From c627a1b6a0d65fbf62146a114634082a56eb95e4 Mon Sep 17 00:00:00 2001 From: Ivan Grokhotkov Date: Fri, 17 Jul 2020 21:00:43 +0200 Subject: [PATCH 1/3] ci: add build test for CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE --- .../system/build_test/sdkconfig.ci.flash_encryption_release | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release diff --git a/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release new file mode 100644 index 0000000000..47e4a657c6 --- /dev/null +++ b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release @@ -0,0 +1,2 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y From c943516c9652613e618de103c7044b5dfae419ec Mon Sep 17 00:00:00 2001 From: Ivan Grokhotkov Date: Fri, 17 Jul 2020 19:14:22 +0200 Subject: [PATCH 2/3] esp_system: fix compilation error when security features are enabled affects CONFIG_SECURE_DISABLE_ROM_DL_MODE, CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE --- components/esp_system/startup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/esp_system/startup.c b/components/esp_system/startup.c index 05d74b6470..d1c8f06c18 100644 --- a/components/esp_system/startup.c +++ b/components/esp_system/startup.c @@ -229,6 +229,8 @@ static void IRAM_ATTR do_core_init(void) esp_flash_encryption_init_checks(); #endif + esp_err_t err; + #if CONFIG_SECURE_DISABLE_ROM_DL_MODE err = esp_efuse_disable_rom_download_mode(); assert(err == ESP_OK && "Failed to disable ROM download mode"); @@ -243,8 +245,6 @@ static void IRAM_ATTR do_core_init(void) esp_efuse_disable_basic_rom_console(); #endif - esp_err_t err; - esp_timer_init(); esp_set_time_from_rtc(); From eff6a1eaab4683b62879b08ddae4c0134d8f3aa6 Mon Sep 17 00:00:00 2001 From: Ivan Grokhotkov Date: Fri, 17 Jul 2020 20:50:51 +0200 Subject: [PATCH 3/3] bootloader: fix SECURE_TARGET_HAS_SECURE_ROM_DL_MODE enabled for esp32 --- components/bootloader/Kconfig.projbuild | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index b0dc4881bb..aa09d41d1c 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -320,6 +320,11 @@ menu "Security features" select MBEDTLS_ECDSA_C depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE + config SECURE_TARGET_HAS_SECURE_ROM_DL_MODE + bool + default y + depends on IDF_TARGET_ESP32S2 + config SECURE_SIGNED_APPS_NO_SECURE_BOOT bool "Require signed app images" @@ -587,7 +592,7 @@ menu "Security features" config SECURE_FLASH_ENCRYPTION_MODE_RELEASE bool "Release" - select SECURE_ENABLE_SECURE_ROM_DL_MODE + select SECURE_ENABLE_SECURE_ROM_DL_MODE if SECURE_TARGET_HAS_SECURE_ROM_DL_MODE endchoice @@ -719,7 +724,7 @@ menu "Security features" config SECURE_ENABLE_SECURE_ROM_DL_MODE bool "Permanently switch to ROM UART Secure Download mode" - depends on IDF_TARGET_ESP32S2 && !SECURE_DISABLE_ROM_DL_MODE + depends on SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_DISABLE_ROM_DL_MODE help If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM Download Mode into a separate Secure Download mode. This option can only work if