diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index e4ae246932..4a2bef8455 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -437,15 +437,21 @@ menu "Security features" select MBEDTLS_ECDSA_C depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE - config SECURE_BOOT_SUPPORTS_RSA + config SECURE_BOOT_V2_RSA_SUPPORTED bool default y - depends on ESP32_REV_MIN_3 || IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3 + # RSA secure boot is supported in ESP32 revision >= ECO3 + depends on ESP32_REV_MIN >= 3 || SOC_SECURE_BOOT_V2_RSA - config SECURE_TARGET_HAS_SECURE_ROM_DL_MODE + config SECURE_BOOT_V1_SUPPORTED bool default y - depends on IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3 + depends on SOC_SECURE_BOOT_V1 + + config SECURE_BOOT_V2_PREFERRED + bool + default y + depends on ESP32_REV_MIN >= 3 config SECURE_SIGNED_APPS_NO_SECURE_BOOT @@ -474,7 +480,7 @@ menu "Security features" config SECURE_SIGNED_APPS_ECDSA_SCHEME bool "ECDSA" - depends on IDF_TARGET_ESP32 && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V1_ENABLED) + depends on SECURE_BOOT_V1_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V1_ENABLED) help Embeds the ECDSA public key in the bootloader and signs the application with an ECDSA key. @@ -482,7 +488,7 @@ menu "Security features" config SECURE_SIGNED_APPS_RSA_SCHEME bool "RSA" - depends on SECURE_BOOT_SUPPORTS_RSA && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED) + depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED) help Appends the RSA-3072 based Signature block to the application. Refer to before enabling. @@ -517,7 +523,8 @@ menu "Security features" config SECURE_BOOT bool "Enable hardware Secure Boot in bootloader (READ DOCS FIRST)" default n - depends on IDF_TARGET_ESP32 || IDF_TARGET_ESP32S2 || ESP32C3_REV_MIN >= 3 || IDF_TARGET_ESP32S3 + # Secure boot is not supported for ESP32-C3 revision < ECO3 + depends on SOC_SECURE_BOOT_SUPPORTED && !(IDF_TARGET_ESP32C3 && ESP32C3_REV_MIN < 3) select ESPTOOLPY_NO_STUB if !IDF_TARGET_ESP32 && !IDF_TARGET_ESP32S2 help Build a bootloader which enables Secure Boot on first boot. @@ -530,7 +537,7 @@ menu "Security features" choice SECURE_BOOT_VERSION bool "Select secure boot version" - default SECURE_BOOT_V2_ENABLED if ESP32_REV_MIN_3 + default SECURE_BOOT_V2_ENABLED if SECURE_BOOT_V2_PREFERRED depends on SECURE_BOOT help Select the Secure Boot Version. Depends on the Chip Revision. @@ -541,14 +548,14 @@ menu "Security features" config SECURE_BOOT_V1_ENABLED bool "Enable Secure Boot version 1" - depends on IDF_TARGET_ESP32 + depends on SECURE_BOOT_V1_SUPPORTED help Build a bootloader which enables secure boot version 1 on first boot. Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. config SECURE_BOOT_V2_ENABLED bool "Enable Secure Boot version 2" - depends on SECURE_BOOT_SUPPORTS_RSA + depends on SECURE_BOOT_V2_RSA_SUPPORTED help Build a bootloader which enables Secure Boot version 2 on first boot. Refer to Secure Boot V2 section of the ESP-IDF Programmer's Guide for this version before enabling. @@ -632,7 +639,7 @@ menu "Security features" config SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE bool "Enable Aggressive key revoke strategy" - depends on SECURE_BOOT && (IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3) + depends on SECURE_BOOT && SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY default N help If this option is set, ROM bootloader will revoke the public key digest burned in efuse block @@ -697,7 +704,7 @@ menu "Security features" choice SECURE_FLASH_ENCRYPTION_KEYSIZE bool "Size of generated AES-XTS key" default SECURE_FLASH_ENCRYPTION_AES128 - depends on (IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32S3 || IDF_TARGET_ESP32C2) && SECURE_FLASH_ENC_ENABLED + depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 && SECURE_FLASH_ENC_ENABLED help Size of generated AES-XTS key. @@ -709,11 +716,9 @@ menu "Security features" config SECURE_FLASH_ENCRYPTION_AES128 bool "AES-128 (256-bit key)" - depends on !IDF_TARGET_ESP32C2 # TODO: IDF-3899 config SECURE_FLASH_ENCRYPTION_AES256 bool "AES-256 (512-bit key)" - depends on !IDF_TARGET_ESP32C2 # TODO: IDF-3899 endchoice choice SECURE_FLASH_ENCRYPTION_MODE @@ -813,7 +818,7 @@ menu "Security features" config SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS bool "Leave unused digest slots available (not revoke)" - depends on SECURE_BOOT_INSECURE && !IDF_TARGET_ESP32 + depends on SECURE_BOOT_INSECURE && SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS default N help If not set (default), during startup in the app all unused digest slots will be revoked. @@ -882,7 +887,7 @@ menu "Security features" config SECURE_ROM_DL_MODE_ENABLED bool - default y if SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + default y if SOC_SUPPORTS_SECURE_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT choice SECURE_UART_ROM_DL_MODE bool "UART ROM download mode" @@ -908,7 +913,7 @@ menu "Security features" config SECURE_ENABLE_SECURE_ROM_DL_MODE bool "UART ROM download mode (Permanently switch to Secure mode (recommended))" - depends on SECURE_TARGET_HAS_SECURE_ROM_DL_MODE + depends on SOC_SUPPORTS_SECURE_DL_MODE select ESPTOOLPY_NO_STUB help If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM diff --git a/components/soc/esp32/include/soc/Kconfig.soc_caps.in b/components/soc/esp32/include/soc/Kconfig.soc_caps.in index 9c61ff279e..14c981046c 100644 --- a/components/soc/esp32/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32/include/soc/Kconfig.soc_caps.in @@ -75,10 +75,6 @@ config SOC_CCOMP_TIMER_SUPPORTED bool default y -config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS - bool - default y - config SOC_RTC_FAST_MEM_SUPPORTED bool default y @@ -115,6 +111,14 @@ config SOC_SHA_SUPPORTED bool default y +config SOC_FLASH_ENC_SUPPORTED + bool + default y + +config SOC_SECURE_BOOT_SUPPORTED + bool + default y + config SOC_ADC_RTC_CTRL_SUPPORTED bool default y @@ -571,6 +575,14 @@ config SOC_AES_SUPPORT_AES_256 bool default y +config SOC_SECURE_BOOT_V1 + bool + default y + +config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS + bool + default y + config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX int default 32 diff --git a/components/soc/esp32/include/soc/soc_caps.h b/components/soc/esp32/include/soc/soc_caps.h index 234869cea1..5ff1f07b28 100644 --- a/components/soc/esp32/include/soc/soc_caps.h +++ b/components/soc/esp32/include/soc/soc_caps.h @@ -78,7 +78,6 @@ #define SOC_CPU_CORES_NUM 2 #define SOC_ULP_SUPPORTED 1 #define SOC_CCOMP_TIMER_SUPPORTED 1 -#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 1 #define SOC_RTC_FAST_MEM_SUPPORTED 1 #define SOC_RTC_SLOW_MEM_SUPPORTED 1 #define SOC_I2S_SUPPORTED 1 @@ -88,6 +87,8 @@ #define SOC_AES_SUPPORTED 1 #define SOC_MPI_SUPPORTED 1 #define SOC_SHA_SUPPORTED 1 +#define SOC_FLASH_ENC_SUPPORTED 1 +#define SOC_SECURE_BOOT_SUPPORTED 1 /*-------------------------- ADC CAPS ----------------------------------------*/ /** @@ -319,6 +320,15 @@ #define SOC_AES_SUPPORT_AES_192 (1) #define SOC_AES_SUPPORT_AES_256 (1) +/*-------------------------- Secure Boot CAPS----------------------------*/ +/* + * ESP32 ECO3 revision also supports `SOC_SECURE_BOOT_V2_RSA` but for that we will need selected ECO + * version from `Kconfig`, which is not possible while generating `Kconfig.soc_caps.in` from this header. + * Hence, for now we are handling this special capability in bootloader "security" configuration itself. + */ +#define SOC_SECURE_BOOT_V1 1 +#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 1 + /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (32) diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in index 0343113898..a03acaf634 100644 --- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in @@ -35,14 +35,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE bool default y -config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS - bool - default y - -config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS - bool - default n - config SOC_EFUSE_KEY_PURPOSE_FIELD bool default n @@ -59,14 +51,6 @@ config SOC_RTC_SLOW_MEM_SUPPORTED bool default n -config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY - bool - default n - -config SOC_FLASH_ENCRYPTION_XTS_AES - bool - default y - config SOC_SHA_SUPPORTED bool default n @@ -75,6 +59,14 @@ config SOC_ECC_SUPPORTED bool default y +config SOC_FLASH_ENC_SUPPORTED + bool + default y + +config SOC_SECURE_BOOT_SUPPORTED + bool + default y + config SOC_ADC_DIG_CTRL_SUPPORTED bool default y @@ -431,10 +423,26 @@ config SOC_TOUCH_SENSOR_NUM int default 0 +config SOC_SECURE_BOOT_V2_ECC + bool + default y + +config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS + bool + default y + config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX int default 32 +config SOC_FLASH_ENCRYPTION_XTS_AES + bool + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_128 + bool + default n + config SOC_UART_NUM int default 2 diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h index f59ed617f0..11fe98e3a5 100644 --- a/components/soc/esp32c2/include/soc/soc_caps.h +++ b/components/soc/esp32c2/include/soc/soc_caps.h @@ -33,16 +33,15 @@ #define SOC_WIFI_SUPPORTED 0 // Enable during bringup, IDF-3905 #define SOC_ASYNC_MEMCPY_SUPPORTED 1 #define SOC_SUPPORTS_SECURE_DL_MODE 1 -#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 1 -#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 0 #define SOC_EFUSE_KEY_PURPOSE_FIELD 0 #define SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK 1 #define SOC_RTC_FAST_MEM_SUPPORTED 0 #define SOC_RTC_SLOW_MEM_SUPPORTED 0 -#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 0 -#define SOC_FLASH_ENCRYPTION_XTS_AES 1 + #define SOC_SHA_SUPPORTED 0 // This will be enabled with IDF-3830 #define SOC_ECC_SUPPORTED 1 +#define SOC_FLASH_ENC_SUPPORTED 1 +#define SOC_SECURE_BOOT_SUPPORTED 1 /*-------------------------- ADC CAPS -------------------------------*/ /*!< SAR ADC Module*/ @@ -224,8 +223,14 @@ /*-------------------------- TOUCH SENSOR CAPS -------------------------------*/ #define SOC_TOUCH_SENSOR_NUM (0U) /*! No touch sensors on ESP32-C2 */ +/*-------------------------- Secure Boot CAPS----------------------------*/ +#define SOC_SECURE_BOOT_V2_ECC 1 +#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 1 + /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (32) +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 0 // This will be enabled with IDF-3899 /*-------------------------- UART CAPS ---------------------------------------*/ // ESP32-C2 has 2 UARTs diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index a06174d3df..e2046cf987 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -43,10 +43,6 @@ config SOC_TEMP_SENSOR_SUPPORTED bool default y -config SOC_FLASH_ENCRYPTION_XTS_AES - bool - default y - config SOC_XT_WDT_SUPPORTED bool default y @@ -59,14 +55,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE bool default y -config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS - int - default 3 - -config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS - bool - default y - config SOC_EFUSE_KEY_PURPOSE_FIELD bool default y @@ -79,10 +67,6 @@ config SOC_RTC_SLOW_MEM_SUPPORTED bool default n -config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY - bool - default y - config SOC_I2S_SUPPORTED bool default y @@ -119,6 +103,14 @@ config SOC_DIG_SIGN_SUPPORTED bool default y +config SOC_FLASH_ENC_SUPPORTED + bool + default y + +config SOC_SECURE_BOOT_SUPPORTED + bool + default y + config SOC_AES_SUPPORT_DMA bool default y @@ -607,10 +599,34 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_SECURE_BOOT_V2_RSA + bool + default y + +config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS + int + default 3 + +config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS + bool + default y + +config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + bool + default y + config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX int default 32 +config SOC_FLASH_ENCRYPTION_XTS_AES + bool + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_128 + bool + default y + config SOC_UART_NUM int default 2 diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index dc7805d960..1071b6155c 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -35,16 +35,12 @@ #define SOC_ASYNC_MEMCPY_SUPPORTED 1 #define SOC_USB_SERIAL_JTAG_SUPPORTED 1 #define SOC_TEMP_SENSOR_SUPPORTED 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES 1 #define SOC_XT_WDT_SUPPORTED 1 #define SOC_WIFI_SUPPORTED 1 #define SOC_SUPPORTS_SECURE_DL_MODE 1 -#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 -#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 #define SOC_EFUSE_KEY_PURPOSE_FIELD 1 #define SOC_RTC_FAST_MEM_SUPPORTED 1 #define SOC_RTC_SLOW_MEM_SUPPORTED 0 -#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 #define SOC_I2S_SUPPORTED 1 #define SOC_RMT_SUPPORTED 1 #define SOC_SIGMADELTA_SUPPORTED 1 @@ -54,6 +50,11 @@ #define SOC_SHA_SUPPORTED 1 #define SOC_HMAC_SUPPORTED 1 #define SOC_DIG_SIGN_SUPPORTED 1 +#define SOC_FLASH_ENC_SUPPORTED 1 +/* Secure boot is only supported in ESP32-C3 revision > ECO3. We check ECO revision in + * bootloader "security" configuration and accordingly prevent its usage for ECO2 and + * earlier revisions */ +#define SOC_SECURE_BOOT_SUPPORTED 1 /*-------------------------- AES CAPS -----------------------------------------*/ #define SOC_AES_SUPPORT_DMA (1) @@ -291,8 +292,16 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- Secure Boot CAPS----------------------------*/ +#define SOC_SECURE_BOOT_V2_RSA 1 +#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 +#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 +#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 + /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (32) +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /*-------------------------- UART CAPS ---------------------------------------*/ // ESP32-C3 has 2 UARTs diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index b826034b13..a5439cb851 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -47,10 +47,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE bool default y -config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS - int - default 3 - config SOC_EFUSE_KEY_PURPOSE_FIELD bool default y @@ -67,10 +63,6 @@ config SOC_RTC_SLOW_MEM_SUPPORTED bool default n -config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY - bool - default y - config SOC_I2S_SUPPORTED bool default y @@ -107,6 +99,14 @@ config SOC_ECC_SUPPORTED bool default n +config SOC_FLASH_ENC_SUPPORTED + bool + default y + +config SOC_SECURE_BOOT_SUPPORTED + bool + default y + config SOC_AES_SUPPORT_DMA bool default y @@ -591,10 +591,34 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_SECURE_BOOT_V2_RSA + bool + default y + +config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS + int + default 3 + +config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS + bool + default y + +config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + bool + default y + config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX int default 32 +config SOC_FLASH_ENCRYPTION_XTS_AES + bool + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_128 + bool + default y + config SOC_UART_NUM int default 2 diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index b07fce3379..688b08d5fb 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -44,12 +44,10 @@ #define SOC_ASYNC_MEMCPY_SUPPORTED 1 #define SOC_USB_SERIAL_JTAG_SUPPORTED 1 #define SOC_SUPPORTS_SECURE_DL_MODE 1 -#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 #define SOC_EFUSE_KEY_PURPOSE_FIELD 1 #define SOC_TEMP_SENSOR_SUPPORTED 1 #define SOC_RTC_FAST_MEM_SUPPORTED 1 #define SOC_RTC_SLOW_MEM_SUPPORTED 0 -#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 #define SOC_I2S_SUPPORTED 1 #define SOC_RMT_SUPPORTED 1 #define SOC_SIGMADELTA_SUPPORTED 1 @@ -59,6 +57,9 @@ #define SOC_HMAC_SUPPORTED 1 #define SOC_DIG_SIGN_SUPPORTED 1 #define SOC_ECC_SUPPORTED 0 // This will be enabled with IDF-3397 +#define SOC_FLASH_ENC_SUPPORTED 1 +#define SOC_SECURE_BOOT_SUPPORTED 1 + /*-------------------------- AES CAPS -----------------------------------------*/ #define SOC_AES_SUPPORT_DMA (1) @@ -302,8 +303,16 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- Secure Boot CAPS----------------------------*/ +#define SOC_SECURE_BOOT_V2_RSA 1 +#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 +#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 +#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 + /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (32) +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /*-------------------------- UART CAPS ---------------------------------------*/ // ESP32-H2 has 2 UARTs diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index c4ad57a9ed..13250f74fc 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -59,14 +59,6 @@ config SOC_ASYNC_MEMCPY_SUPPORTED bool default y -config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS - int - default 3 - -config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS - bool - default y - config SOC_EFUSE_KEY_PURPOSE_FIELD bool default y @@ -79,14 +71,6 @@ config SOC_CACHE_SUPPORT_WRAP bool default y -config SOC_FLASH_ENCRYPTION_XTS_AES - bool - default y - -config SOC_FLASH_ENCRYPTION_XTS_AES_256 - bool - default y - config SOC_RTC_FAST_MEM_SUPPORTED bool default y @@ -103,10 +87,6 @@ config SOC_XT_WDT_SUPPORTED bool default y -config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY - bool - default y - config SOC_I2S_SUPPORTED bool default y @@ -143,6 +123,14 @@ config SOC_DIG_SIGN_SUPPORTED bool default y +config SOC_FLASH_ENC_SUPPORTED + bool + default y + +config SOC_SECURE_BOOT_SUPPORTED + bool + default y + config SOC_ADC_RTC_CTRL_SUPPORTED bool default y @@ -707,10 +695,38 @@ config SOC_AES_SUPPORT_GCM bool default y +config SOC_SECURE_BOOT_V2_RSA + bool + default y + +config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS + int + default 3 + +config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS + bool + default y + +config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + bool + default y + config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX int default 64 +config SOC_FLASH_ENCRYPTION_XTS_AES + bool + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_128 + bool + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_256 + bool + default y + config SOC_AES_CRYPTO_DMA bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index 18ebe84e30..b38a02f993 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -53,18 +53,13 @@ #define SOC_ULP_SUPPORTED 1 #define SOC_CCOMP_TIMER_SUPPORTED 1 #define SOC_ASYNC_MEMCPY_SUPPORTED 1 -#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 -#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 #define SOC_EFUSE_KEY_PURPOSE_FIELD 1 #define SOC_TEMP_SENSOR_SUPPORTED 1 #define SOC_CACHE_SUPPORT_WRAP 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 #define SOC_RTC_FAST_MEM_SUPPORTED 1 #define SOC_RTC_SLOW_MEM_SUPPORTED 1 #define SOC_PSRAM_DMA_CAPABLE 1 #define SOC_XT_WDT_SUPPORTED 1 -#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 #define SOC_I2S_SUPPORTED 1 #define SOC_RMT_SUPPORTED 1 #define SOC_SIGMADELTA_SUPPORTED 1 @@ -74,6 +69,8 @@ #define SOC_SHA_SUPPORTED 1 #define SOC_HMAC_SUPPORTED 1 #define SOC_DIG_SIGN_SUPPORTED 1 +#define SOC_FLASH_ENC_SUPPORTED 1 +#define SOC_SECURE_BOOT_SUPPORTED 1 /*-------------------------- ADC CAPS ----------------------------------------*/ @@ -332,8 +329,17 @@ #define SOC_AES_SUPPORT_DMA (1) #define SOC_AES_SUPPORT_GCM (1) +/*-------------------------- Secure Boot CAPS----------------------------*/ +#define SOC_SECURE_BOOT_V2_RSA 1 +#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 +#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 +#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 + /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* Has "crypto DMA", which is shared with SHA */ #define SOC_AES_CRYPTO_DMA (1) diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index e3fe1f47fe..4b1ccb59ed 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -135,14 +135,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE bool default y -config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS - int - default 3 - -config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS - bool - default y - config SOC_EFUSE_KEY_PURPOSE_FIELD bool default y @@ -151,10 +143,6 @@ config SOC_SDMMC_HOST_SUPPORTED bool default y -config SOC_FLASH_ENCRYPTION_XTS_AES - bool - default y - config SOC_RTC_FAST_MEM_SUPPORTED bool default y @@ -163,14 +151,6 @@ config SOC_RTC_SLOW_MEM_SUPPORTED bool default y -config SOC_FLASH_ENCRYPTION_XTS_AES_256 - bool - default y - -config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY - bool - default y - config SOC_PSRAM_DMA_CAPABLE bool default y @@ -219,6 +199,14 @@ config SOC_DIG_SIGN_SUPPORTED bool default y +config SOC_FLASH_ENC_SUPPORTED + bool + default y + +config SOC_SECURE_BOOT_SUPPORTED + bool + default y + config SOC_APPCPU_HAS_CLOCK_GATING_BUG bool default y @@ -839,10 +827,38 @@ config SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY bool default y +config SOC_SECURE_BOOT_V2_RSA + bool + default y + +config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS + int + default 3 + +config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS + bool + default y + +config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + bool + default y + config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX int default 64 +config SOC_FLASH_ENCRYPTION_XTS_AES + bool + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_128 + bool + default y + +config SOC_FLASH_ENCRYPTION_XTS_AES_256 + bool + default y + config SOC_WIFI_HW_TSF bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index cdf43d6479..e8384523b2 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -44,15 +44,10 @@ #define SOC_CCOMP_TIMER_SUPPORTED 1 #define SOC_ASYNC_MEMCPY_SUPPORTED 1 #define SOC_SUPPORTS_SECURE_DL_MODE 1 -#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 -#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 #define SOC_EFUSE_KEY_PURPOSE_FIELD 1 #define SOC_SDMMC_HOST_SUPPORTED 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES 1 #define SOC_RTC_FAST_MEM_SUPPORTED 1 #define SOC_RTC_SLOW_MEM_SUPPORTED 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 -#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 #define SOC_PSRAM_DMA_CAPABLE 1 #define SOC_XT_WDT_SUPPORTED 1 #define SOC_I2S_SUPPORTED 1 @@ -65,6 +60,8 @@ #define SOC_SHA_SUPPORTED 1 #define SOC_HMAC_SUPPORTED 1 #define SOC_DIG_SIGN_SUPPORTED 1 +#define SOC_FLASH_ENC_SUPPORTED 1 +#define SOC_SECURE_BOOT_SUPPORTED 1 /*-------------------------- SOC CAPS ----------------------------------------*/ @@ -364,10 +361,17 @@ #define SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY (1) +/*-------------------------- Secure Boot CAPS----------------------------*/ +#define SOC_SECURE_BOOT_V2_RSA 1 +#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 +#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 +#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) - +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /*-------------------------- WI-FI HARDWARE TSF CAPS -------------------------------*/ #define SOC_WIFI_HW_TSF (1)