From 9e3424709aa24f909fd49d91e4aa58381e184804 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Thu, 11 Apr 2024 15:12:01 +0530 Subject: [PATCH] fix(bootloader_support): Allow SOFT_DIS_JTAG in verify_release_mode --- .../bootloader_support/src/flash_encrypt.c | 55 ++++++++++++------- .../bootloader_support/src/secure_boot.c | 53 ++++++++++-------- 2 files changed, 67 insertions(+), 41 deletions(-) diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 4c0cf8615a..5b37480dc2 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -357,23 +357,48 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)"); } #endif - -#if SOC_EFUSE_DIS_PAD_JTAG - secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); - result &= secure; - if (!secure) { - ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + bool soft_dis_jtag = false; +#if SOC_EFUSE_SOFT_DIS_JTAG + size_t soft_dis_jtag_cnt_val = 0; + esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val); + soft_dis_jtag = (soft_dis_jtag_cnt_val == ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count); + if (soft_dis_jtag) { + bool hmac_key_found = false; + hmac_key_found = esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG, NULL); + hmac_key_found |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL, NULL); + if (!hmac_key_found) { + ESP_LOGW(TAG, "SOFT_DIS_JTAG is set but HMAC key with respective purpose not found"); + soft_dis_jtag = false; + } } #endif + if (!soft_dis_jtag) { +#if SOC_EFUSE_DIS_PAD_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } +#endif + #if SOC_EFUSE_DIS_USB_JTAG - secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); - result &= secure; - if (!secure) { - ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); - } + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } #endif +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + } + #if SOC_EFUSE_DIS_DIRECT_BOOT secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); result &= secure; @@ -382,14 +407,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) } #endif -#if SOC_EFUSE_HARD_DIS_JTAG - secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); - result &= secure; - if (!secure) { - ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); - } -#endif - #if SOC_EFUSE_DIS_BOOT_REMAP secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); result &= secure; diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c index 9015bdfd5a..b077469e04 100644 --- a/components/bootloader_support/src/secure_boot.c +++ b/components/bootloader_support/src/secure_boot.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -298,38 +298,47 @@ bool esp_secure_boot_cfg_verify_release_mode(void) } #endif -#if SOC_EFUSE_HARD_DIS_JTAG - secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); - result &= secure; - if (!secure) { - ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); - } -#endif - + bool soft_dis_jtag = false; #if SOC_EFUSE_SOFT_DIS_JTAG size_t soft_dis_jtag_cnt_val = 0; esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val); - if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) { - result &= secure; - ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)"); + soft_dis_jtag = (soft_dis_jtag_cnt_val == ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count); + if (soft_dis_jtag) { + bool hmac_key_found = false; + hmac_key_found = esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG, NULL); + hmac_key_found |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL, NULL); + if (!hmac_key_found) { + ESP_LOGW(TAG, "SOFT_DIS_JTAG is set but HMAC key with respective purpose not found"); + soft_dis_jtag = false; + } } #endif + if (!soft_dis_jtag) { +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + #if SOC_EFUSE_DIS_PAD_JTAG - secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); - result &= secure; - if (!secure) { - ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); - } + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } #endif #if SOC_EFUSE_DIS_USB_JTAG - secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); - result &= secure; - if (!secure) { - ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); - } + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } #endif + } #ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);