diff --git a/components/bootloader_support/src/esp32/secure_boot.c b/components/bootloader_support/src/esp32/secure_boot.c
index 411c4cf38f..a8110b3a2e 100644
--- a/components/bootloader_support/src/esp32/secure_boot.c
+++ b/components/bootloader_support/src/esp32/secure_boot.c
@@ -352,6 +352,7 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4 * i, boot_public_key_digest_ptr[i]);
 ESP_LOGD(TAG, "EFUSE_BLKx_WDATA%d_REG = 0x%08x", i, boot_public_key_digest_ptr[i]);
 }
+ // delay burning until second half of this function
 } else {
 uint32_t efuse_blk2_digest[8];
@@ -367,14 +368,11 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 ESP_LOGW(TAG, "Using pre-loaded secure boot v2 public key digest in EFUSE block 2");
 }
+ // This case is needed either if a pre-burned digest is present but not write-protected,
+ // or if we are burning the digest now
 if (efuse_key_write_protected == false) {
 ESP_LOGI(TAG, "Write protecting public key digest...");
- ret = esp_efuse_set_write_protect(EFUSE_BLK2);
- if (ret != ESP_OK) {
- ESP_LOGE(TAG, "Write protecting public key digest...failed.");
- return ret;
- }
- efuse_key_write_protected = true;
+ new_wdata0 |= EFUSE_WR_DIS_BLK2; // delay burning until second half of this function
 }
 uint8_t app_pub_key_digest[DIGEST_LEN];
@@ -394,10 +392,6 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 ESP_LOGE(TAG, "Efuse BLK2 (public key digest) is read protected. Refusing to blow secure boot efuse.");
 return ESP_ERR_INVALID_STATE;
 }
- if (!efuse_key_write_protected) {
- ESP_LOGE(TAG, "Efuse BLK2 (public key digest) is not write protected. Refusing to blow secure boot efuse.");
- return ESP_ERR_INVALID_STATE;
- }
 ESP_LOGI(TAG, "blowing secure boot efuse...");
 ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
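Review bot: The comment added after the `EFUSE_BLK2_WDATA` loop in the first hunk should spell out what the deferral means for error paths. The digest words are now only staged, and the function still has early returns before the burn; the `return ESP_ERR_INVALID_STATE` for a read-protected BLK2 is visible in the third hunk. Whether anything clears those staged registers on such a return, or whether a later burn could commit them, cannot be seen here because the function starts and ends outside the hunk. I would expand the comment to `// digest is only staged in WDATA here; it is committed by the later burn together with the write-protect bit` and confirm that the failure paths cannot leave the pending values to be burned afterwards.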
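Review bot: In the second hunk `ESP_LOGI(TAG, "Write protecting public key digest...")` now runs when `EFUSE_WR_DIS_BLK2` is only OR-ed into `new_wdata0`, and the removed `ESP_LOGE`/`return ret` path was the only place in this hunk that reported a failed write protect. `efuse_key_write_protected` is also no longer set to true here, so any later reader of that flag sees the pre-burn state. I would reword the message to say the bit is being staged, for example `ESP_LOGI(TAG, "Staging write protection of public key digest...");`. After the deferred burn, the write-disable bits should be read back and an error returned if `EFUSE_WR_DIS_BLK2` is not set. That read-back would sit outside this hunk, so it may already exist in code not shown.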
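Review bot: Dropping the `!efuse_key_write_protected` refusal in the third hunk removes the last visible check that the BLK2 digest ends up write-protected when the secure boot efuse is blown. The guarantee now rests entirely on `new_wdata0` carrying `EFUSE_WR_DIS_BLK2` into the same burn, and a digest block left writable could still have further bits burned after secure boot is enabled. A fail-closed replacement that does not depend on the stale flag would be `if (!efuse_key_write_protected && !(new_wdata0 & EFUSE_WR_DIS_BLK2)) return ESP_ERR_INVALID_STATE;`, placed where the old check was, with an `ESP_LOGE` in the style of the neighbouring one. The burn itself is outside the hunk, so this is a guard on the staged value only.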