espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-31 19:24:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

bootloader_support(esp32c2): Fix WR_DIS_RD_DIS burn for secure boot key

Browse Source 
SB key is left readable, the corresponding bit in RD_DIS is unset.
We set write-protection for RD_DIS to ensure that the SB key is always readable.
This commit is contained in:
KonstantinKondrashov
2023-01-06 00:44:46 +08:00
parent 07bf145e06
commit 1cb0472520
4 changed files with 22 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
components/bootloader_support/src/esp32c2/secure_boot_secure_features.c
View File

@@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN); esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
// Secure boot and Flash encryption share one eFuse key block so they can not be set separately.
// CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
// SB key is readable, the corresponding bit in RD_DIS is unset.
// We set write-protection for RD_DIS to ensure that the SB key is always readable.
// FE key is read-protected, the corresponding bit in RD_DIS is set.
ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
#else
ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#endif
return ESP_OK; return ESP_OK;
} }

12
components/efuse/esp32c2/esp_efuse_table.c
View File

@@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@@ -9,7 +9,7 @@
#include <assert.h> #include <assert.h>
#include "esp_efuse_table.h" #include "esp_efuse_table.h"
// md5_digest_table 5bc3d3149d5d4c75461337fa415d6533 // md5_digest_table 4d0ed19c755bd49610cefdd83f798536
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
// If you want to change some fields, you need to change esp_efuse_table.csv file // If you want to change some fields, you need to change esp_efuse_table.csv file
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -19,8 +19,8 @@ static const esp_efuse_desc_t WR_DIS[] = {
{EFUSE_BLK0, 0, 8}, // Write protection, {EFUSE_BLK0, 0, 8}, // Write protection,
}; };
static const esp_efuse_desc_t WR_DIS_KEY0_RD_DIS[] = { static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
{EFUSE_BLK0, 0, 1}, // Write protection for KEY0_RD_DIS, {EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS,
}; };
static const esp_efuse_desc_t WR_DIS_GROUP_1[] = { static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
@@ -249,8 +249,8 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = {
NULL NULL
}; };
const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[] = { const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
&WR_DIS_KEY0_RD_DIS[0], // Write protection for KEY0_RD_DIS &WR_DIS_RD_DIS[0], // Write protection for RD_DIS
NULL NULL
}; };

2
components/efuse/esp32c2/esp_efuse_table.csv
View File

@@ -12,7 +12,7 @@
############################## ##############################
# EFUSE_RD_WR_DIS_REG # # EFUSE_RD_WR_DIS_REG #
WR_DIS, EFUSE_BLK0, 0, 8, Write protection WR_DIS, EFUSE_BLK0, 0, 8, Write protection
WR_DIS.KEY0_RD_DIS, EFUSE_BLK0, 0, 1, Write protection for KEY0_RD_DIS WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS
WR_DIS.GROUP_1, EFUSE_BLK0, 1, 1, Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE WR_DIS.GROUP_1, EFUSE_BLK0, 1, 1, Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE
WR_DIS.GROUP_2, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN WR_DIS.GROUP_2, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN
WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN
Can't render this file because it contains an unexpected character in line 7 and column 53.

6
components/efuse/esp32c2/include/esp_efuse_table.h
View File

@@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@@ -10,7 +10,7 @@ extern "C" {
#include "esp_efuse.h" #include "esp_efuse.h"
// md5_digest_table 5bc3d3149d5d4c75461337fa415d6533 // md5_digest_table 4d0ed19c755bd49610cefdd83f798536
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
// If you want to change some fields, you need to change esp_efuse_table.csv file // If you want to change some fields, you need to change esp_efuse_table.csv file
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -18,7 +18,7 @@ extern "C" {
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];