ESP32 SecureBoot V2: eFuse write operations are updated to use the eFuse Manager APIs

Closes IDF-2034

Closes https://github.com/espressif/esp-idf/issues/5771
Sachin Billore
2020-08-23 01:30:46 +05:30
committed by bot
parent 3eac0ec5be
commit f1dae0d6e1
4 changed files with 71 additions and 22 deletions


@@ -34,6 +34,7 @@
#include "esp_secure_boot.h" #include "esp_secure_boot.h"
#include "esp_flash_encrypt.h" #include "esp_flash_encrypt.h"
#include "esp_efuse.h" #include "esp_efuse.h"
#include "esp_efuse_table.h"
/* The following API implementations are used only when called /* The following API implementations are used only when called
* from the bootloader code. * from the bootloader code.
@@ -290,9 +291,6 @@ done:
esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data) esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data)
{ {
uint32_t new_wdata0 = 0;
uint32_t new_wdata6 = 0;
ESP_LOGI(TAG, "enabling secure boot v2..."); ESP_LOGI(TAG, "enabling secure boot v2...");
esp_err_t ret; esp_err_t ret;
if (esp_secure_boot_enabled()) { if (esp_secure_boot_enabled()) {
@@ -300,6 +298,12 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
return ESP_OK; return ESP_OK;
} }
ret = esp_efuse_batch_write_begin();
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Error batch programming security eFuses.");
return ret;
}
uint32_t coding_scheme = REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_CODING_SCHEME); uint32_t coding_scheme = REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_CODING_SCHEME);
if (coding_scheme != EFUSE_CODING_SCHEME_VAL_NONE) { if (coding_scheme != EFUSE_CODING_SCHEME_VAL_NONE) {
ESP_LOGE(TAG, "No coding schemes are supported in secure boot v2.(Detected scheme: 0x%x)", coding_scheme); ESP_LOGE(TAG, "No coding schemes are supported in secure boot v2.(Detected scheme: 0x%x)", coding_scheme);
@@ -336,14 +340,19 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
} }
ESP_LOGI(TAG, "Burning public key hash to efuse."); ESP_LOGI(TAG, "Burning public key hash to efuse.");
uint32_t *boot_public_key_digest_ptr = (uint32_t *) boot_pub_key_digest; ret = esp_efuse_write_block(EFUSE_BLK2, boot_pub_key_digest, 0, (DIGEST_LEN * 8));
for (int i = 0; i < 8 ; i++) { if (ret != ESP_OK) {
REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4 * i, boot_public_key_digest_ptr[i]); ESP_LOGE(TAG, "Writing public key hash to efuse failed.");
ESP_LOGD(TAG, "EFUSE_BLKx_WDATA%d_REG = 0x%08x", i, boot_public_key_digest_ptr[i]); return ret;
} }
ESP_LOGI(TAG, "Write protecting public key digest..."); ESP_LOGI(TAG, "Write protecting public key digest...");
new_wdata0 |= EFUSE_WR_DIS_BLK2; ret = esp_efuse_set_write_protect(EFUSE_BLK2);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Write protecting public key digest...failed.");
return ret;
}
efuse_key_write_protected = true; efuse_key_write_protected = true;
efuse_key_read_protected = false; efuse_key_read_protected = false;
} else { } else {
@@ -375,26 +384,38 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
ESP_LOGI(TAG, "blowing secure boot efuse..."); ESP_LOGI(TAG, "blowing secure boot efuse...");
ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG)); ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
new_wdata6 |= EFUSE_RD_ABS_DONE_1; ret = esp_efuse_write_field_bit(ESP_EFUSE_ABS_DONE_1);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Blowing secure boot efuse...failed.");
return ret;
}
#ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
ESP_LOGI(TAG, "Disable JTAG..."); ESP_LOGI(TAG, "Disable JTAG...");
new_wdata6 |= EFUSE_RD_DISABLE_JTAG; ret = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_JTAG);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Disable JTAG...failed.");
return ret;
}
#else #else
ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED"); ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#endif #endif
#ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC #ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback..."); ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE; ret = esp_efuse_write_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Disable ROM BASIC interpreter fallback...failed.");
return ret;
}
#else #else
ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED"); ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
#endif #endif
#ifdef CONFIG_SECURE_DISABLE_ROM_DL_MODE #ifdef CONFIG_SECURE_DISABLE_ROM_DL_MODE
ESP_LOGI(TAG, "Disable ROM Download mode..."); ESP_LOGI(TAG, "Disable ROM Download mode...");
esp_err_t err = esp_efuse_disable_rom_download_mode(); ret = esp_efuse_disable_rom_download_mode();
if (err != ESP_OK) { if (ret != ESP_OK) {
ESP_LOGE(TAG, "Could not disable ROM Download mode..."); ESP_LOGE(TAG, "Could not disable ROM Download mode...");
return ESP_FAIL; return ESP_FAIL;
} }
@@ -411,15 +432,21 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
#endif #endif
if (rd_dis_now) { if (rd_dis_now) {
ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
new_wdata0 |= EFUSE_WR_DIS_RD_DIS; ret = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "Prevent read disabling of additional efuses...failed.");
return ret;
}
} }
#else #else
ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED"); ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#endif #endif
REG_WRITE(EFUSE_BLK0_WDATA0_REG, new_wdata0); ret = esp_efuse_batch_write_commit();
REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6); if (ret != ESP_OK) {
esp_efuse_burn_new_values(); ESP_LOGE(TAG, "Error programming security eFuses.");
return ret;
}
uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG); uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG);
ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA0 0x%08x EFUSE_BLK0_RDATA6 0x%08x", ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA0 0x%08x EFUSE_BLK0_RDATA6 0x%08x",
REG_READ(EFUSE_BLK0_RDATA0_REG), after); REG_READ(EFUSE_BLK0_RDATA0_REG), after);
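Review bot: None of the failure branches added after `esp_efuse_batch_write_begin()` leaves batch mode before returning: the digest write, the BLK2 write-protect, and the ABS_DONE_1, DISABLE_JTAG, CONSOLE_DEBUG_DISABLE and WR_DIS_EFUSE_RD_DISABLE writes all `return ret;` directly, and the pre-existing coding-scheme and ROM Download mode checks now sit inside the batch as well. If the eFuse manager keeps the staged bits and the batch state across that return (likely, since nothing visible here resets them), a later commit elsewhere could burn a partial set of security fuses, which cannot be undone. Each branch should call `esp_efuse_batch_write_cancel();` before `return ret;`, or jump to a single cleanup label that does. The ROM Download mode branch also still returns `ESP_FAIL` rather than `ret`, which drops the underlying error code. The function body starts and ends outside these hunks, so any exits not shown here need the same treatment.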


@@ -17,7 +17,7 @@
#include <assert.h> #include <assert.h>
#include "esp_efuse_table.h" #include "esp_efuse_table.h"
// md5_digest_table 11b691b6fa8546a3862a7a876be5f758 // md5_digest_table 8c9f6537b47cc5b26a1a5896158c612a
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
// If you want to change some fields, you need to change esp_efuse_table.csv file // If you want to change some fields, you need to change esp_efuse_table.csv file
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -64,7 +64,11 @@ static const esp_efuse_desc_t SECURE_BOOT_KEY[] = {
}; };
static const esp_efuse_desc_t ABS_DONE_0[] = { static const esp_efuse_desc_t ABS_DONE_0[] = {
{EFUSE_BLK0, 196, 1}, // Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0, {EFUSE_BLK0, 196, 1}, // Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0,
};
static const esp_efuse_desc_t ABS_DONE_1[] = {
{EFUSE_BLK0, 197, 1}, // Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1,
}; };
static const esp_efuse_desc_t ENCRYPT_FLASH_KEY[] = { static const esp_efuse_desc_t ENCRYPT_FLASH_KEY[] = {
@@ -103,6 +107,10 @@ static const esp_efuse_desc_t UART_DOWNLOAD_DIS[] = {
{EFUSE_BLK0, 27, 1}, // Disable UART download mode. Valid for ESP32 V3 and newer, {EFUSE_BLK0, 27, 1}, // Disable UART download mode. Valid for ESP32 V3 and newer,
}; };
static const esp_efuse_desc_t WR_DIS_EFUSE_RD_DISABLE[] = {
{EFUSE_BLK0, 0, 1}, // Write protection for EFUSE_RD_DISABLE,
};
static const esp_efuse_desc_t WR_DIS_FLASH_CRYPT_CNT[] = { static const esp_efuse_desc_t WR_DIS_FLASH_CRYPT_CNT[] = {
{EFUSE_BLK0, 2, 1}, // Flash encrypt. Write protection FLASH_CRYPT_CNT, {EFUSE_BLK0, 2, 1}, // Flash encrypt. Write protection FLASH_CRYPT_CNT,
}; };
@@ -235,7 +243,12 @@ const esp_efuse_desc_t* ESP_EFUSE_SECURE_BOOT_KEY[] = {
}; };
const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[] = { const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[] = {
&ABS_DONE_0[0], // Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0 &ABS_DONE_0[0], // Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0
NULL
};
const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_1[] = {
&ABS_DONE_1[0], // Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1
NULL NULL
}; };
@@ -284,6 +297,11 @@ const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[] = {
NULL NULL
}; };
const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[] = {
&WR_DIS_EFUSE_RD_DISABLE[0], // Write protection for EFUSE_RD_DISABLE
NULL
};
const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[] = { const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[] = {
&WR_DIS_FLASH_CRYPT_CNT[0], // Flash encrypt. Write protection FLASH_CRYPT_CNT &WR_DIS_FLASH_CRYPT_CNT[0], // Flash encrypt. Write protection FLASH_CRYPT_CNT
NULL NULL


@@ -29,7 +29,8 @@ MAC_CUSTOM_VER, EFUSE_BLK3, 184, 8, Custom MAC version
# Security boot # # Security boot #
################# #################
SECURE_BOOT_KEY, EFUSE_BLK2, 0, MAX_BLK_LEN, Security boot. Key. (length = "None" - 256. "3/4" - 192. "REPEAT" - 128) SECURE_BOOT_KEY, EFUSE_BLK2, 0, MAX_BLK_LEN, Security boot. Key. (length = "None" - 256. "3/4" - 192. "REPEAT" - 128)
ABS_DONE_0, EFUSE_BLK0, 196, 1, Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0 ABS_DONE_0, EFUSE_BLK0, 196, 1, Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0
ABS_DONE_1, EFUSE_BLK0, 197, 1, Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1
# Flash encrypt # # Flash encrypt #
################# #################
@@ -48,6 +49,7 @@ UART_DOWNLOAD_DIS, EFUSE_BLK0, 27, 1, Disable UART download mode.
# Write protection # # Write protection #
#################### ####################
WR_DIS_EFUSE_RD_DISABLE,EFUSE_BLK0, 0, 1, Write protection for EFUSE_RD_DISABLE
WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0, 2, 1, Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0, 2, 1, Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT
WR_DIS_BLK1, EFUSE_BLK0, 7, 1, Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1 WR_DIS_BLK1, EFUSE_BLK0, 7, 1, Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
WR_DIS_BLK2, EFUSE_BLK0, 8, 1, Security boot. Write protection security key. EFUSE_WR_DIS_BLK2 WR_DIS_BLK2, EFUSE_BLK0, 8, 1, Security boot. Write protection security key. EFUSE_WR_DIS_BLK2
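Review bot: The new `WR_DIS_EFUSE_RD_DISABLE` row's description omits the register macro that the neighbouring rows carry (`EFUSE_WR_DIS_FLASH_CRYPT_CNT`, `EFUSE_WR_DIS_BLK1`, `EFUSE_WR_DIS_BLK2`), so the generated comments lose the link to the bit the old code set as `EFUSE_WR_DIS_RD_DIS`. Since the `.c` and `.h` tables are generated from this file, the description should be extended here, e.g. `Write protection for EFUSE_RD_DISABLE. EFUSE_WR_DIS_RD_DIS`. The row is also the only one without a space after the first comma, which breaks the column alignment of the block.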


@@ -17,7 +17,7 @@ extern "C" {
#endif #endif
// md5_digest_table 11b691b6fa8546a3862a7a876be5f758 // md5_digest_table 8c9f6537b47cc5b26a1a5896158c612a
// This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
// If you want to change some fields, you need to change esp_efuse_table.csv file // If you want to change some fields, you need to change esp_efuse_table.csv file
// then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -31,6 +31,7 @@ extern const esp_efuse_desc_t* ESP_EFUSE_MAC_CUSTOM[];
extern const esp_efuse_desc_t* ESP_EFUSE_MAC_CUSTOM_VER[]; extern const esp_efuse_desc_t* ESP_EFUSE_MAC_CUSTOM_VER[];
extern const esp_efuse_desc_t* ESP_EFUSE_SECURE_BOOT_KEY[]; extern const esp_efuse_desc_t* ESP_EFUSE_SECURE_BOOT_KEY[];
extern const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[]; extern const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[];
extern const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_1[];
extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_FLASH_KEY[]; extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_FLASH_KEY[];
extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_CONFIG[]; extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_CONFIG[];
extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_ENCRYPT[]; extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_ENCRYPT[];
@@ -40,6 +41,7 @@ extern const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[];
extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[]; extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[];
extern const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[]; extern const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[];
extern const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[]; extern const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[];
extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK2[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK2[];