bootloader_support: burn security efuses if flash encryption is enabled

Previously security eFuses were only burnt if the flash was not encrypted
yet.
To enhance robustness of the security eFuse settings their correct setup
should be verified on each bootup. Else it would be possible for an
already encrypted ESP to be reflashed with firmware containing updated,
more restrictive eFuse settings without them ever being applied.
Additionally this change enables easy, secure use of ESPs with host side
flash preencryption. Flash preencryption by the host computer performing
the programming procedure can speed up the programming process by a great
deal since the flash no longer needs to be read, erased and written again
by the bootloader self-encryption routines. Additionally it avoids
bricking of ESPs through interruption of the self-encryption procedure.
Without this change the host would have to set up all fuses in the ESP
correctly by itself, duplicating the fuse configuration code already
present in the bootloader and creating additional maintenance burden for
the host software if anything about the fuse setup logic changes.
This commit changes the security eFuse configuration logic to always burn
any configured security eFuses on bootup, regardless of current flash
encryption status.
Tobias Schramm
2024-06-17 11:00:05 +02:00
committed by 0xFEEDC0DE64
parent 1c43cecb72
commit 43575c2f85


@ -717,7 +717,25 @@ static void load_image(const esp_image_metadata_t *image_data)
*/
ESP_LOGI(TAG, "Checking flash encryption...");
bool flash_encryption_enabled = esp_flash_encrypt_state();
if (!flash_encryption_enabled) {
if (flash_encryption_enabled) {
#if BOOTLOADER_BUILD
/* Ensure security eFuses are burnt */
esp_efuse_batch_write_begin();
esp_err_t err = esp_flash_encryption_enable_secure_features();
if (err != ESP_OK) {
ESP_LOGE(TAG, "Error setting security eFuses (err=0x%x).", err);
esp_efuse_batch_write_cancel();
return;
}
err = esp_efuse_batch_write_commit();
if (err != ESP_OK) {
ESP_LOGE(TAG, "Error programming security eFuses (err=0x%x).", err);
return;
}
ESP_LOGI(TAG, "Security eFuses are burnt");
#endif // BOOTLOADER_BUILD
} else {
#ifdef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
return;
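Review bot: the failure path after `esp_efuse_batch_write_commit()` returns without `esp_efuse_batch_write_cancel()`, while the failure path after `esp_flash_encryption_enable_secure_features()` does cancel the batch; if a failed commit does not itself close the batch-write session, the two error paths should be made symmetric, e.g. `esp_efuse_batch_write_cancel();` before the `return;` that follows "Error programming security eFuses". Since the inverted condition means this block now runs on every boot of an already-encrypted device, the `/* Ensure security eFuses are burnt */` comment should also state that `esp_flash_encryption_enable_secure_features()` only burns bits that are not yet set, so a reader can see why repeated calls are safe on write-once eFuses, and it is worth documenting in the commit message that an eFuse commit failure on an encrypted device now aborts `load_image()` rather than continuing to boot.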