Merge branch 'fix/remove_warning_when_disabling_rom_dl_mode_v4.4' into 'release/v4.4'

secure_boot: Fix warning when UART ROM DL mode is disabled (v4.4)

See merge request espressif/esp-idf!16228

components/bootloader_support/src/esp32/secure_boot_secure_features.c

@@ -79,7 +79,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
         return err;
     }
 #else
-    ESP_LOGW(TAG, "Not disabling ROM Download mode - SECURITY COMPROMISED");
+    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 
 #ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS

components/bootloader_support/src/esp32c3/secure_boot_secure_features.c

@@ -20,9 +20,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
     ESP_LOGI(TAG, "Enabling Security download mode...");
-    esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+    esp_err_t err = esp_efuse_enable_rom_secure_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not enable Security download mode...");
+        return err;
+    }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+    ESP_LOGI(TAG, "Disable ROM Download mode...");
+    esp_err_t err = esp_efuse_disable_rom_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+        return err;
+    }
 #else
-    ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG

components/bootloader_support/src/esp32h2/secure_boot.c

@@ -250,11 +250,23 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
 
+    esp_err_t err = ESP_FAIL;
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
     ESP_LOGI(TAG, "Enabling Security download mode...");
-    esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+    err = esp_efuse_enable_rom_secure_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not enable Security download mode...");
+        return err;
+    }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+    ESP_LOGI(TAG, "Disable ROM Download mode...");
+    err = esp_efuse_disable_rom_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+        return err;
+    }
 #else
-    ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
@@ -272,7 +284,7 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 
     esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
 
-    esp_err_t err = esp_efuse_batch_write_commit();
+    err = esp_efuse_batch_write_commit();
     if (err != ESP_OK) {
         ESP_LOGE(TAG, "Error programming security eFuses (err=0x%x).", err);
         return err;

components/bootloader_support/src/esp32s2/secure_boot_secure_features.c

@@ -21,9 +21,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
     ESP_LOGI(TAG, "Enabling Security download mode...");
-    esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+    esp_err_t err = esp_efuse_enable_rom_secure_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not enable Security download mode...");
+        return err;
+    }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+    ESP_LOGI(TAG, "Disable ROM Download mode...");
+    esp_err_t err = esp_efuse_disable_rom_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+        return err;
+    }
 #else
-    ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG

components/bootloader_support/src/esp32s3/secure_boot_secure_features.c

@@ -20,9 +20,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
 #ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
     ESP_LOGI(TAG, "Enabling Security download mode...");
-    esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+    esp_err_t err = esp_efuse_enable_rom_secure_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not enable Security download mode...");
+        return err;
+    }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+    ESP_LOGI(TAG, "Disable ROM Download mode...");
+    esp_err_t err = esp_efuse_disable_rom_download_mode();
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+        return err;
+    }
 #else
-    ESP_LOGW(TAG, "Not enabling Security download mode - SECURITY COMPROMISED");
+    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG

examples/system/efuse/example_test.py

@@ -385,7 +385,7 @@ def test_examples_efuse_with_virt_secure_boot_v2(env, _):  # type: (ttfw_idf.Tin
     dut.expect('secure_boot_v2: blowing secure boot efuse...')
     dut.expect('Disable JTAG...')
     dut.expect('Disable ROM BASIC interpreter fallback...')
-    dut.expect('Not disabling ROM Download mode - SECURITY COMPROMISED')
+    dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
     dut.expect('Prevent read disabling of additional efuses...')
     dut.expect('secure_boot_v2: Secure boot permanently enabled')
 
@@ -449,7 +449,7 @@ def test_examples_efuse_with_virt_secure_boot_v2_pre_loaded(env, _):  # type: (t
     dut.expect('secure_boot_v2: blowing secure boot efuse...')
     dut.expect('Disable JTAG...')
     dut.expect('Disable ROM BASIC interpreter fallback...')
-    dut.expect('Not disabling ROM Download mode - SECURITY COMPROMISED')
+    dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
     dut.expect('Prevent read disabling of additional efuses...')
     dut.expect('secure_boot_v2: Secure boot permanently enabled')
 
@@ -508,7 +508,7 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(env, _):  # type: (ttfw
     dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...')
     dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...')
     dut.expect('secure_boot_v2: blowing secure boot efuse...')
-    dut.expect('Not enabling Security download mode - SECURITY COMPROMISED')
+    dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
     dut.expect('Disable hardware & software JTAG...')
     dut.expect('secure_boot_v2: Secure boot permanently enabled')
 
@@ -570,7 +570,7 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx_pre_loaded(env, _):  #
     dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...')
 
     dut.expect('secure_boot_v2: blowing secure boot efuse...')
-    dut.expect('Not enabling Security download mode - SECURITY COMPROMISED')
+    dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
     dut.expect('Disable hardware & software JTAG...')
     dut.expect('secure_boot_v2: Secure boot permanently enabled')
 
@@ -691,7 +691,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(env, _):  # type: (ttfw_idf.TinyF
     dut.expect('secure_boot_v2: blowing secure boot efuse...')
     dut.expect('Disable JTAG...')
     dut.expect('Disable ROM BASIC interpreter fallback...')
-    dut.expect('Not disabling ROM Download mode - SECURITY COMPROMISED')
+    dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
     dut.expect('secure_boot_v2: Secure boot permanently enabled')
 
     dut.expect('Checking flash encryption...')
@@ -769,7 +769,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(env, _):  # type: (ttfw_i
     dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...')
     dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...')
     dut.expect('secure_boot_v2: blowing secure boot efuse...')
-    dut.expect('Not enabling Security download mode - SECURITY COMPROMISED')
+    dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
     dut.expect('Disable hardware & software JTAG...')
     dut.expect('secure_boot_v2: Secure boot permanently enabled')