From d1fa51e3c9d583fb38fd3bca110c9b6ff8f4668a Mon Sep 17 00:00:00 2001 From: "nilesh.kale" Date: Tue, 12 Mar 2024 14:12:01 +0530 Subject: [PATCH] feat: enable flash encryption support for c5 This commit provide support for flash encryption feature in ESP32C5 --- .../src/flash_encryption/flash_encrypt.c | 22 ++- .../include/hal/spi_flash_encrypted_ll.h | 85 ++++---- .../soc/esp32c5/beta3/include/soc/soc_caps.h | 6 +- .../soc/esp32c5/mp/include/soc/soc_caps.h | 6 +- .../spi_flash/test_apps/.build-test-rules.yml | 6 +- .../test_apps/flash_encryption/README.md | 4 +- docs/docs_not_updated/esp32c5.txt | 1 - docs/en/security/esp32c5_log.inc | 184 +++++++++++++++++- docs/zh_CN/security/esp32c5_log.inc | 184 +++++++++++++++++- examples/security/.build-test-rules.yml | 6 +- examples/security/flash_encryption/README.md | 6 +- 11 files changed, 427 insertions(+), 83 deletions(-) diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index a0a48312e0..c33631bec4 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -16,10 +16,16 @@ #include "esp_log.h" #include "hal/wdt_hal.h" -#if SOC_KEY_MANAGER_SUPPORTED +// Need to remove check and merge accordingly for ESP32C5 once key manager support added in IDF-8621 +#if SOC_KEY_MANAGER_SUPPORTED || CONFIG_IDF_TARGET_ESP32C5 +#if CONFIG_IDF_TARGET_ESP32C5 +#include "soc/keymng_reg.h" +#include "hal/key_mgr_types.h" +#include "soc/pcr_reg.h" +#else #include "hal/key_mgr_hal.h" #include "hal/mspi_timing_tuning_ll.h" -#include "soc/keymng_reg.h" +#endif /* CONFIG_IDF_TARGET_ESP32C5 */ #endif #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK @@ -216,17 +222,17 @@ static esp_err_t check_and_generate_encryption_keys(void) } ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse"); } - -#if SOC_KEY_MANAGER_SUPPORTED -#if CONFIG_IDF_TARGET_ESP32C5 && SOC_KEY_MANAGER_SUPPORTED - // TODO: [ESP32C5] IDF-8622 find a more proper place for these codes - REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH); +// Need to remove check for ESP32C5 and merge accordingly once key manager support added in IDF-8621 +#if SOC_KEY_MANAGER_SUPPORTED || CONFIG_IDF_TARGET_ESP32C5 +#if CONFIG_IDF_TARGET_ESP32C5 + REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2); REG_SET_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN); REG_CLR_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN); -#endif +#else // Force Key Manager to use eFuse key for XTS-AES operation key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); _mspi_timing_ll_reset_mspi(); +#endif /* CONFIG_IDF_TARGET_ESP32C5 */ #endif return ESP_OK; diff --git a/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h index 30d0174744..23c6275a85 100644 --- a/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -15,7 +15,7 @@ #include #include #include "soc/hp_system_reg.h" -// #include "soc/xts_aes_reg.h" +#include "soc/spi_mem_reg.h" #include "soc/soc.h" #include "soc/soc_caps.h" #include "hal/assert.h" @@ -27,7 +27,6 @@ extern "C" { /// Choose type of chip you want to encrypt manually typedef enum { - // TODO: [ESP32C5] IDF-8622, IDF-8649 FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. PSRAM_ENCRYPTION_MANU = 1 ///!< Manually encrypt the psram chip. } flash_encrypt_ll_type_t; @@ -37,11 +36,15 @@ typedef enum */ static inline void spi_flash_encrypt_ll_enable(void) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // REG_SET_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, - // HP_SYSTEM_ENABLE_DOWNLOAD_MANUAL_ENCRYPT | - // HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); - abort(); +#if CONFIG_IDF_TARGET_ESP32C5_BETA3_VERSION + REG_SET_BIT(HP_SYS_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, + HP_SYS_ENABLE_DOWNLOAD_MANUAL_ENCRYPT | + HP_SYS_ENABLE_SPI_MANUAL_ENCRYPT); +#else + REG_SET_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, + HP_SYSTEM_ENABLE_DOWNLOAD_MANUAL_ENCRYPT | + HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); +#endif } /* @@ -49,14 +52,17 @@ static inline void spi_flash_encrypt_ll_enable(void) */ static inline void spi_flash_encrypt_ll_disable(void) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // REG_CLR_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, - // HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); - abort(); +#if CONFIG_IDF_TARGET_ESP32C5_BETA3_VERSION + REG_CLR_BIT(HP_SYS_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, + HP_SYS_ENABLE_SPI_MANUAL_ENCRYPT); +#else + REG_CLR_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, + HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); +#endif } /** - * Choose type of chip you want to encrypt manully + * Choose type of chip you want to encrypt manually * * @param type The type of chip to be encrypted * @@ -64,11 +70,9 @@ static inline void spi_flash_encrypt_ll_disable(void) */ static inline void spi_flash_encrypt_ll_type(flash_encrypt_ll_type_t type) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // // Our hardware only support flash encryption - // HAL_ASSERT(type == FLASH_ENCRYPTION_MANU); - // REG_SET_FIELD(XTS_AES_DESTINATION_REG(0), XTS_AES_DESTINATION, type); - abort(); + // Our hardware only support flash encryption + HAL_ASSERT(type == FLASH_ENCRYPTION_MANU); + REG_SET_FIELD(SPI_MEM_XTS_DESTINATION_REG(0), SPI_XTS_DESTINATION, type); } /** @@ -78,10 +82,8 @@ static inline void spi_flash_encrypt_ll_type(flash_encrypt_ll_type_t type) */ static inline void spi_flash_encrypt_ll_buffer_length(uint32_t size) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // // Desired block should not be larger than the block size. - // REG_SET_FIELD(XTS_AES_LINESIZE_REG(0), XTS_AES_LINESIZE, size >> 5); - abort(); + // Desired block should not be larger than the block size. + REG_SET_FIELD(SPI_MEM_XTS_LINESIZE_REG(0), SPI_XTS_LINESIZE, size >> 5); } /** @@ -94,11 +96,9 @@ static inline void spi_flash_encrypt_ll_buffer_length(uint32_t size) */ static inline void spi_flash_encrypt_ll_plaintext_save(uint32_t address, const uint32_t* buffer, uint32_t size) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // uint32_t plaintext_offs = (address % SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX); - // HAL_ASSERT(plaintext_offs + size <= SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX); - // memcpy((void *)(XTS_AES_PLAIN_MEM(0) + plaintext_offs), buffer, size); - abort(); + uint32_t plaintext_offs = (address % SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX); + HAL_ASSERT(plaintext_offs + size <= SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX); + memcpy((void *)(SPI_MEM_XTS_PLAIN_BASE_REG(0) + plaintext_offs), buffer, size); } /** @@ -108,9 +108,7 @@ static inline void spi_flash_encrypt_ll_plaintext_save(uint32_t address, const u */ static inline void spi_flash_encrypt_ll_address_save(uint32_t flash_addr) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // REG_SET_FIELD(XTS_AES_PHYSICAL_ADDRESS_REG(0), XTS_AES_PHYSICAL_ADDRESS, flash_addr); - abort(); + REG_SET_FIELD(SPI_MEM_XTS_PHYSICAL_ADDRESS_REG(0), SPI_XTS_PHYSICAL_ADDRESS, flash_addr); } /** @@ -118,9 +116,7 @@ static inline void spi_flash_encrypt_ll_address_save(uint32_t flash_addr) */ static inline void spi_flash_encrypt_ll_calculate_start(void) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // REG_SET_FIELD(XTS_AES_TRIGGER_REG(0), XTS_AES_TRIGGER, 1); - abort(); + REG_SET_FIELD(SPI_MEM_XTS_TRIGGER_REG(0), SPI_XTS_TRIGGER, 1); } /** @@ -128,10 +124,8 @@ static inline void spi_flash_encrypt_ll_calculate_start(void) */ static inline void spi_flash_encrypt_ll_calculate_wait_idle(void) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // while(REG_GET_FIELD(XTS_AES_STATE_REG(0), XTS_AES_STATE) == 0x1) { - // } - abort(); + while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_XTS_STATE) == 0x1) { + } } /** @@ -139,11 +133,9 @@ static inline void spi_flash_encrypt_ll_calculate_wait_idle(void) */ static inline void spi_flash_encrypt_ll_done(void) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // REG_SET_BIT(XTS_AES_RELEASE_REG(0), XTS_AES_RELEASE); - // while(REG_GET_FIELD(XTS_AES_STATE_REG(0), XTS_AES_STATE) != 0x3) { - // } - abort(); + REG_SET_BIT(SPI_MEM_XTS_RELEASE_REG(0), SPI_XTS_RELEASE); + while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_XTS_STATE) != 0x3) { + } } /** @@ -151,9 +143,7 @@ static inline void spi_flash_encrypt_ll_done(void) */ static inline void spi_flash_encrypt_ll_destroy(void) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // REG_SET_BIT(XTS_AES_DESTROY_REG(0), XTS_AES_DESTROY); - abort(); + REG_SET_BIT(SPI_MEM_XTS_DESTROY_REG(0), SPI_XTS_DESTROY); } /** @@ -164,10 +154,7 @@ static inline void spi_flash_encrypt_ll_destroy(void) */ static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length) { - // TODO: [ESP32C5] IDF-8622, IDF-8649 - // return ((address % length) == 0) ? true : false; - abort(); - return (bool)0; + return ((address % length) == 0) ? true : false; } #ifdef __cplusplus diff --git a/components/soc/esp32c5/beta3/include/soc/soc_caps.h b/components/soc/esp32c5/beta3/include/soc/soc_caps.h index 863a3d4d83..9d9b1bbaeb 100644 --- a/components/soc/esp32c5/beta3/include/soc/soc_caps.h +++ b/components/soc/esp32c5/beta3/include/soc/soc_caps.h @@ -55,7 +55,7 @@ #define SOC_DIG_SIGN_SUPPORTED 1 #define SOC_ECC_SUPPORTED 1 #define SOC_ECC_EXTENDED_MODES_SUPPORTED 1 -#define SOC_FLASH_ENC_SUPPORTED 1 // TODO: [ESP32C5] IDF-8622 +#define SOC_FLASH_ENC_SUPPORTED 1 #define SOC_SECURE_BOOT_SUPPORTED 1 // #define SOC_BOD_SUPPORTED 1 // TODO: [ESP32C5] IDF-8647 // #define SOC_APM_SUPPORTED 1 // TODO: [ESP32C5] IDF-8614, IDF-8615 @@ -474,9 +474,9 @@ #define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 /*-------------------------- Flash Encryption CAPS----------------------------*/ -#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) // TODO: [ESP32C5] IDF-8622 +#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 // TODO: [ESP32C5] IDF-8622 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /*------------------------ Anti DPA (Security) CAPS --------------------------*/ // #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED 1 diff --git a/components/soc/esp32c5/mp/include/soc/soc_caps.h b/components/soc/esp32c5/mp/include/soc/soc_caps.h index 252df8ac54..9f2762b069 100644 --- a/components/soc/esp32c5/mp/include/soc/soc_caps.h +++ b/components/soc/esp32c5/mp/include/soc/soc_caps.h @@ -53,7 +53,7 @@ #define SOC_DIG_SIGN_SUPPORTED 1 #define SOC_ECC_SUPPORTED 1 #define SOC_ECC_EXTENDED_MODES_SUPPORTED 1 -#define SOC_FLASH_ENC_SUPPORTED 1 // TODO: [ESP32C5] IDF-8622 +#define SOC_FLASH_ENC_SUPPORTED 1 #define SOC_SECURE_BOOT_SUPPORTED 1 // #define SOC_BOD_SUPPORTED 1 // TODO: [ESP32C5] IDF-8647 // #define SOC_APM_SUPPORTED 1 // TODO: [ESP32C5] IDF-8614, IDF-8615 @@ -475,9 +475,9 @@ #define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 /*-------------------------- Flash Encryption CAPS----------------------------*/ -#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) // TODO: [ESP32C5] IDF-8622 +#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 // TODO: [ESP32C5] IDF-8622 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /*------------------------ Anti DPA (Security) CAPS --------------------------*/ // #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED 1 diff --git a/components/spi_flash/test_apps/.build-test-rules.yml b/components/spi_flash/test_apps/.build-test-rules.yml index 01b9231ef6..0639ebde39 100644 --- a/components/spi_flash/test_apps/.build-test-rules.yml +++ b/components/spi_flash/test_apps/.build-test-rules.yml @@ -22,12 +22,8 @@ components/spi_flash/test_apps/esp_flash_stress: reason: not support yet # TODO: [ESP32C5] IDF-8715 components/spi_flash/test_apps/flash_encryption: - disable: - - if: IDF_TARGET == "esp32c5" - temporary: true - reason: not support yet # TODO: [ESP32C5] IDF-8622 disable_test: - - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2", "esp32p4"] + - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2", "esp32p4", "esp32c5"] temporary: true reason: No runners # IDF-5634 diff --git a/components/spi_flash/test_apps/flash_encryption/README.md b/components/spi_flash/test_apps/flash_encryption/README.md index 5e87c92c2a..458eaae092 100644 --- a/components/spi_flash/test_apps/flash_encryption/README.md +++ b/components/spi_flash/test_apps/flash_encryption/README.md @@ -1,5 +1,5 @@ -| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | -| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | +| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | +| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | ## Prepare runner diff --git a/docs/docs_not_updated/esp32c5.txt b/docs/docs_not_updated/esp32c5.txt index 389a6e87af..71b031a83e 100644 --- a/docs/docs_not_updated/esp32c5.txt +++ b/docs/docs_not_updated/esp32c5.txt @@ -222,7 +222,6 @@ api-reference/protocols/esp_tls.rst api-reference/protocols/mdns.rst api-reference/protocols/index.rst api-reference/protocols/asio.rst -security/flash-encryption.rst about.rst resources.rst migration-guides/release-5.x/5.2/ieee802154.rst diff --git a/docs/en/security/esp32c5_log.inc b/docs/en/security/esp32c5_log.inc index 64c5df4264..124feb16ec 100644 --- a/docs/en/security/esp32c5_log.inc +++ b/docs/en/security/esp32c5_log.inc @@ -3,7 +3,65 @@ .. code-block:: none - To be updated for C5 + rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT) + SPI mode:DIO, clock div:2 + load:0x40855c10,len:0x2c34 + load:0x4084c7a0,len:0x6f8 + load:0x4084e9a0,len:0x41c4 + entry 0x4084c804 + I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649-dirty 2nd stage bootloader + I (33) boot: compile time May 7 2024 17:31:13 + I (34) boot: chip revision: v0.0 + I (37) boot.esp32c5: SPI Speed : 40MHz + I (42) boot.esp32c5: SPI Mode : DIO + I (47) boot.esp32c5: SPI Flash Size : 2MB + I (52) boot: Enabling RNG early entropy source... + I (64) boot: Partition Table: + I (68) boot: ## Label Usage Type ST Offset Length + I (75) boot: 0 nvs WiFi data 01 02 0000e000 00006000 + I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000 + I (90) boot: 2 factory factory app 00 00 00020000 00100000 + I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000 + I (105) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000 + I (113) boot: End of partition table + I (117) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map + I (169) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004) load + I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map + I (256) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112) load + I (261) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352) load + I (269) boot: Loaded app from partition at offset 0x20000 + I (270) boot: Checking flash encryption... + I (273) efuse: Batch mode of writing fields is enabled + I (279) flash_encrypt: Generating new flash encryption key... + I (297) efuse: Writing EFUSE_BLK_KEY0 with purpose 4 + I (300) flash_encrypt: Disable UART bootloader encryption... + I (306) flash_encrypt: Disable JTAG... + I (312) efuse: BURN BLOCK4 + I (317) efuse: BURN BLOCK4 - OK (write block == read block) + I (320) efuse: BURN BLOCK0 + I (326) efuse: BURN BLOCK0 - OK (write block == read block) + I (330) efuse: Batch mode. Prepared fields are committed + I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02c34h ( 11316) + I (353) esp_image: segment 1: paddr=00004c5c vaddr=4084c7a0 size=006f8h ( 1784) + I (356) esp_image: segment 2: paddr=0000535c vaddr=4084e9a0 size=041c4h ( 16836) + I (1091) flash_encrypt: bootloader encrypted successfully + I (1182) flash_encrypt: partition table encrypted and loaded successfully + I (1183) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)... + I (1271) flash_encrypt: Done encrypting + I (1272) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map + I (1309) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004) + I (1336) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map + I (1395) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112) + I (1400) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352) + I (1405) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)... + I (24123) flash_encrypt: Done encrypting + I (24124) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)... + I (24215) flash_encrypt: Done encrypting + I (24216) flash_encrypt: Setting CRYPT_CNT for permanent encryption + I (24217) efuse: BURN BLOCK0 + I (24221) efuse: BURN BLOCK0 - OK (all write block bits are set) + I (24226) flash_encrypt: Flash encryption completed + I (24231) boot: Resetting with flash encryption enabled... ------ @@ -12,6 +70,128 @@ .. code-block:: none - To be updated for C5 + rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT) + SPI mode:DIO, clock div:2 + load:0x40855c10,len:0x2be8 + load:0x4084c7a0,len:0x6f8 + load:0x4084e9a0,len:0x418c + entry 0x4084c804 + I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader + I (33) boot: compile time May 7 2024 17:24:43 + I (34) boot: chip revision: v0.0 + I (37) boot.esp32c5: SPI Speed : 40MHz + I (42) boot.esp32c5: SPI Mode : DIO + I (46) boot.esp32c5: SPI Flash Size : 2MB + I (51) boot: Enabling RNG early entropy source... + I (64) boot: Partition Table: + I (67) boot: ## Label Usage Type ST Offset Length + I (74) boot: 0 nvs WiFi data 01 02 0000e000 00006000 + I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000 + I (89) boot: 2 factory factory app 00 00 00020000 00100000 + I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000 + I (104) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000 + I (113) boot: End of partition table + I (116) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map + E (125) fpga_rng: Project configuration is for internal FPGA use, RNG will not work + I (169) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load + I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map + I (256) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load + I (261) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load + I (269) boot: Loaded app from partition at offset 0x20000 + I (270) boot: Checking flash encryption... + I (273) efuse: Batch mode of writing fields is enabled + I (278) flash_encrypt: Generating new flash encryption key... + E (285) fpga_rng: Project configuration is for internal FPGA use, RNG will not work + I (295) efuse: Writing EFUSE_BLK_KEY0 with purpose 4 + W (300) flash_encrypt: Not disabling UART bootloader encryption + I (305) flash_encrypt: Disable JTAG... + I (312) efuse: BURN BLOCK4 + I (317) efuse: BURN BLOCK4 - OK (write block == read block) + I (319) efuse: BURN BLOCK0 + I (325) efuse: BURN BLOCK0 - OK (all write block bits are set) + I (330) efuse: Batch mode. Prepared fields are committed + I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02be8h ( 11240) + I (353) esp_image: segment 1: paddr=00004c10 vaddr=4084c7a0 size=006f8h ( 1784) + I (356) esp_image: segment 2: paddr=00005310 vaddr=4084e9a0 size=0418ch ( 16780) + I (1131) flash_encrypt: bootloader encrypted successfully + I (1229) flash_encrypt: partition table encrypted and loaded successfully + I (1230) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)... + I (1325) flash_encrypt: Done encrypting + I (1325) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map + I (1362) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) + I (1389) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map + I (1448) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) + I (1453) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) + I (1458) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)... + I (24332) flash_encrypt: Done encrypting + I (24332) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)... + I (24422) flash_encrypt: Done encrypting + I (24423) efuse: BURN BLOCK0 + I (24425) efuse: BURN BLOCK0 - OK (all write block bits are set) + I (24427) flash_encrypt: Flash encryption completed + I (24431) boot: Resetting with flash encryption enabled... + ESP-ROM:esp32c5-20240329 + Build:Mar 29 2024 + rst:0x3 (RTC_SW_HPSYS),boot:0x3d (SPI_FAST_FLASH_BOOT) + Core0 Saved PC:0x4084fe1c + use legacy efuse key + SPI mode:DIO, clock div:2 + load:0x40855c10,len:0x2be8 + load:0x4084c7a0,len:0x6f8 + load:0x4084e9a0,len:0x418c + entry 0x4084c804 + I (39) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader + I (40) boot: compile time May 7 2024 17:24:43 + I (41) boot: chip revision: v0.0 + I (44) boot.esp32c5: SPI Speed : 40MHz + I (48) boot.esp32c5: SPI Mode : DIO + I (53) boot.esp32c5: SPI Flash Size : 2MB + I (58) boot: Enabling RNG early entropy source... + I (70) boot: Partition Table: + I (74) boot: ## Label Usage Type ST Offset Length + I (81) boot: 0 nvs WiFi data 01 02 0000e000 00006000 + I (89) boot: 1 storage Unknown data 01 ff 00014000 00001000 + I (96) boot: 2 factory factory app 00 00 00020000 00100000 + I (103) boot: 3 nvs_key NVS keys 01 04 00120000 00001000 + I (111) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000 + I (119) boot: End of partition table + I (123) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map + I (177) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load + I (207) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map + I (269) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load + I (274) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load + I (283) boot: Loaded app from partition at offset 0x20000 + I (283) boot: Checking flash encryption... + I (286) flash_encrypt: flash encryption is enabled (1 plaintext flashes left) + I (294) boot: Disabling RNG early entropy source... + I (318) cpu_start: Unicore app + I (326) cpu_start: Pro cpu start user code + I (330) cpu_start: cpu freq: 40000000 Hz + I (335) app_init: Application information: + I (340) app_init: Project name: flash_encryption + I (345) app_init: App version: qa-test-v5.3-20240419-267-g5d36 + I (352) app_init: Compile time: May 7 2024 17:24:35 + I (358) app_init: ELF file SHA256: 712933cde... + I (364) app_init: ESP-IDF: v5.3-dev-3860-g5d36288649 + I (370) efuse_init: Min chip rev: v0.0 + I (375) efuse_init: Max chip rev: v0.99 + I (380) efuse_init: Chip rev: v0.0 + I (385) heap_init: Initializing. RAM available for dynamic allocation: + I (392) heap_init: At 408091A0 len 00051730 (325 KiB): RAM + I (398) heap_init: At 4085A8D0 len 00004C30 (19 KiB): RAM + I (404) heap_init: At 50000000 len 00003FE8 (15 KiB): RTCRAM + I (426) spi_flash: detected chip: generic + I (427) spi_flash: flash io: dio + W (431) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header. + W (445) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure) + I (452) nvs_sec_provider: NVS Encryption - Registering Flash encryption-based scheme... + I (466) main_task: Started on CPU0 + I (466) main_task: Calling app_main() + + Example to check Flash Encryption status + This is esp32c5 chip with 1 CPU core(s), WiFi/BLE, silicon revision v0.0, 2MB external flash + FLASH_CRYPT_CNT eFuse value is 1 + Flash encryption feature is enabled in DEVELOPMENT mode + ------ diff --git a/docs/zh_CN/security/esp32c5_log.inc b/docs/zh_CN/security/esp32c5_log.inc index 64c5df4264..124feb16ec 100644 --- a/docs/zh_CN/security/esp32c5_log.inc +++ b/docs/zh_CN/security/esp32c5_log.inc @@ -3,7 +3,65 @@ .. code-block:: none - To be updated for C5 + rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT) + SPI mode:DIO, clock div:2 + load:0x40855c10,len:0x2c34 + load:0x4084c7a0,len:0x6f8 + load:0x4084e9a0,len:0x41c4 + entry 0x4084c804 + I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649-dirty 2nd stage bootloader + I (33) boot: compile time May 7 2024 17:31:13 + I (34) boot: chip revision: v0.0 + I (37) boot.esp32c5: SPI Speed : 40MHz + I (42) boot.esp32c5: SPI Mode : DIO + I (47) boot.esp32c5: SPI Flash Size : 2MB + I (52) boot: Enabling RNG early entropy source... + I (64) boot: Partition Table: + I (68) boot: ## Label Usage Type ST Offset Length + I (75) boot: 0 nvs WiFi data 01 02 0000e000 00006000 + I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000 + I (90) boot: 2 factory factory app 00 00 00020000 00100000 + I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000 + I (105) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000 + I (113) boot: End of partition table + I (117) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map + I (169) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004) load + I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map + I (256) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112) load + I (261) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352) load + I (269) boot: Loaded app from partition at offset 0x20000 + I (270) boot: Checking flash encryption... + I (273) efuse: Batch mode of writing fields is enabled + I (279) flash_encrypt: Generating new flash encryption key... + I (297) efuse: Writing EFUSE_BLK_KEY0 with purpose 4 + I (300) flash_encrypt: Disable UART bootloader encryption... + I (306) flash_encrypt: Disable JTAG... + I (312) efuse: BURN BLOCK4 + I (317) efuse: BURN BLOCK4 - OK (write block == read block) + I (320) efuse: BURN BLOCK0 + I (326) efuse: BURN BLOCK0 - OK (write block == read block) + I (330) efuse: Batch mode. Prepared fields are committed + I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02c34h ( 11316) + I (353) esp_image: segment 1: paddr=00004c5c vaddr=4084c7a0 size=006f8h ( 1784) + I (356) esp_image: segment 2: paddr=0000535c vaddr=4084e9a0 size=041c4h ( 16836) + I (1091) flash_encrypt: bootloader encrypted successfully + I (1182) flash_encrypt: partition table encrypted and loaded successfully + I (1183) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)... + I (1271) flash_encrypt: Done encrypting + I (1272) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map + I (1309) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004) + I (1336) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map + I (1395) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112) + I (1400) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352) + I (1405) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)... + I (24123) flash_encrypt: Done encrypting + I (24124) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)... + I (24215) flash_encrypt: Done encrypting + I (24216) flash_encrypt: Setting CRYPT_CNT for permanent encryption + I (24217) efuse: BURN BLOCK0 + I (24221) efuse: BURN BLOCK0 - OK (all write block bits are set) + I (24226) flash_encrypt: Flash encryption completed + I (24231) boot: Resetting with flash encryption enabled... ------ @@ -12,6 +70,128 @@ .. code-block:: none - To be updated for C5 + rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT) + SPI mode:DIO, clock div:2 + load:0x40855c10,len:0x2be8 + load:0x4084c7a0,len:0x6f8 + load:0x4084e9a0,len:0x418c + entry 0x4084c804 + I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader + I (33) boot: compile time May 7 2024 17:24:43 + I (34) boot: chip revision: v0.0 + I (37) boot.esp32c5: SPI Speed : 40MHz + I (42) boot.esp32c5: SPI Mode : DIO + I (46) boot.esp32c5: SPI Flash Size : 2MB + I (51) boot: Enabling RNG early entropy source... + I (64) boot: Partition Table: + I (67) boot: ## Label Usage Type ST Offset Length + I (74) boot: 0 nvs WiFi data 01 02 0000e000 00006000 + I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000 + I (89) boot: 2 factory factory app 00 00 00020000 00100000 + I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000 + I (104) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000 + I (113) boot: End of partition table + I (116) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map + E (125) fpga_rng: Project configuration is for internal FPGA use, RNG will not work + I (169) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load + I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map + I (256) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load + I (261) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load + I (269) boot: Loaded app from partition at offset 0x20000 + I (270) boot: Checking flash encryption... + I (273) efuse: Batch mode of writing fields is enabled + I (278) flash_encrypt: Generating new flash encryption key... + E (285) fpga_rng: Project configuration is for internal FPGA use, RNG will not work + I (295) efuse: Writing EFUSE_BLK_KEY0 with purpose 4 + W (300) flash_encrypt: Not disabling UART bootloader encryption + I (305) flash_encrypt: Disable JTAG... + I (312) efuse: BURN BLOCK4 + I (317) efuse: BURN BLOCK4 - OK (write block == read block) + I (319) efuse: BURN BLOCK0 + I (325) efuse: BURN BLOCK0 - OK (all write block bits are set) + I (330) efuse: Batch mode. Prepared fields are committed + I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02be8h ( 11240) + I (353) esp_image: segment 1: paddr=00004c10 vaddr=4084c7a0 size=006f8h ( 1784) + I (356) esp_image: segment 2: paddr=00005310 vaddr=4084e9a0 size=0418ch ( 16780) + I (1131) flash_encrypt: bootloader encrypted successfully + I (1229) flash_encrypt: partition table encrypted and loaded successfully + I (1230) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)... + I (1325) flash_encrypt: Done encrypting + I (1325) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map + I (1362) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) + I (1389) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map + I (1448) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) + I (1453) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) + I (1458) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)... + I (24332) flash_encrypt: Done encrypting + I (24332) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)... + I (24422) flash_encrypt: Done encrypting + I (24423) efuse: BURN BLOCK0 + I (24425) efuse: BURN BLOCK0 - OK (all write block bits are set) + I (24427) flash_encrypt: Flash encryption completed + I (24431) boot: Resetting with flash encryption enabled... + ESP-ROM:esp32c5-20240329 + Build:Mar 29 2024 + rst:0x3 (RTC_SW_HPSYS),boot:0x3d (SPI_FAST_FLASH_BOOT) + Core0 Saved PC:0x4084fe1c + use legacy efuse key + SPI mode:DIO, clock div:2 + load:0x40855c10,len:0x2be8 + load:0x4084c7a0,len:0x6f8 + load:0x4084e9a0,len:0x418c + entry 0x4084c804 + I (39) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader + I (40) boot: compile time May 7 2024 17:24:43 + I (41) boot: chip revision: v0.0 + I (44) boot.esp32c5: SPI Speed : 40MHz + I (48) boot.esp32c5: SPI Mode : DIO + I (53) boot.esp32c5: SPI Flash Size : 2MB + I (58) boot: Enabling RNG early entropy source... + I (70) boot: Partition Table: + I (74) boot: ## Label Usage Type ST Offset Length + I (81) boot: 0 nvs WiFi data 01 02 0000e000 00006000 + I (89) boot: 1 storage Unknown data 01 ff 00014000 00001000 + I (96) boot: 2 factory factory app 00 00 00020000 00100000 + I (103) boot: 3 nvs_key NVS keys 01 04 00120000 00001000 + I (111) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000 + I (119) boot: End of partition table + I (123) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map + I (177) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load + I (207) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map + I (269) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load + I (274) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load + I (283) boot: Loaded app from partition at offset 0x20000 + I (283) boot: Checking flash encryption... + I (286) flash_encrypt: flash encryption is enabled (1 plaintext flashes left) + I (294) boot: Disabling RNG early entropy source... + I (318) cpu_start: Unicore app + I (326) cpu_start: Pro cpu start user code + I (330) cpu_start: cpu freq: 40000000 Hz + I (335) app_init: Application information: + I (340) app_init: Project name: flash_encryption + I (345) app_init: App version: qa-test-v5.3-20240419-267-g5d36 + I (352) app_init: Compile time: May 7 2024 17:24:35 + I (358) app_init: ELF file SHA256: 712933cde... + I (364) app_init: ESP-IDF: v5.3-dev-3860-g5d36288649 + I (370) efuse_init: Min chip rev: v0.0 + I (375) efuse_init: Max chip rev: v0.99 + I (380) efuse_init: Chip rev: v0.0 + I (385) heap_init: Initializing. RAM available for dynamic allocation: + I (392) heap_init: At 408091A0 len 00051730 (325 KiB): RAM + I (398) heap_init: At 4085A8D0 len 00004C30 (19 KiB): RAM + I (404) heap_init: At 50000000 len 00003FE8 (15 KiB): RTCRAM + I (426) spi_flash: detected chip: generic + I (427) spi_flash: flash io: dio + W (431) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header. + W (445) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure) + I (452) nvs_sec_provider: NVS Encryption - Registering Flash encryption-based scheme... + I (466) main_task: Started on CPU0 + I (466) main_task: Calling app_main() + + Example to check Flash Encryption status + This is esp32c5 chip with 1 CPU core(s), WiFi/BLE, silicon revision v0.0, 2MB external flash + FLASH_CRYPT_CNT eFuse value is 1 + Flash encryption feature is enabled in DEVELOPMENT mode + ------ diff --git a/examples/security/.build-test-rules.yml b/examples/security/.build-test-rules.yml index 83414310bd..c540531f55 100644 --- a/examples/security/.build-test-rules.yml +++ b/examples/security/.build-test-rules.yml @@ -1,12 +1,8 @@ # Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps examples/security/flash_encryption: - disable: - - if: IDF_TARGET == "esp32c5" - temporary: true - reason: not supported yet # TODO: [ESP32C5] IDF-8622 disable_test: - - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4"] + - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4", "esp32c5"] temporary: true reason: lack of runners diff --git a/examples/security/flash_encryption/README.md b/examples/security/flash_encryption/README.md index 8df1c62965..c499289ff5 100644 --- a/examples/security/flash_encryption/README.md +++ b/examples/security/flash_encryption/README.md @@ -1,5 +1,5 @@ -| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | -| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | +| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | +| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | # Flash Encryption @@ -32,7 +32,7 @@ The configuration for NVS encryption involves generating the XTS encryption keys When NVS encryption is enabled the `nvs_flash_init` API function can internally generate the XTS encryption keys on the ESP chip. The API function finds the first [NVS key partition](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#nvs-key-partition) i.e. a partition of type `data` and subtype `nvs_keys`. Then the API function automatically generates and stores the - nvs keys in that partition. New keys are generated and stored only when the respective key partiton is empty. (Consult the [`nvs_flash_init`](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#_CPPv414nvs_flash_initv) API documentation in the ESP-IDF programming guide for more details). + nvs keys in that partition. New keys are generated and stored only when the respective key partition is empty. (Consult the [`nvs_flash_init`](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#_CPPv414nvs_flash_initv) API documentation in the ESP-IDF programming guide for more details). **Please note that `nvs_keys` partition must be completely erased before starting the application. Otherwise the application may generate `ESP_ERR_NVS_CORRUPT_KEY_PART` error code assuming that `nvs_keys` partition was not empty and contains malformatted data.**