diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index efb7eb8bce..2a5c690298 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -12,6 +12,7 @@ #include "esp_spi_flash.h" #endif #include "soc/efuse_periph.h" +#include "hal/efuse_hal.h" #include "sdkconfig.h" #ifdef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH @@ -46,19 +47,15 @@ typedef enum { */ static inline /** @cond */ IRAM_ATTR /** @endcond */ bool esp_flash_encryption_enabled(void) { +#ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH + return efuse_hal_flash_encryption_enabled(); +#else + uint32_t flash_crypt_cnt = 0; #if CONFIG_IDF_TARGET_ESP32 - #ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH - flash_crypt_cnt = REG_GET_FIELD(EFUSE_BLK0_RDATA0_REG, EFUSE_RD_FLASH_CRYPT_CNT); - #else - esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); - #endif + esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); #else - #ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH - flash_crypt_cnt = REG_GET_FIELD(EFUSE_RD_REPEAT_DATA1_REG, EFUSE_SPI_BOOT_CRYPT_CNT); - #else - esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); - #endif + esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); #endif /* __builtin_parity is in flash, so we calculate parity inline */ bool enabled = false; @@ -69,6 +66,7 @@ static inline /** @cond */ IRAM_ATTR /** @endcond */ bool esp_flash_encryption_e flash_crypt_cnt >>= 1; } return enabled; +#endif // CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH } /* @brief Update on-device flash encryption diff --git a/components/bootloader_support/src/bootloader_flash.c b/components/bootloader_support/src/bootloader_flash.c index d358bcf904..3c971d3b7e 100644 --- a/components/bootloader_support/src/bootloader_flash.c +++ b/components/bootloader_support/src/bootloader_flash.c @@ -10,6 +10,7 @@ #include #include "sdkconfig.h" #include "soc/soc_caps.h" +#include "hal/efuse_hal.h" #if CONFIG_IDF_TARGET_ESP32 # include "soc/spi_struct.h" @@ -36,7 +37,7 @@ #endif #ifdef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH -#define ENCRYPTION_IS_VIRTUAL 1 +#define ENCRYPTION_IS_VIRTUAL (!efuse_hal_flash_encryption_enabled()) #else #define ENCRYPTION_IS_VIRTUAL 0 #endif diff --git a/components/efuse/src/esp_efuse_utility.c b/components/efuse/src/esp_efuse_utility.c index db5b4a9af9..ab1c3e664d 100644 --- a/components/efuse/src/esp_efuse_utility.c +++ b/components/efuse/src/esp_efuse_utility.c @@ -439,7 +439,7 @@ bool esp_efuse_utility_load_efuses_from_flash(void) } uint32_t efuses_in_flash[sizeof(virt_blocks)]; - esp_err_t err = bootloader_flash_read(esp_efuse_flash_offset, &efuses_in_flash, sizeof(efuses_in_flash), true); + esp_err_t err = bootloader_flash_read(esp_efuse_flash_offset, &efuses_in_flash, sizeof(efuses_in_flash), false); if (err != ESP_OK) { ESP_EARLY_LOGE(TAG, "Can not read eFuse partition from flash (err=0x%x)", err); abort(); diff --git a/components/hal/efuse_hal.c b/components/hal/efuse_hal.c index 133a81c477..d1d740ce20 100644 --- a/components/hal/efuse_hal.c +++ b/components/hal/efuse_hal.c @@ -17,3 +17,16 @@ IRAM_ATTR uint32_t efuse_hal_chip_revision(void) { return efuse_hal_get_major_chip_version() * 100 + efuse_hal_get_minor_chip_version(); } + +IRAM_ATTR bool efuse_hal_flash_encryption_enabled(void) +{ + uint32_t flash_crypt_cnt = efuse_ll_get_flash_crypt_cnt(); + bool enabled = false; + while (flash_crypt_cnt) { + if (flash_crypt_cnt & 1) { + enabled = !enabled; + } + flash_crypt_cnt >>= 1; + } + return enabled; +} diff --git a/components/hal/include/hal/efuse_hal.h b/components/hal/include/hal/efuse_hal.h index ca7fcd2003..21877d508a 100644 --- a/components/hal/include/hal/efuse_hal.h +++ b/components/hal/include/hal/efuse_hal.h @@ -21,6 +21,15 @@ extern "C" { */ uint32_t efuse_hal_chip_revision(void); +/** + * @brief Is flash encryption currently enabled in hardware? + * + * Flash encryption is enabled if the FLASH_CRYPT_CNT efuse has an odd number of bits set. + * + * @return true if flash encryption is enabled. + */ +bool efuse_hal_flash_encryption_enabled(void); + /** * @brief Returns major chip version */ diff --git a/docs/en/api-reference/system/efuse.rst b/docs/en/api-reference/system/efuse.rst index d972f000e1..9e90131bb6 100644 --- a/docs/en/api-reference/system/efuse.rst +++ b/docs/en/api-reference/system/efuse.rst @@ -361,6 +361,11 @@ During startup, the eFuses are copied to RAM. All eFuse operations (read and wri In addition to the :ref:`CONFIG_EFUSE_VIRTUAL` option there is :ref:`CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH` option that adds a feature to keep eFuses in flash memory. To use this mode the partition_table should have the `efuse` partition. partition.csv: ``"efuse_em, data, efuse, , 0x2000,"``. During startup, the eFuses are copied from flash or, in case if flash is empty, from real eFuse to RAM and then update flash. This option allows keeping eFuses after reboots (possible to test secure_boot and flash_encryption features with this option). +Flash Encryption Testing +"""""""""""""""""""""""" + +Flash Encryption (FE) is a hardware feature that requires the physical burning of eFuses: key and FLASH_CRYPT_CNT. If FE is not actually enabled then enabling the :ref:`CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH` option just gives testing possibilities and does not encrypt anything in the flash, even though the logs say encryption happens. The :cpp:func:`bootloader_flash_write` is adapted for this purpose. But if FE is already enabled on the chip and you run an application or bootloader created with the :ref:`CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH` option then the flash encryption/decryption operations will work properly (data are encrypted as it is written into an encrypted flash partition and decrypted when they are read from an encrypted partition). + espefuse.py ^^^^^^^^^^^