From 5aa5366e7fd29aeb19abb25ef00ef847baa64fa1 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Mon, 1 Sep 2025 15:44:29 +0530
Subject: [PATCH] fix(bootloader_support): Reorder write disabling ECDSA_CURVE_MODE
---
 .../src/esp32h2/secure_boot_secure_features.c | 6 ------
 .../src/esp32h21/secure_boot_secure_features.c | 4 ----
 components/esp_security/src/init.c | 16 ++++++++++++++++
 .../security-features-enablement-workflows.rst | 1 +
 4 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c b/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c
index cb1f69f8cf..9798c7e73b 100644
--- a/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c
@@ -37,12 +37,6 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
-#ifdef SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
- if (ecdsa_ll_is_configurable_curve_supported()) {
- esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
- }
-#endif
-
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
 ESP_LOGI(TAG, "Disable hardware & software JTAG...");
 esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
diff --git a/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c b/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c
index 86b501cc20..a63f05d6c6 100644
--- a/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c
@@ -36,10 +36,6 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
-#ifdef SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
- esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
-#endif
-
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
 ESP_LOGI(TAG, "Disable hardware & software JTAG...");
 esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c
index 56e812c4cf..e133b5a890 100644
--- a/components/esp_security/src/init.c
+++ b/components/esp_security/src/init.c
@@ -22,6 +22,10 @@
 #include "hal/key_mgr_ll.h"
 #endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */
+#if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
+#include "hal/ecdsa_ll.h"
+#endif /* SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED */
+
 __attribute__((unused)) static const char *TAG = "esp_security";
 static void esp_key_mgr_init(void)
@@ -73,6 +77,18 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
 #endif
 #if CONFIG_SECURE_BOOT_V2_ENABLED
+// H2, H21
+#if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
+ // Also write protects the ECDSA_CURVE_MODE efuse bit.
+ if (ecdsa_ll_is_configurable_curve_supported()) {
+ err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Failed to write protect the ECDSA_CURVE_MODE efuse bit.");
+ return err;
+ }
+ }
+#endif
+
 #if !CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA
 // C5
 #if SOC_ECDSA_SUPPORT_CURVE_P384 && !CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS
diff --git a/docs/en/security/security-features-enablement-workflows.rst b/docs/en/security/security-features-enablement-workflows.rst
index 2dd5283e05..410ca426aa 100644
--- a/docs/en/security/security-features-enablement-workflows.rst
+++ b/docs/en/security/security-features-enablement-workflows.rst
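Review bot: The new WR_DIS_ECDSA_CURVE_MODE burn in esp_security_init is gated only by `SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED`, whereas the neighbouring WR_DIS_SECURE_BOOT_SHA384_EN burn sits under `#if !CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA`; the docs hunk in this same patch says the ECDSA_CURVE_MODE write-disable bit is shared with ECC_FORCE_CONST_TIME, so burning it unconditionally on the first secure-boot app boot appears to lock out a product that set that Kconfig precisely so it could configure ECC_FORCE_CONST_TIME later. If that reading is right, the guard should be `#if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED && !CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA` (or the block moved inside the existing SCA guard a few lines below). The comment `// Also write protects the ECDSA_CURVE_MODE efuse bit.` should also record why the burn now happens here instead of in the bootloader, e.g. `// WR_DIS_ECDSA_CURVE_MODE shares its write-disable bit with ECC_FORCE_CONST_TIME; burn it only once ECC_FORCE_CONST_TIME is configured (see security-features-enablement-workflows.rst).` Note that the early `return err;` on a failed burn skips every write-protection that follows in this function, which is worth confirming is intended rather than logging and continuing. The enclosing ESP_SYSTEM_INIT_FN body starts and ends outside the hunk.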
@@ -500,6 +500,7 @@ In this workflow we shall use ``espsecure`` tool to generate signing keys and us
 :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG.
 :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently.
 :SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS: - ``SECURE_BOOT_AGGRESSIVE_REVOKE``: Aggressive revocation of key digests, see :ref:`secure-boot-v2-aggressive-key-revocation` for more details.
+ :SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED: - ``WR_DIS_ECDSA_CURVE_MODE``: Disable writing to the ECDSA curve mode eFuse bit (As this write protection bit is shared with ECC_FORCE_CONST_TIME, it is recommended to write protect this bit only after configuring the ECC_FORCE_CONST_TIME efuse).
 :SOC_ECDSA_SUPPORT_CURVE_P384: - ``WR_DIS_SECURE_BOOT_SHA384_EN``: Disable writing to the SHA-384 secure boot eFuse bit (As this write protection bit is shared with XTS_DPA_PSEUDO_LEVEL and ECC_FORCE_CONST_TIME, it is recommended to write protect this bit only after configuring all the other shared efuses).
 The respective eFuses can be burned by running: