FLASH_ENCRYPTION_ENABLED
|
|
bool "Enable flash encryption on boot (READ DOCS FIRST)"
|
|
default N
|
|
help
|
|
If this option is set, flash contents will be encrypted by the bootloader on first boot.
|
|
|
|
Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted
|
|
system is complicated and not always possible.
|
|
|
|
Read http://esp-idf.readthedocs.io/en/latest/security/flash-encryption.html before enabling.
|
|
|
|
config FLASH_ENCRYPTION_INSECURE
|
|
bool "Allow potentially insecure options"
|
|
depends on FLASH_ENCRYPTION_ENABLED
|
|
default N
|
|
help
|
|
You can disable some of the default protections offered by flash encryption, in order to enable testing or a custom combination of security features.
|
|
|
|
Only enable these options if you are very sure.
|
|
|
|
Refer to docs/security/secure-boot.rst and docs/security/flash-encryption.rst for details.
|
|
|
|
menu "Potentially insecure options"
|
|
visible if FLASH_ENCRYPTION_INSECURE || SECURE_BOOT_INSECURE
|
|
|
|
# NOTE: Options in this menu NEED to have SECURE_BOOT_INSECURE
|
|
# and/or FLASH_ENCRYPTION_INSECURE in "depends on", as the menu
|
|
# itself doesn't enable/disable its children (if it's not set,
|
|
# it's possible for the insecure menu to be disabled but the insecure option
|
|
# to remain on which is very bad.)
|
|
|
|
config SECURE_BOOT_ALLOW_ROM_BASIC
|
|
bool "Leave ROM BASIC Interpreter available on reset"
|
|
depends on SECURE_BOOT_INSECURE
|
|
default N
|
|
help
|
|
If not set (default), bootloader permanently disables ROM BASIC (on UART console) as a fallback if the bootloader image becomes invalid. This happens on first boot.
|
|
|
|
Only set this option in testing environments.
|
|
|
|
config SECURE_BOOT_ALLOW_JTAG
|
|
bool "Allow JTAG Debugging"
|
|
depends on SECURE_BOOT_INSECURE || FLASH_ENCRYPTION_INSECURE
|
|
default N
|
|
help
|
|
If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot when either secure boot or flash encryption is enabled.
|
|
|
|
Setting this option leaves JTAG on for debugging, which negates all protections of flash encryption and some of the protections of secure boot.
|
|
|
|
Only set this option in testing environments.
|
|
|
|
|
|
config FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_ENCRYPT
|
|
bool "Leave UART bootloader encryption enabled"
|
|
depends on FLASH_ENCRYPTION_INSECURE
|
|
default N
|
|
help
|
|
If not set (default), the bootloader will permanently disable UART bootloader encryption access on first boot. If set, the UART bootloader will still be able to access hardware encryption.
|
|
|
|
It is recommended to only set this option in testing environments.
|
|
|
|
config FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_DECRYPT
|
|
bool "Leave UART bootloader decryption enabled"
|
|
depends on FLASH_ENCRYPTION_INSECURE
|
|
default N
|
|
help
|
|
If not set (default), the bootloader will permanently disable UART bootloader decryption access on first boot. If set, the UART bootloader will still be able to access hardware decryption.
|
|
|
|
Only set this option in testing environments. Setting this option allows complete bypass of flash encryption.
|
|
|
|
config FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_CACHE
|
|
bool "Leave UART bootloader flash cache enabled"
|
|
depends on FLASH_ENCRYPTION_INSECURE
|
|
default N
|
|
help
|
|
If not set (default), the bootloader will permanently disable UART bootloader flash cache access on first boot. If set, the UART bootloader will still be able to access the flash cache.
|
|
|
|
Only set this option in testing environments.
|
|
|
|
config SECURE_BOOT_TEST_MODE
|
|
bool "Secure boot test mode: don't permanently set any efuses"
|
|
depends on SECURE_BOOT_INSECURE
|
|
default N
|
|
help
|
|
If this option is set, all permanent secure boot changes (via Efuse) are disabled.
|
|
|
|
Log output will state changes which would be applied, but they will not be.
|
|
|
|
This option is for testing purposes only - it completely disables secure boot protection.
|
|
|
|
|
|
endmenu # potentially insecure
|
|
|
|
endmenu |