espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-30 18:57:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

secure boot: Fix regression enabling secure boot v2

Browse Source 
Regression in 18b4ae2a65 - write-protecting BLK2 caused write
registers to be cleared, so key digest was all zeroes.
This commit is contained in:
Angus Gratton
2020-12-15 15:12:23 +11:00
parent f4739d69ab
commit c9307cb16e
1 changed files with 4 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
components/bootloader_support/src/esp32/secure_boot.c
View File

@ -352,6 +352,7 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4 * i, boot_public_key_digest_ptr[i]); REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4 * i, boot_public_key_digest_ptr[i]);
ESP_LOGD(TAG, "EFUSE_BLKx_WDATA%d_REG = 0x%08x", i, boot_public_key_digest_ptr[i]); ESP_LOGD(TAG, "EFUSE_BLKx_WDATA%d_REG = 0x%08x", i, boot_public_key_digest_ptr[i]);
} }
// delay burning until second half of this function
} else { } else {
uint32_t efuse_blk2_digest[8]; uint32_t efuse_blk2_digest[8];
@ -367,14 +368,11 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
ESP_LOGW(TAG, "Using pre-loaded secure boot v2 public key digest in EFUSE block 2"); ESP_LOGW(TAG, "Using pre-loaded secure boot v2 public key digest in EFUSE block 2");
} }
// This case is needed either if a pre-burned digest is present but not write-protected,
// or if we are burning the digest now
if (efuse_key_write_protected == false) { if (efuse_key_write_protected == false) {
ESP_LOGI(TAG, "Write protecting public key digest..."); ESP_LOGI(TAG, "Write protecting public key digest...");
ret = esp_efuse_set_write_protect(EFUSE_BLK2); new_wdata0 |= EFUSE_WR_DIS_BLK2; // delay burning until second half of this function
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Write protecting public key digest...failed.");
return ret;
}
efuse_key_write_protected = true;
} }
uint8_t app_pub_key_digest[DIGEST_LEN]; uint8_t app_pub_key_digest[DIGEST_LEN];
@ -394,10 +392,6 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
ESP_LOGE(TAG, "Efuse BLK2 (public key digest) is read protected. Refusing to blow secure boot efuse."); ESP_LOGE(TAG, "Efuse BLK2 (public key digest) is read protected. Refusing to blow secure boot efuse.");
return ESP_ERR_INVALID_STATE; return ESP_ERR_INVALID_STATE;
} }
if (!efuse_key_write_protected) {
ESP_LOGE(TAG, "Efuse BLK2 (public key digest) is not write protected. Refusing to blow secure boot efuse.");
return ESP_ERR_INVALID_STATE;
}
ESP_LOGI(TAG, "blowing secure boot efuse..."); ESP_LOGI(TAG, "blowing secure boot efuse...");
ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG)); ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));