feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

fix(bootloader_support): Allow SOFT_DIS_JTAG in verify_release_mode

Browse Source
This commit is contained in:
Aditya Patwardhan
2024-04-11 15:12:01 +05:30
parent 92b42310b1
commit 9e3424709a
2 changed files with 67 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
components/bootloader_support/src/flash_encrypt.c
View File

@@ -357,7 +357,23 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)"); ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
} }
#endif #endif
bool soft_dis_jtag = false;
#if SOC_EFUSE_SOFT_DIS_JTAG
size_t soft_dis_jtag_cnt_val = 0;
esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
soft_dis_jtag = (soft_dis_jtag_cnt_val == ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count);
if (soft_dis_jtag) {
bool hmac_key_found = false;
hmac_key_found = esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG, NULL);
hmac_key_found |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL, NULL);
if (!hmac_key_found) {
ESP_LOGW(TAG, "SOFT_DIS_JTAG is set but HMAC key with respective purpose not found");
soft_dis_jtag = false;
}
}
#endif
if (!soft_dis_jtag) {
#if SOC_EFUSE_DIS_PAD_JTAG #if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
result &= secure; result &= secure;
@@ -374,14 +390,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
} }
#endif #endif
#if SOC_EFUSE_DIS_DIRECT_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
}
#endif
#if SOC_EFUSE_HARD_DIS_JTAG #if SOC_EFUSE_HARD_DIS_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
result &= secure; result &= secure;
@@ -389,6 +397,15 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
} }
#endif #endif
}
#if SOC_EFUSE_DIS_DIRECT_BOOT
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
}
#endif
#if SOC_EFUSE_DIS_BOOT_REMAP #if SOC_EFUSE_DIS_BOOT_REMAP
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);

29
components/bootloader_support/src/secure_boot.c
View File

@@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@@ -298,6 +298,23 @@ bool esp_secure_boot_cfg_verify_release_mode(void)
} }
#endif #endif
bool soft_dis_jtag = false;
#if SOC_EFUSE_SOFT_DIS_JTAG
size_t soft_dis_jtag_cnt_val = 0;
esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
soft_dis_jtag = (soft_dis_jtag_cnt_val == ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count);
if (soft_dis_jtag) {
bool hmac_key_found = false;
hmac_key_found = esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG, NULL);
hmac_key_found |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL, NULL);
if (!hmac_key_found) {
ESP_LOGW(TAG, "SOFT_DIS_JTAG is set but HMAC key with respective purpose not found");
soft_dis_jtag = false;
}
}
#endif
if (!soft_dis_jtag) {
#if SOC_EFUSE_HARD_DIS_JTAG #if SOC_EFUSE_HARD_DIS_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
result &= secure; result &= secure;
@@ -306,15 +323,6 @@ bool esp_secure_boot_cfg_verify_release_mode(void)
} }
#endif #endif
#if SOC_EFUSE_SOFT_DIS_JTAG
size_t soft_dis_jtag_cnt_val = 0;
esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) {
result &= secure;
ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)");
}
#endif
#if SOC_EFUSE_DIS_PAD_JTAG #if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
result &= secure; result &= secure;
@@ -330,6 +338,7 @@ bool esp_secure_boot_cfg_verify_release_mode(void)
ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
} }
#endif #endif
}
#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE #ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE); secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);