From fa35d505a15f8f4c7640df18757435b39485a43b Mon Sep 17 00:00:00 2001
From: 0xFEEDC0DE64
Date: Mon, 22 Apr 2024 17:21:37 +0200
Subject: [PATCH 1/2] Show remote ip address when somebody requests and invalid path to ease debugging
---
 components/esp_http_server/src/httpd_uri.c | 23 +++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/components/esp_http_server/src/httpd_uri.c b/components/esp_http_server/src/httpd_uri.c
index 5a871902ca..a1a617c876 100644
--- a/components/esp_http_server/src/httpd_uri.c
+++ b/components/esp_http_server/src/httpd_uri.c
@@ -292,10 +292,31 @@ esp_err_t httpd_uri(struct httpd_data *hd)
 /* If URI with method not found, respond with error code */
 if (uri == NULL) {
+
 switch (err) {
 case HTTPD_404_NOT_FOUND:
- ESP_LOGW(TAG, LOG_FMT("URI '%s' not found"), req->uri);
+ {
+ char ipstr[INET6_ADDRSTRLEN] = "UNKNOWN";
+
+ const int sockfd = httpd_req_to_sockfd(req);
+
+ if (sockfd < 0)
+ ESP_LOGW(TAG, "httpd_req_to_sockfd() failed with %i", sockfd);
+ else
+ {
+ struct sockaddr_in6 addr; // esp_http_server uses IPv6 addressing
+ socklen_t addr_size = sizeof(addr);
+ const int result = getpeername(sockfd, (struct sockaddr *)&addr, &addr_size);
+
+ if (result < 0)
+ ESP_LOGW(TAG, "getpeername() failed with %i", result);
+ else
+ inet_ntop(AF_INET, &addr.sin6_addr.un.u32_addr[3], ipstr, sizeof(ipstr));
+ }
+
+ ESP_LOGW(TAG, LOG_FMT("URI '%s' not found for %s"), req->uri, ipstr);
 return httpd_req_handle_err(req, HTTPD_404_NOT_FOUND);
+ }
 case HTTPD_405_METHOD_NOT_ALLOWED:
 ESP_LOGW(TAG, LOG_FMT("Method '%d' not allowed for URI '%s'"), req->method, req->uri);
From 138a47c750d1c9f5f2f589e96612110f7858d264 Mon Sep 17 00:00:00 2001
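Review bot: The `inet_ntop(AF_INET, &addr.sin6_addr.un.u32_addr[3], ...)` call in the 404 branch always formats the last 32 bits of the peer address as IPv4, and `addr.sin6_family` is never checked after `getpeername()`, so a native IPv6 client would be logged with an IPv4 address it never had. For a log line whose purpose is to identify who requested a missing path, a wrong source address is worse than "UNKNOWN". I would format as IPv4 only when the address is IPv4-mapped and use `AF_INET6` otherwise, as sketched below; `IN6_IS_ADDR_V4MAPPED` is the POSIX macro and should be confirmed against the socket headers this component builds with. Because `req->uri` is client-supplied, the combined line should still be treated as untrusted text by anything that parses the log. httpd_uri() starts and ends outside the hunk.

```c
                    // … unchanged: sockfd lookup and getpeername() call …
                    if (result < 0)
                        ESP_LOGW(TAG, "getpeername() failed with %i", result);
                    else if (addr.sin6_family != AF_INET6)
                        ESP_LOGW(TAG, "unexpected peer address family %i", addr.sin6_family);
                    else if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr))
                        inet_ntop(AF_INET, &addr.sin6_addr.un.u32_addr[3], ipstr, sizeof(ipstr));
                    else
                        inet_ntop(AF_INET6, &addr.sin6_addr, ipstr, sizeof(ipstr));
```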
From: Tobias Schramm
Date: Mon, 17 Jun 2024 11:00:05 +0200
Subject: [PATCH 2/2] bootloader_support: burn security efuses if flash encryption is enabled Previously security eFuses were only burnt if the flash was not encrypted yet. To enhance robustness of the security eFuse settings their correct setup should be verified on each bootup. Else it would be possible for an already encrypted ESP to be reflashed with firmware containing updated, more restrictive eFuse settings without them ever being applied. Additionally this change enables easy, secure use of ESPs with host sidee flash preencryption. Flash preencryption by the host computer performing the programming procedure can speed up the programming process by a great deal since the flash no longer needs to be read, erased and written again by the bootloader self-encryption routines. Additionally it avoids bricking of ESPs through interruption of the self-ecnryption procedure. Without this change the host would have to set up all fuses in the ESP correctly by itself, duplicating the fuse configuration code already present in the bootloader and creating additional maintenance burden for the host software if anything about the fuse setup logic changes. This commit changes the security eFuse configuration logic to always burn any configured security eFuses on bootup, regardless of current flash encryption status.
---
 .../src/bootloader_utility.c | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/components/bootloader_support/src/bootloader_utility.c b/components/bootloader_support/src/bootloader_utility.c
index 7aad0fa5b5..77a345697e 100644
--- a/components/bootloader_support/src/bootloader_utility.c
+++ b/components/bootloader_support/src/bootloader_utility.c
@@ -615,7 +615,25 @@ static void load_image(const esp_image_metadata_t *image_data)
 */
 ESP_LOGI(TAG, "Checking flash encryption...");
 bool flash_encryption_enabled = esp_flash_encrypt_state();
- if (!flash_encryption_enabled) {
+ if (flash_encryption_enabled) {
+#if BOOTLOADER_BUILD
+ /* Ensure security eFuses are burnt */
+ esp_efuse_batch_write_begin();
+ esp_err_t err = esp_flash_encryption_enable_secure_features();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Error setting security eFuses (err=0x%x).", err);
+ esp_efuse_batch_write_cancel();
+ return;
+ }
+
+ err = esp_efuse_batch_write_commit();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Error programming security eFuses (err=0x%x).", err);
+ return;
+ }
+ ESP_LOGI(TAG, "Security eFuses are burnt");
+#endif // BOOTLOADER_BUILD
+ } else {
 #ifdef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
 ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
 return;
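Review bot: Both new failure paths in the `flash_encryption_enabled` branch `return` from load_image(), so an already-encrypted device that booted with the previous bootloader would apparently stop booting on every start if `esp_flash_encryption_enable_secure_features()` or `esp_efuse_batch_write_commit()` reports an error. Whether that can happen on fielded parts (for example when a configured fuse can no longer be written) is not visible in this hunk and is worth confirming, because eFuse writes are one-time and this path now runs on each boot instead of once. The one-line comment should say so, e.g. `/* Runs on every boot: (re)apply the configured security eFuses; writes are irreversible and a failure aborts the boot */`. The `ESP_LOGI` text "Security eFuses are burnt" is also printed when nothing needed burning, so it should not be read as evidence that a fuse changed on this boot. load_image() starts and ends outside the hunk.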