From e09d50d244f1d2c13ac7de9206e92a5cbe89454f Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Wed, 18 Oct 2023 16:49:30 +0530 Subject: [PATCH 1/2] feat(soc): Updated soc cap for flash encryption 1) In the ESP32-P4 SoC, we have an eFuse to disable the MSPI access when in download mode. This commit adds relevant soc cap for esp32p4 chip. 2) Added FE related soc caps 3) Removed unwanted cap from soc_caps 4) esp_hw_support: Enable flash encryption related ll APIs for esp32p4 --- .../esp32p4/include/hal/spi_flash_encrypted_ll.h | 14 +++++--------- .../soc/esp32p4/include/soc/Kconfig.soc_caps.in | 16 ++++++++++++---- components/soc/esp32p4/include/soc/soc_caps.h | 5 ++++- 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h index de642b56d6..fbdb899098 100644 --- a/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h @@ -24,8 +24,6 @@ extern "C" { #endif -//TODO: IDF-7545 - /// Choose type of chip you want to encrypt manully typedef enum { @@ -38,10 +36,9 @@ typedef enum */ static inline void spi_flash_encrypt_ll_enable(void) { - // REG_SET_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, - // HP_SYSTEM_ENABLE_DOWNLOAD_MANUAL_ENCRYPT | - // HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); - abort(); + REG_SET_BIT(HP_SYSTEM_CRYPTO_CTRL_REG, + HP_SYSTEM_REG_ENABLE_DOWNLOAD_MANUAL_ENCRYPT | + HP_SYSTEM_REG_ENABLE_SPI_MANUAL_ENCRYPT); } /* @@ -49,9 +46,8 @@ static inline void spi_flash_encrypt_ll_enable(void) */ static inline void spi_flash_encrypt_ll_disable(void) { - // REG_CLR_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, - // HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); - abort(); + REG_CLR_BIT(HP_SYSTEM_CRYPTO_CTRL_REG, + HP_SYSTEM_REG_ENABLE_SPI_MANUAL_ENCRYPT); } /** 
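Review bot: In the `@@ -49,9 +46,8 @@` hunk `spi_flash_encrypt_ll_disable()` clears only `HP_SYSTEM_REG_ENABLE_SPI_MANUAL_ENCRYPT`, while `spi_flash_encrypt_ll_enable()` in the hunk above sets both that bit and `HP_SYSTEM_REG_ENABLE_DOWNLOAD_MANUAL_ENCRYPT`; the asymmetry looks deliberate (the previously commented-out code had the same shape) but nothing in the header says so. Suggest a one-line comment above the `REG_CLR_BIT` call, e.g. `// Intentionally leaves ENABLE_DOWNLOAD_MANUAL_ENCRYPT set; only the SPI manual-encrypt path is turned off (TODO confirm)`. With the `abort()` calls gone these two functions no longer need whatever header provided `abort`; if that include is the only reason it is pulled in, it can go too, but the include list is outside the hunk.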
diff --git a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in index 759de281d7..4141a6ae7a 100644 --- a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in @@ -1111,10 +1111,6 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y -config SOC_EFUSE_DIS_DOWNLOAD_ICACHE - bool - default y - config SOC_EFUSE_DIS_PAD_JTAG bool default y @@ -1131,6 +1127,10 @@ config SOC_EFUSE_SOFT_DIS_JTAG bool default y +config SOC_EFUSE_DIS_DOWNLOAD_MSPI + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y @@ -1159,10 +1159,18 @@ config SOC_FLASH_ENCRYPTION_XTS_AES bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_128 bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_256 + bool + default y + config SOC_UART_NUM int default 6 diff --git a/components/soc/esp32p4/include/soc/soc_caps.h b/components/soc/esp32p4/include/soc/soc_caps.h index 6408b4c8f0..05a3aa41e0 100644 --- a/components/soc/esp32p4/include/soc/soc_caps.h +++ b/components/soc/esp32p4/include/soc/soc_caps.h @@ -491,11 +491,12 @@ #define SOC_TWAI_SUPPORTS_RX_STATUS 1 /*-------------------------- eFuse CAPS----------------------------*/ -#define SOC_EFUSE_DIS_DOWNLOAD_ICACHE 1 #define SOC_EFUSE_DIS_PAD_JTAG 1 #define SOC_EFUSE_DIS_USB_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_SOFT_DIS_JTAG 1 +/* Capability to disable the MSPI access in download mode */ +#define SOC_EFUSE_DIS_DOWNLOAD_MSPI 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 
@@ -507,7 +508,9 @@ /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /*-------------------------- MEMPROT CAPS ------------------------------------*/ From a84234c23f41e6664453642af4fc46b5ce60ba7a Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Mon, 6 Nov 2023 18:54:22 +0530 Subject: [PATCH 2/2] feat(security): Enable Flash encryption for ESP32P4 --- .../bootloader_support/src/flash_encrypt.c | 18 ++++++------------ .../src/flash_encryption/flash_encrypt.c | 13 ++++++++++++- components/esp_system/port/cpu_start.c | 6 ++++++ .../spi_flash/test_apps/.build-test-rules.yml | 7 ++----- .../test_apps/flash_encryption/README.md | 4 ++-- docs/en/security/flash-encryption.rst | 1 + .../security/host-based-security-workflows.rst | 1 + examples/security/.build-test-rules.yml | 2 +- .../sdkconfig.ci.virt_sb_v2_and_fe.esp32p4 | 18 ++++++++++++++++++ 9 files changed, 49 insertions(+), 21 deletions(-) create mode 100644 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4 diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 40f70a8658..27f10317cb 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c 
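Review bot: The new `SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS` and `SOC_FLASH_ENCRYPTION_XTS_AES_256` caps are added without a comment, unlike `SOC_EFUSE_DIS_DOWNLOAD_MSPI` in the previous hunk, which got one. `_OPTIONS` in particular is not self-explanatory; presumably it means the key length is selectable between the 128-bit and 256-bit caps listed around it, so something like `/* XTS-AES key length is selectable (see the _128 / _256 caps below) -- TODO confirm wording */` above it would help the next reader. The generated `Kconfig.soc_caps.in` hunk mirrors these and needs no separate change.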
@@ -137,16 +137,14 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void) } #else if (esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT) -#if CONFIG_IDF_TARGET_ESP32P4 - //TODO: IDF-7545 +#if SOC_EFUSE_DIS_DOWNLOAD_MSPI && esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS) -#else +#endif #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE && esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE) #endif #if SOC_EFUSE_DIS_DOWNLOAD_DCACHE && esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE) -#endif #endif ) { mode = ESP_FLASH_ENC_MODE_RELEASE; @@ -192,17 +190,15 @@ void esp_flash_encryption_set_release_mode(void) esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT); #else esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); -#if CONFIG_IDF_TARGET_ESP32P4 - //TODO: IDF-7545 +#if SOC_EFUSE_DIS_DOWNLOAD_MSPI esp_efuse_write_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS); -#else +#endif #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); #endif #if SOC_EFUSE_DIS_DOWNLOAD_DCACHE esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE); #endif -#endif #ifdef CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED // For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0. // It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit. @@ -345,14 +341,13 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) } #endif -#if CONFIG_IDF_TARGET_ESP32P4 - //TODO: IDF-7545 +#if SOC_EFUSE_DIS_DOWNLOAD_MSPI secure = esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS); result &= secure; if (!secure) { ESP_LOGW(TAG, "Not disabled UART bootloader download mspi (set DIS_DOWNLOAD_MSPI->1)"); } -#else +#endif #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); result &= secure; 
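Review bot: In the `@@ -345,14 +341,13 @@` hunk the warning logged when the MSPI eFuse is not burned tells the user to set `DIS_DOWNLOAD_MSPI`, but the bit read on the line above is `ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS`; if the eFuse table exposes that bit as `SPI_DOWNLOAD_MSPI_DIS`, the hint names a field the eFuse tool will not recognise. Suggest aligning the message with the table name once confirmed, e.g. `ESP_LOGW(TAG, "Not disabled UART bootloader download mspi (set SPI_DOWNLOAD_MSPI_DIS->1)");`. Replacing the `#if CONFIG_IDF_TARGET_ESP32P4 ... #else ... #endif` nesting with independent `#if SOC_EFUSE_DIS_DOWNLOAD_MSPI` / `#if SOC_EFUSE_DIS_DOWNLOAD_ICACHE` / `#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE` blocks in the `@@ -137` and `@@ -192` hunks is the right shape, since each cap is then checked, burned and verified wherever it is defined. All three enclosing functions (`esp_get_flash_encryption_mode`, `esp_flash_encryption_set_release_mode`, `esp_flash_encryption_cfg_verify_release_mode`) begin outside their hunks.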
@@ -360,7 +355,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)"); } #endif -#endif #if SOC_EFUSE_DIS_PAD_JTAG secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index daf920564a..145fb23e6d 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -15,6 +15,11 @@ #include "esp_efuse_table.h" #include "esp_log.h" #include "hal/wdt_hal.h" + +#if CONFIG_IDF_TARGET_ESP32P4 //TODO-IDF-7925 +#include "soc/keymng_reg.h" +#endif + #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK #include "soc/sensitive_reg.h" #endif @@ -209,6 +214,12 @@ static esp_err_t check_and_generate_encryption_keys(void) } ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse"); } + +#if CONFIG_IDF_TARGET_ESP32P4 //TODO - IDF-7925 + // Force Key Manager to use eFuse key for XTS-AES operation + REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2); +#endif + return ESP_OK; } diff --git a/components/esp_system/port/cpu_start.c b/components/esp_system/port/cpu_start.c index 99d6e8b42d..09fde98aed 100644 --- a/components/esp_system/port/cpu_start.c +++ b/components/esp_system/port/cpu_start.c @@ -66,6 +66,7 @@ #include "soc/hp_sys_clkrst_reg.h" #include "soc/interrupt_core0_reg.h" #include "soc/interrupt_core1_reg.h" +#include "soc/keymng_reg.h" #endif #include "esp_private/esp_mmu_map_private.h" 
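Review bot: `REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);` in the `@@ -209,6 +214,12 @@` hunk writes a bare literal into a field that, judging by the `3` written to the same field in the `cpu_start.c` hunk (`@@ -299,6 +300,11 @@`) with the comment "ECDSA and XTS-AES", is a per-consumer bitmask; both call sites should use named constants rather than `2` and `3`. For example, next to the new include: `#define KEYMNG_USE_EFUSE_KEY_XTS_AES BIT(1) /* placeholder name; TODO confirm bit assignment against the TRM */` and then `REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, KEYMNG_USE_EFUSE_KEY_XTS_AES);`. Because `REG_SET_FIELD` replaces the whole field rather than OR-ing into it, the bootloader leaves the other bit clear until the application writes `3`; if that is intended, the comment above the write should say so. `check_and_generate_encryption_keys` starts outside the hunk, and the write sits just before its final `return ESP_OK`, so any earlier successful return in the function would skip it -- worth confirming.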
@@ -299,6 +300,11 @@ static void start_other_core(void) if(REG_GET_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL)){ REG_CLR_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL); } + // The following operation makes the Key Manager to use eFuse key for ECDSA and XTS-AES operation by default + // This is to keep the default behavior same as the other chips + // If the Key Manager configuration is already locked then following operation does not have any effect + // TODO-IDF 7925 (Move this under SOC_KEY_MANAGER_SUPPORTED) + REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 3); #endif ets_set_appcpu_boot_addr((uint32_t)call_start_cpu1); diff --git a/components/spi_flash/test_apps/.build-test-rules.yml b/components/spi_flash/test_apps/.build-test-rules.yml index eb48921719..873efbdf70 100644 --- a/components/spi_flash/test_apps/.build-test-rules.yml +++ b/components/spi_flash/test_apps/.build-test-rules.yml @@ -17,13 +17,10 @@ components/spi_flash/test_apps/esp_flash: components/spi_flash/test_apps/flash_encryption: disable_test: - - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2"] + - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2", "esp32p4"] temporary: true reason: No runners # IDF-5634 - disable: - - if: IDF_TARGET == "esp32p4" - temporary: true - reason: target esp32p4 is not supported yet # TODO: IDF-7545 + depends_components: - esp_mm - spi_flash diff --git a/components/spi_flash/test_apps/flash_encryption/README.md b/components/spi_flash/test_apps/flash_encryption/README.md index 304c4d955a..5e87c92c2a 100644 --- a/components/spi_flash/test_apps/flash_encryption/README.md +++ b/components/spi_flash/test_apps/flash_encryption/README.md 
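Review bot: The Key Manager default in the `@@ -299,6 +300,11 @@` hunk is applied inside `start_other_core()`, a function about releasing the second CPU from reset, while the comment describes a chip-wide security default ("use eFuse key for ECDSA and XTS-AES operation by default"). If `start_other_core()` is compiled out or not reached in a single-core configuration, the default is never applied on this target -- worth confirming, and if so the write belongs in the common start-up path rather than here. The existing TODO already says the block should move under `SOC_KEY_MANAGER_SUPPORTED`; extending it to `// TODO-IDF 7925: move under SOC_KEY_MANAGER_SUPPORTED and out of start_other_core() so single-core builds apply it too` keeps both concerns in one place. `start_other_core` begins outside the hunk.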
@@ -1,5 +1,5 @@ -| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-S2 | ESP32-S3 | -| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | +| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | +| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | ## Prepare runner diff --git a/docs/en/security/flash-encryption.rst b/docs/en/security/flash-encryption.rst index f8f93249f1..22db63990e 100644 --- a/docs/en/security/flash-encryption.rst +++ b/docs/en/security/flash-encryption.rst @@ -929,6 +929,7 @@ On the first boot, the flash encryption process burns by default the following e :SOC_EFUSE_DIS_PAD_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``DIS_PAD_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG. :SOC_EFUSE_HARD_DIS_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``HARD_DIS_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG. - ``DIS_DIRECT_BOOT`` (old name ``DIS_LEGACY_SPI_BOOT``) which disables direct boot mode + :SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI`` which disables the MSPI access in download mode. However, before the first boot you can choose to keep any of these features enabled by burning only selected eFuses and write-protect the rest of eFuses with unset value 0. For example: diff --git a/docs/en/security/host-based-security-workflows.rst b/docs/en/security/host-based-security-workflows.rst index 5753572f92..96855700d3 100644 --- a/docs/en/security/host-based-security-workflows.rst +++ b/docs/en/security/host-based-security-workflows.rst 
@@ -290,6 +290,7 @@ In this case, all the eFuses related to flash encryption are written with help o :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently :not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``: Disable UART bootloader encryption access + :SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``: Disable the MSPI access in download mode The respective eFuses can be burned by running: diff --git a/examples/security/.build-test-rules.yml b/examples/security/.build-test-rules.yml index 084469e45f..e24e449691 100644 --- a/examples/security/.build-test-rules.yml +++ b/examples/security/.build-test-rules.yml @@ -2,7 +2,7 @@ examples/security/flash_encryption: disable_test: - - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2"] + - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4"] temporary: true reason: lack of runners diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4 new file mode 100644 index 0000000000..8df40e73f4 --- /dev/null +++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4 @@ -0,0 +1,18 @@ +# FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH + +CONFIG_IDF_TARGET="esp32p4" + +CONFIG_PARTITION_TABLE_OFFSET=0xD000 +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv" + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem" +CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y + +CONFIG_SECURE_FLASH_ENC_ENABLED=y + +# IMPORTANT: ONLY VIRTUAL eFuse MODE! +CONFIG_EFUSE_VIRTUAL=y +CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y