diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index 35129c8b97..d6b0a54c5a 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -8,6 +8,7 @@ #include #include "esp_attr.h" #include "esp_err.h" +#include "soc/soc_caps.h" #ifndef BOOTLOADER_BUILD #include "spi_flash_mmap.h" #endif @@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void); */ esp_err_t esp_flash_encryption_enable_secure_features(void); +/** @brief Returns the verification status for all physical security features of flash encryption in release mode + * + * If the device has flash encryption feature configured in the release mode, + * then it is highly recommended to call this API in the application startup code. + * This API verifies the sanity of the eFuse configuration against + * the release (production) mode of the flash encryption feature. + * + * @return + * - True - all eFuses are configured correctly + * - False - not all eFuses are configured correctly. + */ +bool esp_flash_encryption_cfg_verify_release_mode(void); + /** @brief Switches Flash Encryption from "Development" to "Release" * * If already in "Release" mode, the function will do nothing. diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h index 95ccf39000..fa5c13e25f 100644 --- a/components/bootloader_support/include/esp_secure_boot.h +++ b/components/bootloader_support/include/esp_secure_boot.h @@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi */ esp_err_t esp_secure_boot_enable_secure_features(void); +/** @brief Returns the verification status for all physical security features of secure boot in release mode + * + * If the device has secure boot feature configured in the release mode, + * then it is highly recommended to call this API in the application startup code. + * This API verifies the sanity of the eFuse configuration against + * the release (production) mode of the secure boot feature. + * + * @return + * - True - all eFuses are configured correctly + * - False - not all eFuses are configured correctly. + */ +bool esp_secure_boot_cfg_verify_release_mode(void); + #ifdef __cplusplus } #endif diff --git a/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c index 20f9319589..ec6d6e7ef9 100644 --- a/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c @@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN); +#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS + // Secure boot and Flash encryption share one eFuse key block so they can not be set separately. + // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time. + // SB key is readable, the corresponding bit in RD_DIS is unset. + // We set write-protection for RD_DIS to ensure that the SB key is always readable. + // FE key is read-protected, the corresponding bit in RD_DIS is set. + ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); + esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); +#else + ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED"); +#endif + return ESP_OK; } diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 9fe6be6bf3..50eebed9b7 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void) } ESP_LOGI(TAG, "Flash encryption mode is RELEASE"); } + +#ifdef CONFIG_IDF_TARGET_ESP32 +bool esp_flash_encryption_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_flash_encryption_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)"); + } + + uint8_t crypt_config = 0; + esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4); + if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) { + result &= false; + ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)"); + } + + uint8_t flash_crypt_cnt = 0; + esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); + if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) { + if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) { + result &= false; + ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)"); + } + return result; +} +#else // not CONFIG_IDF_TARGET_ESP32 +bool esp_flash_encryption_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_flash_encryption_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)"); + } + + uint8_t flash_crypt_cnt = 0; + esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); + if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) { + if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) { + result &= false; + ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)"); + } + +#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)"); + } +#endif + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)"); + } + +#if SOC_EFUSE_DIS_PAD_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_USB_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_DIRECT_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_BOOT_REMAP + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)"); + } +#endif + +#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)"); + } +#endif + + esp_efuse_purpose_t purposes[] = { +#if SOC_FLASH_ENCRYPTION_XTS_AES_256 + ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, + ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, +#endif +#if SOC_FLASH_ENCRYPTION_XTS_AES_128 + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, +#endif + }; + // S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2. + // The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2 + // are mutually exclusive because this will make the chip not functional. + // Only one type key must be configured in eFuses. + secure = false; + for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) { + esp_efuse_block_t block; + if (esp_efuse_find_purpose(purposes[i], &block)) { + secure = esp_efuse_get_key_dis_read(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } + secure = esp_efuse_get_key_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } + +#if SOC_EFUSE_KEY_PURPOSE_FIELD + secure = esp_efuse_get_keypurpose_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0); + } +#endif + } + } + result &= secure; + + return result; +} +#endif // not CONFIG_IDF_TARGET_ESP32 diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c index 524e15f962..0b5bab46fc 100644 --- a/components/bootloader_support/src/secure_boot.c +++ b/components/bootloader_support/src/secure_boot.c @@ -10,6 +10,7 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_secure_boot.h" +#include "hal/efuse_hal.h" #ifndef BOOTLOADER_BUILD static __attribute__((unused)) const char *TAG = "secure_boot"; @@ -188,4 +189,220 @@ void esp_secure_boot_init_checks(void) #endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT } + +#ifdef CONFIG_IDF_TARGET_ESP32 +bool esp_secure_boot_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0); + bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300; + bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false; + result = secure_boot_v1 || secure_boot_v2; + if (secure_boot_v1 && secure_boot_v2) { + ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)"); + ESP_LOGI(TAG, "Secure boot V2 shall take the precedence"); + } else if (!secure_boot_v1 && !secure_boot_v2) { + result = false; + ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)"); + if (chip_supports_sbv2) { + ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)"); + } + } + + if (secure_boot_v1 && !secure_boot_v2) { + secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)"); + } + + if (secure_boot_v2) { + secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)"); + } + } + + return result; +} +#else // not CONFIG_IDF_TARGET_ESP32 +bool esp_secure_boot_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_secure_boot_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE); + bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD); + if (!secure && !en_secure_download) { + result &= false; + ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:"); + ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)"); + ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)"); + } + +#if SOC_EFUSE_DIS_BOOT_REMAP + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)"); + } +#endif + +#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_DIS_DIRECT_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_SOFT_DIS_JTAG + size_t soft_dis_jtag_cnt_val = 0; + esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val); + if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) { + result &= secure; + ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)"); + } +#endif + +#if SOC_EFUSE_DIS_PAD_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_USB_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } +#endif + +#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE + secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)"); + } +#endif + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)"); + } + +#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1 + unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2; +#else + unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2 +#endif + secure = false; + unsigned num_keys = 0; + for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) { + esp_efuse_block_t block; + if (esp_efuse_find_purpose(purpose + i, &block)) { + // if chip has a few secure boot slots then we check all +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + bool revoke = esp_efuse_get_digest_revoke(i); + if (revoke) { + continue; + } +#endif + ++num_keys; + secure = !esp_efuse_get_key_dis_read(block); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block); +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i); +#endif + } + secure = !esp_efuse_block_is_empty(block); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block); +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i); +#endif + } + secure = esp_efuse_get_key_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } +#if SOC_EFUSE_KEY_PURPOSE_FIELD + secure = esp_efuse_get_keypurpose_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0); + } +#endif + } + } + result &= secure; + + secure = (num_keys != 0); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "No secure boot key found"); + } + + return result; +} +#endif // not CONFIG_IDF_TARGET_ESP32 + #endif // not BOOTLOADER_BUILD diff --git a/components/efuse/esp32c2/esp_efuse_table.c b/components/efuse/esp32c2/esp_efuse_table.c index c1d712e148..a518074239 100644 --- a/components/efuse/esp32c2/esp_efuse_table.c +++ b/components/efuse/esp32c2/esp_efuse_table.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -9,7 +9,7 @@ #include #include "esp_efuse_table.h" -// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee +// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // If you want to change some fields, you need to change esp_efuse_table.csv file // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. @@ -19,8 +19,8 @@ static const esp_efuse_desc_t WR_DIS[] = { {EFUSE_BLK0, 0, 8}, // Write protection, }; -static const esp_efuse_desc_t WR_DIS_KEY0_RD_DIS[] = { - {EFUSE_BLK0, 0, 1}, // Write protection for KEY0_RD_DIS, +static const esp_efuse_desc_t WR_DIS_RD_DIS[] = { + {EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS, }; static const esp_efuse_desc_t WR_DIS_GROUP_1[] = { @@ -265,8 +265,8 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = { NULL }; -const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[] = { - &WR_DIS_KEY0_RD_DIS[0], // Write protection for KEY0_RD_DIS +const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = { + &WR_DIS_RD_DIS[0], // Write protection for RD_DIS NULL }; diff --git a/components/efuse/esp32c2/esp_efuse_table.csv b/components/efuse/esp32c2/esp_efuse_table.csv index ee34254c17..7334923b2e 100644 --- a/components/efuse/esp32c2/esp_efuse_table.csv +++ b/components/efuse/esp32c2/esp_efuse_table.csv @@ -12,7 +12,7 @@ ############################## # EFUSE_RD_WR_DIS_REG # WR_DIS, EFUSE_BLK0, 0, 8, Write protection - WR_DIS.KEY0_RD_DIS, EFUSE_BLK0, 0, 1, Write protection for KEY0_RD_DIS + WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS WR_DIS.GROUP_1, EFUSE_BLK0, 1, 1, Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE WR_DIS.GROUP_2, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN diff --git a/components/efuse/esp32c2/include/esp_efuse_table.h b/components/efuse/esp32c2/include/esp_efuse_table.h index 23f580c7d4..7cac756bcf 100644 --- a/components/efuse/esp32c2/include/esp_efuse_table.h +++ b/components/efuse/esp32c2/include/esp_efuse_table.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -10,7 +10,7 @@ extern "C" { #include "esp_efuse.h" -// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee +// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // If you want to change some fields, you need to change esp_efuse_table.csv file // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file. @@ -18,7 +18,7 @@ extern "C" { extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[]; -extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[]; +extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[]; diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in index 1cae988ad1..581ae70901 100644 --- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in @@ -495,6 +495,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS int default 1 +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_ECC bool default y diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h index 333fbce1b2..d883c46be6 100644 --- a/components/soc/esp32c2/include/soc/soc_caps.h +++ b/components/soc/esp32c2/include/soc/soc_caps.h @@ -241,6 +241,10 @@ #define SOC_TIMER_GROUP_SUPPORT_PLL_F40M (1) #define SOC_TIMER_GROUP_TOTAL_TIMERS (1U) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_ECC 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS (1U) diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index 02c229e8c8..e3c0bd6215 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -731,6 +731,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index d93832955e..b02b02fc03 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -329,6 +329,12 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in index b9b07b3824..8b6165ffb4 100644 --- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in @@ -867,6 +867,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h index f38713cebc..8d67a42e99 100644 --- a/components/soc/esp32c6/include/soc/soc_caps.h +++ b/components/soc/esp32c6/include/soc/soc_caps.h @@ -381,6 +381,12 @@ #define SOC_TWAI_BRP_MAX 32768 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + // TODO: IDF-5357 (Copy from esp32c3, need check) /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index 206dcc6077..54f9594469 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -687,6 +687,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index 97d6dbf53a..85822dddd7 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -361,6 +361,12 @@ #define SOC_TWAI_BRP_MAX 32768 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + // TODO: IDF-6281 (Copy from esp32c6, need check) /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index e87b99fc96..2bc33ea092 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -707,6 +707,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index 67af6d6f44..666e2e9dc3 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -336,6 +336,12 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index 91eb332985..94c0c6892d 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -815,6 +815,26 @@ config SOC_AES_SUPPORT_GCM bool default y +config SOC_EFUSE_DIS_DOWNLOAD_DCACHE + bool + default y + +config SOC_EFUSE_HARD_DIS_JTAG + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_BOOT_REMAP + bool + default y + +config SOC_EFUSE_DIS_LEGACY_SPI_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index a0974f047c..308da2c218 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -362,6 +362,13 @@ #define SOC_AES_SUPPORT_DMA (1) #define SOC_AES_SUPPORT_GCM (1) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1 +#define SOC_EFUSE_HARD_DIS_JTAG 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_BOOT_REMAP 1 +#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index c45be24cbe..93cf5face7 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -1011,6 +1011,26 @@ config SOC_CLK_RC_FAST_SUPPORT_CALIBRATION bool default y +config SOC_EFUSE_DIS_DOWNLOAD_DCACHE + bool + default y + +config SOC_EFUSE_HARD_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index dc99d120f3..3993e6b4d7 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -417,6 +417,13 @@ #define SOC_RTC_SLOW_CLK_SUPPORT_RC_FAST_D256 (1) #define SOC_CLK_RC_FAST_SUPPORT_CALIBRATION (1) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1 +#define SOC_EFUSE_HARD_DIS_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/docs/en/api-reference/peripherals/hmac.rst b/docs/en/api-reference/peripherals/hmac.rst index fb9bdc0a0e..a09962e32a 100644 --- a/docs/en/api-reference/peripherals/hmac.rst +++ b/docs/en/api-reference/peripherals/hmac.rst @@ -106,6 +106,14 @@ Setup .. note:: The API *esp_efuse_write_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count)* can be used to burn "soft JTAG disable" bits on {IDF_TARGET_NAME}. +.. only:: esp32s2 or esp32s3 + + .. note:: If ``HARD_DIS_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled. + +.. only:: not esp32s2 and not esp32s3 + + .. note:: If ``DIS_PAD_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled. + JTAG enable 1. The key to re-enable JTAG is the output of the HMAC-SHA256 function using the secret key in eFuse and 32 0x00 bytes as the message. diff --git a/examples/system/efuse/main/efuse_main.c b/examples/system/efuse/main/efuse_main.c index 8c24a407d9..53afd94600 100644 --- a/examples/system/efuse/main/efuse_main.c +++ b/examples/system/efuse/main/efuse_main.c @@ -15,10 +15,8 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_efuse_custom_table.h" -#if CONFIG_IDF_TARGET_ESP32C2 #include "esp_secure_boot.h" #include "esp_flash_encrypt.h" -#endif #include "sdkconfig.h" static const char* TAG = "example"; @@ -135,6 +133,21 @@ void app_main(void) { ESP_LOGI(TAG, "Start eFuse example"); +#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED + if (esp_flash_encryption_cfg_verify_release_mode()) { + ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode"); + } else { + ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode"); + } +#endif +#ifdef CONFIG_SECURE_BOOT + if (esp_secure_boot_cfg_verify_release_mode()) { + ESP_LOGI(TAG, "Secure Boot is in RELEASE mode"); + } else { + ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode"); + } +#endif + esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme(); (void) coding_scheme; diff --git a/examples/system/efuse/pytest_system_efuse_example.py b/examples/system/efuse/pytest_system_efuse_example.py index 2f52f56e39..327355e95c 100644 --- a/examples/system/efuse/pytest_system_efuse_example.py +++ b/examples/system/efuse/pytest_system_efuse_example.py @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD +# SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD # SPDX-License-Identifier: Unlicense OR CC0-1.0 from __future__ import unicode_literals @@ -248,6 +248,7 @@ def test_examples_efuse_with_virt_flash_enc_release(dut: Dut) -> None: dut.expect_exact('flash encryption is enabled (0 plaintext flashes left)', timeout=5) dut.expect('Flash encryption mode is RELEASE') dut.expect('Start eFuse example') + dut.expect('Flash Encryption is in RELEASE mode') dut.expect('example: Done') @@ -772,6 +773,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done') @@ -851,6 +854,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done') @@ -938,6 +943,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done')