From 086766d83be58213b9a70ee885250b40cbaaa064 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Tue, 24 Jan 2023 01:20:16 +0800
Subject: [PATCH 1/3] examples(efuse): Set CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE For efuse example test, we set CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y by default because in the python test we expect secure boot is in RELEASE mode
---
 examples/system/efuse/pytest_system_efuse_example.py | 4 ++--
 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32 | 1 +
 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2 | 1 +
 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3 | 1 +
 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2 | 1 +
 5 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/examples/system/efuse/pytest_system_efuse_example.py b/examples/system/efuse/pytest_system_efuse_example.py
index 327355e95c..996a7b1cf5 100644
--- a/examples/system/efuse/pytest_system_efuse_example.py
+++ b/examples/system/efuse/pytest_system_efuse_example.py
@@ -818,7 +818,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None:
 dut.expect('secure_boot_v2: blowing secure boot efuse...')
 dut.expect('Disable JTAG...')
 dut.expect('Disable ROM BASIC interpreter fallback...')
- dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
+ dut.expect('Disable ROM Download mode...')
 dut.expect('secure_boot_v2: Secure boot permanently enabled')
 dut.expect('Checking flash encryption...')
@@ -900,7 +900,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None:
 dut.expect_exact('secure_boot_v2: Revoking empty key digest slot (1)...')
 dut.expect_exact('secure_boot_v2: Revoking empty key digest slot (2)...')
 dut.expect('secure_boot_v2: blowing secure boot efuse...')
- dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED')
+ dut.expect('Enabling Security download mode...')
 dut.expect('Disable hardware & software JTAG...')
 if dut.app.target != 'esp32c2':
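Review bot: In the `@@ -818` hunk the new expectation is passed to `dut.expect`, which as far as I know treats a string argument as a regular expression, so the trailing `...` matches any three characters rather than the literal ellipsis of the bootloader message. This line is the test's only evidence that ROM download mode was locked down, so a literal match is the safer check: `dut.expect_exact('Disable ROM Download mode...')`, and likewise `dut.expect_exact('Enabling Security download mode...')` in the `@@ -900` hunk, where the neighbouring lines already use `expect_exact`. Both test functions start and end outside their hunks.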
diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32
index 4abf5fcc95..271310afca 100644
--- a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32
+++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32
@@ -13,6 +13,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
 CONFIG_SECURE_BOOT=y
 CONFIG_SECURE_BOOT_V2_ENABLED=y
 CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_DISABLE_ROM_DL_MODE=y
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2
index 2be2ad7ea4..2232a13055 100644
--- a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2
+++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2
@@ -9,6 +9,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
 CONFIG_SECURE_BOOT=y
 CONFIG_SECURE_BOOT_V2_ENABLED=y
 CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key_ecdsa_nistp256.pem"
+CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3
index 04c2764dfd..9ba5277387 100644
--- a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3
+++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3
@@ -13,6 +13,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
 CONFIG_SECURE_BOOT=y
 CONFIG_SECURE_BOOT_V2_ENABLED=y
 CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2
index 1ba66bfa5a..14cf4f2d95 100644
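Review bot: The esp32 config adds `CONFIG_SECURE_DISABLE_ROM_DL_MODE=y`, while the commit title and the esp32c2, esp32c3 and esp32s2 hunks add `CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y`, and neither the file nor the commit message says why this target differs. The updated test expectations suggest it is intentional (the esp32 test waits for 'Disable ROM Download mode...', the esp32xx test for 'Enabling Security download mode...'), so a one-line comment above the option would record it, for example `# ESP32: ROM download mode is disabled outright; the other targets switch to Secure Download mode`. Since these options presumably map to one-way eFuse settings on real hardware, the same comment could note that this file is meant for the emulated-eFuse CI build only.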
--- a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2
+++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2
@@ -9,6 +9,7 @@ CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
 CONFIG_SECURE_BOOT=y
 CONFIG_SECURE_BOOT_V2_ENABLED=y
 CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
From 73d756d073eabe902478ce62d40d8efe312221d2 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Tue, 24 Jan 2023 18:16:19 +0800
Subject: [PATCH 2/3] bootloader_support(esp32c2): Fix esp_secure_boot_cfg_verify_release_mode API When FE and SB keys are set then: - 128 low bits are read protected - 128 hi bits are readable
---
 components/bootloader_support/src/secure_boot.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
index 0b5bab46fc..5e9b8832fc 100644
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -363,7 +363,11 @@ bool esp_secure_boot_cfg_verify_release_mode(void)
 }
 #endif
 ++num_keys;
+#if SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
+ secure = !esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_KEY0_HI);
+#else
 secure = !esp_efuse_get_key_dis_read(block);
+#endif // !SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 result &= secure;
 if (!secure) {
 ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block);
From 74f26b1e198fa3b448a2fb41982b22199a4ecf76 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Tue, 24 Jan 2023 19:52:26 +0800
Subject: [PATCH 3/3] examples(efuse): Tests can be run on generic runners
---
 examples/system/efuse/pytest_system_efuse_example.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
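Review bot: The new `#if SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK` branch in the secure_boot.c hunk ignores `block` and tests the fixed field `ESP_EFUSE_RD_DIS_KEY0_HI`, and the reason is stated only in the commit message. Because this line decides whether the release-mode check passes, the rationale belongs next to it, e.g. `// Single key block: the low 128 bits are read-protected once FE and SB keys are set, the high 128 bits must stay readable, so only RD_DIS_KEY0_HI is checked`. The `ESP_LOGE` that follows still reports `BLOCK%d` only, so on this path the message does not say that just the high half was examined; that may be worth a follow-up. The body of esp_secure_boot_cfg_verify_release_mode starts and ends outside the hunk.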
diff --git a/examples/system/efuse/pytest_system_efuse_example.py b/examples/system/efuse/pytest_system_efuse_example.py
index 996a7b1cf5..7ee1a3e06e 100644
--- a/examples/system/efuse/pytest_system_efuse_example.py
+++ b/examples/system/efuse/pytest_system_efuse_example.py
@@ -355,6 +355,7 @@ def test_examples_efuse_with_virt_secure_boot_v1_pre_loaded(dut: Dut) -> None:
 dut.expect('example: Done')
+@pytest.mark.generic
 @pytest.mark.esp32
 @pytest.mark.parametrize('config', [('virt_secure_boot_v2.esp32'),], indirect=True)
 @pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
@@ -470,15 +471,16 @@ def test_examples_efuse_with_virt_secure_boot_v2(dut: Dut) -> None:
 dut.expect('example: Done')
+@pytest.mark.generic
 @pytest.mark.esp32
 @pytest.mark.parametrize('config', [('virt_secure_boot_v2.esp32'),], indirect=True)
 @pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
 def test_examples_efuse_with_virt_secure_boot_v2_pre_loaded(dut: Dut) -> None:
 print(' - Erase flash')
- dut.erase_flash()
+ dut.serial.erase_flash()
 print(' - Flash bootloader and app')
- dut.bootloader_flash()
+ dut.serial.bootloader_flash()
 print(' - Start app (flash partition_table and app)')
 dut.serial.flash()
 dut.expect('Loading virtual efuse blocks from real efuses')
@@ -778,6 +780,7 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(dut: Dut) -> None:
 dut.expect('example: Done')
+@pytest.mark.generic
 @pytest.mark.esp32
 @pytest.mark.parametrize('config', ['virt_sb_v2_and_fe.esp32',], indirect=True)
 @pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
@@ -948,6 +951,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None:
 dut.expect('example: Done')
+@pytest.mark.generic
 @pytest.mark.esp32c3
 @pytest.mark.parametrize('config', ['virt_sb_v2_and_fe.esp32c3'], indirect=True)
 @pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
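Review bot: Adding `@pytest.mark.generic` moves tests that erase flash and walk through secure-boot and flash-encryption enablement onto shared runners, and the only safeguard visible in these hunks is the `virt_*` config name. In the `@@ -470` hunk the test does wait for 'Loading virtual efuse blocks from real efuses' right after flashing; it is worth confirming that every other newly marked test (`@@ -355`, `@@ -780`, `@@ -948` and the three wrapper tests that follow) also asserts a virtual-eFuse line before its first 'blowing' or 'Disable' expectation, so a config that fell back to real eFuses is caught on the first run. A short comment above the marker, e.g. `# generic runner is fine: eFuses are emulated by the virt_* config`, would record the assumption. The decorated functions continue outside the hunks.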
@@ -955,6 +959,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32c3(dut: Dut) -> None:
 test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut)
+@pytest.mark.generic
 @pytest.mark.esp32c2
 @pytest.mark.parametrize('config', ['virt_sb_v2_and_fe.esp32c2'], indirect=True)
 @pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)
@@ -962,6 +967,7 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32c2(dut: Dut) -> None:
 test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut)
+@pytest.mark.generic
 @pytest.mark.esp32s2
 @pytest.mark.parametrize('config', ['virt_sb_v2_and_fe.esp32s2'], indirect=True)
 @pytest.mark.parametrize('skip_autoflash', ['y'], indirect=True)