diff --git a/components/bootloader_support/src/esp32/secure_boot.c b/components/bootloader_support/src/esp32/secure_boot.c index 1e8dfe9906..e54e65b6c0 100644 --- a/components/bootloader_support/src/esp32/secure_boot.c +++ b/components/bootloader_support/src/esp32/secure_boot.c @@ -34,6 +34,7 @@ #include "esp_secure_boot.h" #include "esp_flash_encrypt.h" #include "esp_efuse.h" +#include "esp_efuse_table.h" /* The following API implementations are used only when called * from the bootloader code. @@ -290,9 +291,6 @@ done: esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data) { - uint32_t new_wdata0 = 0; - uint32_t new_wdata6 = 0; - ESP_LOGI(TAG, "enabling secure boot v2..."); esp_err_t ret; if (esp_secure_boot_enabled()) { @@ -300,6 +298,12 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag return ESP_OK; } + ret = esp_efuse_batch_write_begin(); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Error batch programming security eFuses."); + return ret; + } + uint32_t coding_scheme = REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_CODING_SCHEME); if (coding_scheme != EFUSE_CODING_SCHEME_VAL_NONE) { ESP_LOGE(TAG, "No coding schemes are supported in secure boot v2.(Detected scheme: 0x%x)", coding_scheme); @@ -336,14 +340,19 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag } ESP_LOGI(TAG, "Burning public key hash to efuse."); - uint32_t *boot_public_key_digest_ptr = (uint32_t *) boot_pub_key_digest; - for (int i = 0; i < 8 ; i++) { - REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4 * i, boot_public_key_digest_ptr[i]); - ESP_LOGD(TAG, "EFUSE_BLKx_WDATA%d_REG = 0x%08x", i, boot_public_key_digest_ptr[i]); + ret = esp_efuse_write_block(EFUSE_BLK2, boot_pub_key_digest, 0, (DIGEST_LEN * 8)); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Writing public key hash to efuse failed."); + return ret; } ESP_LOGI(TAG, "Write protecting public key digest..."); - new_wdata0 |= EFUSE_WR_DIS_BLK2; + ret = esp_efuse_set_write_protect(EFUSE_BLK2); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Write protecting public key digest...failed."); + return ret; + } + efuse_key_write_protected = true; efuse_key_read_protected = false; } else { @@ -375,26 +384,38 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag ESP_LOGI(TAG, "blowing secure boot efuse..."); ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG)); - new_wdata6 |= EFUSE_RD_ABS_DONE_1; + ret = esp_efuse_write_field_bit(ESP_EFUSE_ABS_DONE_1); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Blowing secure boot efuse...failed."); + return ret; + } #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG ESP_LOGI(TAG, "Disable JTAG..."); - new_wdata6 |= EFUSE_RD_DISABLE_JTAG; + ret = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_JTAG); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Disable JTAG...failed."); + return ret; + } #else ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED"); #endif #ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback..."); - new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE; + ret = esp_efuse_write_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Disable ROM BASIC interpreter fallback...failed."); + return ret; + } #else ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED"); #endif #ifdef CONFIG_SECURE_DISABLE_ROM_DL_MODE ESP_LOGI(TAG, "Disable ROM Download mode..."); - esp_err_t err = esp_efuse_disable_rom_download_mode(); - if (err != ESP_OK) { + ret = esp_efuse_disable_rom_download_mode(); + if (ret != ESP_OK) { ESP_LOGE(TAG, "Could not disable ROM Download mode..."); return ESP_FAIL; } @@ -411,15 +432,21 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); - new_wdata0 |= EFUSE_WR_DIS_RD_DIS; + ret = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Prevent read disabling of additional efuses...failed."); + return ret; + } } #else ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED"); #endif - REG_WRITE(EFUSE_BLK0_WDATA0_REG, new_wdata0); - REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6); - esp_efuse_burn_new_values(); + ret = esp_efuse_batch_write_commit(); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Error programming security eFuses."); + return ret; + } uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG); ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA0 0x%08x EFUSE_BLK0_RDATA6 0x%08x", REG_READ(EFUSE_BLK0_RDATA0_REG), after); diff --git a/components/efuse/esp32/esp_efuse_table.c b/components/efuse/esp32/esp_efuse_table.c index 3cbd746c6b..98d46d2f2b 100644 --- a/components/efuse/esp32/esp_efuse_table.c +++ b/components/efuse/esp32/esp_efuse_table.c @@ -17,7 +17,7 @@ #include #include "esp_efuse_table.h" -// md5_digest_table 11b691b6fa8546a3862a7a876be5f758 +// md5_digest_table 8c9f6537b47cc5b26a1a5896158c612a // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // If you want to change some fields, you need to change esp_efuse_table.csv file // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. @@ -64,7 +64,11 @@ static const esp_efuse_desc_t SECURE_BOOT_KEY[] = { }; static const esp_efuse_desc_t ABS_DONE_0[] = { - {EFUSE_BLK0, 196, 1}, // Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0, + {EFUSE_BLK0, 196, 1}, // Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0, +}; + +static const esp_efuse_desc_t ABS_DONE_1[] = { + {EFUSE_BLK0, 197, 1}, // Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1, }; static const esp_efuse_desc_t ENCRYPT_FLASH_KEY[] = { @@ -103,6 +107,10 @@ static const esp_efuse_desc_t UART_DOWNLOAD_DIS[] = { {EFUSE_BLK0, 27, 1}, // Disable UART download mode. Valid for ESP32 V3 and newer, }; +static const esp_efuse_desc_t WR_DIS_EFUSE_RD_DISABLE[] = { + {EFUSE_BLK0, 0, 1}, // Write protection for EFUSE_RD_DISABLE, +}; + static const esp_efuse_desc_t WR_DIS_FLASH_CRYPT_CNT[] = { {EFUSE_BLK0, 2, 1}, // Flash encrypt. Write protection FLASH_CRYPT_CNT, }; @@ -235,7 +243,12 @@ const esp_efuse_desc_t* ESP_EFUSE_SECURE_BOOT_KEY[] = { }; const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[] = { - &ABS_DONE_0[0], // Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0 + &ABS_DONE_0[0], // Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0 + NULL +}; + +const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_1[] = { + &ABS_DONE_1[0], // Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1 NULL }; @@ -284,6 +297,11 @@ const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[] = { NULL }; +const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[] = { + &WR_DIS_EFUSE_RD_DISABLE[0], // Write protection for EFUSE_RD_DISABLE + NULL +}; + const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[] = { &WR_DIS_FLASH_CRYPT_CNT[0], // Flash encrypt. Write protection FLASH_CRYPT_CNT NULL diff --git a/components/efuse/esp32/esp_efuse_table.csv b/components/efuse/esp32/esp_efuse_table.csv index ef790062b2..30f93dc660 100644 --- a/components/efuse/esp32/esp_efuse_table.csv +++ b/components/efuse/esp32/esp_efuse_table.csv @@ -29,7 +29,8 @@ MAC_CUSTOM_VER, EFUSE_BLK3, 184, 8, Custom MAC version # Security boot # ################# SECURE_BOOT_KEY, EFUSE_BLK2, 0, MAX_BLK_LEN, Security boot. Key. (length = "None" - 256. "3/4" - 192. "REPEAT" - 128) -ABS_DONE_0, EFUSE_BLK0, 196, 1, Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0 +ABS_DONE_0, EFUSE_BLK0, 196, 1, Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0 +ABS_DONE_1, EFUSE_BLK0, 197, 1, Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1 # Flash encrypt # ################# @@ -48,6 +49,7 @@ UART_DOWNLOAD_DIS, EFUSE_BLK0, 27, 1, Disable UART download mode. # Write protection # #################### +WR_DIS_EFUSE_RD_DISABLE,EFUSE_BLK0, 0, 1, Write protection for EFUSE_RD_DISABLE WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0, 2, 1, Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT WR_DIS_BLK1, EFUSE_BLK0, 7, 1, Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1 WR_DIS_BLK2, EFUSE_BLK0, 8, 1, Security boot. Write protection security key. EFUSE_WR_DIS_BLK2 diff --git a/components/efuse/esp32/include/esp_efuse_table.h b/components/efuse/esp32/include/esp_efuse_table.h index e818083912..3afd9a483e 100644 --- a/components/efuse/esp32/include/esp_efuse_table.h +++ b/components/efuse/esp32/include/esp_efuse_table.h @@ -17,7 +17,7 @@ extern "C" { #endif -// md5_digest_table 11b691b6fa8546a3862a7a876be5f758 +// md5_digest_table 8c9f6537b47cc5b26a1a5896158c612a // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // If you want to change some fields, you need to change esp_efuse_table.csv file // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. @@ -31,6 +31,7 @@ extern const esp_efuse_desc_t* ESP_EFUSE_MAC_CUSTOM[]; extern const esp_efuse_desc_t* ESP_EFUSE_MAC_CUSTOM_VER[]; extern const esp_efuse_desc_t* ESP_EFUSE_SECURE_BOOT_KEY[]; extern const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[]; +extern const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_1[]; extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_FLASH_KEY[]; extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_CONFIG[]; extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_ENCRYPT[]; @@ -40,6 +41,7 @@ extern const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[]; extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[]; extern const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[]; extern const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[]; +extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK2[];