flash encryption: Add config option to disable any plaintext reflashes

Enabled by default when Secure Boot is on, so Flash Encryption protection is always available in case of a Secure Boot bypass.
2025-10-04 19:10:58 +02:00 · 2019-06-12 11:03:42 +10:00
parent d1f40c15ac
commit ec331b3979
4 changed files with 67 additions and 15 deletions
--- a/components/esp32/cpu_start.c
+++ b/components/esp32/cpu_start.c
@@ -69,6 +69,7 @@
 #include "esp_clk_internal.h"
 #include "esp_timer.h"
 #include "esp_pm.h"
+#include "esp_flash_encrypt.h"
 #include "pm_impl.h"
 #include "trax.h"
 #include "bootloader_common.h"
@@ -329,6 +330,11 @@ void start_cpu0_default(void)
 #endif
 #if CONFIG_DISABLE_BASIC_ROM_CONSOLE
    esp_efuse_disable_basic_rom_console();
+#endif
+#ifdef CONFIG_FLASH_ENCRYPTION_DISABLE_PLAINTEXT
+    if (esp_flash_encryption_enabled()) {
+        esp_flash_write_protect_crypt_cnt();
+    }
 #endif
    rtc_gpio_force_hold_dis_all();
    esp_vfs_dev_uart_register();