Merge branch 'fix/mmu_psram_anti_fi' into 'master'

fix(security): add anti-FI checks while setting up PSRAM encryption Closes IDF-13761 See merge request espressif/esp-idf!41750
2025-10-02 18:10:57 +02:00 · 2025-09-30 21:18:01 +05:30
parent 053fb47e78 ad059d385b
commit b9cf9ea31f
6 changed files with 36 additions and 2 deletions
--- a/components/esp_hw_support/include/esp_fault.h
+++ b/components/esp_hw_support/include/esp_fault.h
--- a/components/hal/esp32c5/include/hal/mmu_ll.h
+++ b/components/hal/esp32c5/include/hal/mmu_ll.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -15,6 +15,7 @@
 #include "soc/soc_caps.h"
 #include "hal/assert.h"
 #include "hal/mmu_types.h"
+#include "esp_fault.h"
 #if SOC_EFUSE_SUPPORTED
 #include "hal/efuse_ll.h"
 #include "hal/efuse_hal.h"
@@ -225,6 +226,15 @@ __attribute__((always_inline)) static inline void mmu_ll_write_entry(uint32_t mm
    mmu_raw_value = mmu_val | SOC_MMU_VALID;
    REG_WRITE(SPI_MEM_MMU_ITEM_INDEX_REG(0), entry_id);
    REG_WRITE(SPI_MEM_MMU_ITEM_CONTENT_REG(0), mmu_raw_value);
+
+    // Anti-FI check to confirm the encryption status for PSRAM entry.
+    // This avoids a potential FI attacks to keep PSRAM unencrypted and
+    // hence read out plaintext in execute from PSRAM model.
+    if (mmu_ll_cache_encryption_enabled() && target == MMU_TARGET_PSRAM0 && efuse_hal_chip_revision() > 100) {
+        ESP_FAULT_ASSERT(REG_READ(SPI_MEM_MMU_ITEM_CONTENT_REG(0)) & SOC_MMU_SENSITIVE);
+    } else {
+        ESP_FAULT_ASSERT(!(mmu_ll_cache_encryption_enabled() && mmu_id == MMU_LL_PSRAM_MMU_ID && efuse_hal_chip_revision() > 100));
+    }
 }

 /**
--- a/components/hal/esp32c61/include/hal/mmu_ll.h
+++ b/components/hal/esp32c61/include/hal/mmu_ll.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -14,6 +14,7 @@
 #include "hal/mmu_types.h"
 #include "hal/efuse_ll.h"
 #include "hal/efuse_hal.h"
+#include "esp_fault.h"

 // TODO: [ESP32C61] IDF-9265, inherit from c6

@@ -227,6 +228,15 @@ __attribute__((always_inline)) static inline void mmu_ll_write_entry(uint32_t mm
    mmu_raw_value = mmu_val | SOC_MMU_VALID;
    REG_WRITE(SPI_MEM_MMU_ITEM_INDEX_REG(0), entry_id);
    REG_WRITE(SPI_MEM_MMU_ITEM_CONTENT_REG(0), mmu_raw_value);
+
+    // Anti-FI check to confirm the encryption status for PSRAM entry.
+    // This avoids a potential FI attacks to keep PSRAM unencrypted and
+    // hence read out plaintext in execute from PSRAM model.
+    if (mmu_ll_cache_encryption_enabled() && target == MMU_TARGET_PSRAM0 && efuse_hal_chip_revision() > 100) {
+        ESP_FAULT_ASSERT(REG_READ(SPI_MEM_MMU_ITEM_CONTENT_REG(0)) & SOC_MMU_SENSITIVE);
+    } else {
+        ESP_FAULT_ASSERT(!(mmu_ll_cache_encryption_enabled() && mmu_id == MMU_LL_PSRAM_MMU_ID && efuse_hal_chip_revision() > 100));
+    }
 }

 /**
--- a/components/hal/esp32p4/include/hal/mmu_ll.h
+++ b/components/hal/esp32p4/include/hal/mmu_ll.h
@@ -14,6 +14,7 @@
 #include "hal/assert.h"
 #include "hal/mmu_types.h"
 #include "hal/efuse_ll.h"
+#include "esp_fault.h"


 #ifdef __cplusplus
@@ -289,6 +290,15 @@ __attribute__((always_inline)) static inline void mmu_ll_write_entry(uint32_t mm

    REG_WRITE(index_reg, entry_id);
    REG_WRITE(content_reg, mmu_val);
+
+    // Anti-FI check to confirm the encryption status for PSRAM entry.
+    // This avoids a potential FI attacks to keep PSRAM unencrypted and
+    // hence read out plaintext in execute from PSRAM model.
+    if (mmu_ll_cache_encryption_enabled() && mmu_id == MMU_LL_PSRAM_MMU_ID) {
+        ESP_FAULT_ASSERT(REG_READ(content_reg) & SOC_MMU_PSRAM_SENSITIVE);
+    } else {
+        ESP_FAULT_ASSERT(!(mmu_ll_cache_encryption_enabled() && mmu_id == MMU_LL_PSRAM_MMU_ID));
+    }
 }

 /**
--- a/docs/en/migration-guides/release-6.x/6.0/system.rst
+++ b/docs/en/migration-guides/release-6.x/6.0/system.rst
@@ -60,6 +60,8 @@ The deprecated ``intr_types.h`` header file has been removed. Please include the

 The deprecated ``esp_private/interrupt_deprecated.h`` header file, previously accessible through ``riscv/interrupt.h`` header, has been removed. The deprecated functions are no longer available; please use the non-deprecated versions instead.

+The ``esp_fault.h`` header file has been moved from the ``esp_hw_support`` component to the ``esp_common`` component. If your application encounters build errors after this change, add ``esp_common`` to your component's ``REQUIRES`` or ``PRIV_REQUIRES`` list in ``CMakeLists.txt``.
+
 ROM Headers
 -----------

--- a/docs/zh_CN/migration-guides/release-6.x/6.0/system.rst
+++ b/docs/zh_CN/migration-guides/release-6.x/6.0/system.rst
@@ -60,6 +60,8 @@ Xtensa 特殊寄存器头文件已更新，使用新的命名约定。旧的 ``s

 已弃用的头文件 ``esp_private/interrupt_deprecated.h`` （此前通过 ``riscv/interrupt.h`` 头文件提供）已被移除。相关已弃用的函数不再可用，请改用非弃用版本。

+头文件 ``esp_fault.h`` 已从 ``esp_hw_support`` 组件移动到 ``esp_common`` 组件。如果应用程序在此更改后遇到构建错误，请在 ``CMakeLists.txt`` 中将 ``esp_common`` 添加到组件的 ``REQUIRES`` 或 ``PRIV_REQUIRES`` 列表中。
+
 ROM 头文件
 -----------