bootloader/ ESP32_ECO3: Do not disable UART download mode by default

components/bootloader/Kconfig.projbuild

@@ -502,8 +502,6 @@ menu "Security features"
         config SECURE_BOOT_V2_ENABLED
             bool "Enable Secure Boot version 2"
             depends on SECURE_BOOT_SUPPORTS_RSA
-            select SECURE_ENABLE_SECURE_ROM_DL_MODE if !IDF_TARGET_ESP32 && !SECURE_INSECURE_ALLOW_DL_MODE && !SECURE_DISABLE_ROM_DL_MODE # NOERROR
-            select SECURE_DISABLE_ROM_DL_MODE if ESP32_REV_MIN_3 && !SECURE_INSECURE_ALLOW_DL_MODE
             help
                 Build a bootloader which enables Secure Boot version 2 on first boot.
                 Refer to Secure Boot V2 section of the ESP-IDF Programmer's Guide for this version before enabling.
@@ -672,8 +670,6 @@ menu "Security features"
 
         config SECURE_FLASH_ENCRYPTION_MODE_RELEASE
             bool "Release"
-            select SECURE_ENABLE_SECURE_ROM_DL_MODE if SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_DISABLE_ROM_DL_MODE # NOERROR
-
     endchoice
 
     menu "Potentially insecure options"
@@ -738,19 +734,6 @@ menu "Security features"
                 key digest, causing an immediate denial of service and possibly allowing an additional fault
                 injection attack to bypass the signature protection.
 
-        config SECURE_INSECURE_ALLOW_DL_MODE
-            bool "Don't automatically restrict UART download mode"
-            depends on SECURE_BOOT_INSECURE && SECURE_BOOT_V2_ENABLED
-            default N
-            help
-                By default, enabling either flash encryption in release mode or secure boot will automatically
-                disable UART download mode on ESP32 ECO3, or enable secure download mode on newer chips.
-                This is recommended to reduce the attack surface of the chip.
-
-                To allow the full UART download mode to stay enabled, enable this option and ensure
-                the options SECURE_DISABLE_ROM_DL_MODE and SECURE_ENABLE_SECURE_ROM_DL_MODE are disabled as applicable.
-                This is not recommended.
-
         config SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
             bool "Leave UART bootloader encryption enabled"
             depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
@@ -798,47 +781,58 @@ menu "Security features"
 
     endmenu  # Potentially Insecure
 
-    config SECURE_DISABLE_ROM_DL_MODE
-        bool "Permanently disable ROM Download Mode"
+    choice SECURE_UART_ROM_DL_MODE
+        bool "UART ROM download mode"
+        default SECURE_ENABLE_SECURE_ROM_DL_MODE if SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT # NOERROR
+        default SECURE_INSECURE_ALLOW_DL_MODE
+        depends on SECURE_BOOT_V2_ENABLED || SECURE_FLASH_ENC_ENABLED
         depends on !IDF_TARGET_ESP32 || ESP32_REV_MIN_3
-        default n
-        help
-            If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM
-            Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools.
 
-            Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode
-            then an error is printed instead.
+        config SECURE_DISABLE_ROM_DL_MODE
+            bool "UART ROM download mode (Permanently disabled (recommended))"
+            help
+                If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM
+                Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools.
 
-            It is recommended to enable this option in any production application where Flash
-            Encryption and/or Secure Boot is enabled and access to Download Mode is not required.
+                Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode
+                then an error is printed instead.
 
-            It is also possible to permanently disable Download Mode by calling
-            esp_efuse_disable_rom_download_mode() at runtime.
+                It is recommended to enable this option in any production application where Flash
+                Encryption and/or Secure Boot is enabled and access to Download Mode is not required.
 
-    config SECURE_ENABLE_SECURE_ROM_DL_MODE
-        bool "Permanently switch to ROM UART Secure Download mode"
-        depends on SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_DISABLE_ROM_DL_MODE
-        select ESPTOOLPY_NO_STUB
-        help
-            If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM
-            Download Mode into a separate Secure Download mode. This option can only work if
-            Download Mode is not already disabled by eFuse.
+                It is also possible to permanently disable Download Mode by calling
+                esp_efuse_disable_rom_download_mode() at runtime.
 
-            Secure Download mode limits the use of Download Mode functions to simple flash read,
-            write and erase operations, plus a command to return a summary of currently enabled
-            security features.
+        config SECURE_ENABLE_SECURE_ROM_DL_MODE
+            bool "UART ROM download mode (Permanently switch to Secure mode (recommended))"
+            depends on SECURE_TARGET_HAS_SECURE_ROM_DL_MODE
+            select ESPTOOLPY_NO_STUB
+            help
+                If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM
+                Download Mode into a separate Secure Download mode. This option can only work if
+                Download Mode is not already disabled by eFuse.
 
-            Secure Download mode is not compatible with the esptool.py flasher stub feature,
-            espefuse.py, read/writing memory or registers, encrypted download, or any other
-            features that interact with unsupported Download Mode commands.
+                Secure Download mode limits the use of Download Mode functions to simple flash read,
+                write and erase operations, plus a command to return a summary of currently enabled
+                security features.
 
-            Secure Download mode should be enabled in any application where Flash Encryption
-            and/or Secure Boot is enabled. Disabling this option does not immediately cancel
-            the benefits of the security features, but it increases the potential "attack
-            surface" for an attacker to try and bypass them with a successful physical attack.
+                Secure Download mode is not compatible with the esptool.py flasher stub feature,
+                espefuse.py, read/writing memory or registers, encrypted download, or any other
+                features that interact with unsupported Download Mode commands.
 
-            It is also possible to enable secure download mode at runtime by calling
-            esp_efuse_enable_rom_secure_download_mode()
+                Secure Download mode should be enabled in any application where Flash Encryption
+                and/or Secure Boot is enabled. Disabling this option does not immediately cancel
+                the benefits of the security features, but it increases the potential "attack
+                surface" for an attacker to try and bypass them with a successful physical attack.
 
+                It is also possible to enable secure download mode at runtime by calling
+                esp_efuse_enable_rom_secure_download_mode()
 
+        config SECURE_INSECURE_ALLOW_DL_MODE
+            bool "UART ROM download mode (Enabled (not recommended))"
+            help
+                This is a potentially insecure option.
+                Enabling this option will allow the full UART download mode to stay enabled.
+                This option SHOULD NOT BE ENABLED for production use cases.
+    endchoice
 endmenu  # Security features

docs/en/security/flash-encryption.rst

@@ -257,6 +257,8 @@ To test flash encryption process, take the following steps:
 
     - :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
     - :ref:`Select encryption mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (**Development mode** by default)
+    :esp32: - :ref: `Select UART ROM download mode <CONFIG_SECURE_UART_ROM_DL_MODE>` (**enabled** by default. Note that for the esp32 target, the choice is only available when :ref:`CONFIG_ESP32_REV_MIN` level is set to 3 (ESP32 V3)).
+    :not esp32: - :ref: `Select UART ROM download mode <CONFIG_SECURE_UART_ROM_DL_MODE>` (**enabled** by default.)
     :esp32s2: - Set :ref:`Size of generated AES-XTS key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`
     - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
     - Save the configuration and exit.
@@ -438,7 +440,9 @@ To use this mode, take the following steps:
 
     - :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
     :esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (Note that once Release mode is selected, the ``DISABLE_DL_ENCRYPT`` and ``DISABLE_DL_DECRYPT`` eFuse bits will be burned to disable UART bootloader access to flash contents)
+    :esp32: - :ref:`Select UART ROM download mode <CONFIG_SECURE_UART_ROM_DL_MODE>` (Note that this option is only available when :ref:`CONFIG_ESP32_REV_MIN` is set to 3 (ESP32 V3). The default choice is to keep it enabled (insecure). This has been done in order to prevent permanently disabling of the UART download mode by default.)
     :not esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (Note that once Release mode is selected, the ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse bit will be burned to disable UART bootloader access to flash contents)
+    :not esp32: - :ref:`Select UART ROM download mode <CONFIG_SECURE_UART_ROM_DL_MODE>` (By default the option to permanently switch to UART ROM Secure download mode is selected)
     - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
     - Save the configuration and exit.
 
@@ -472,8 +476,8 @@ When using Flash Encryption in production:
 .. list::
 
    - Do not reuse the same flash encryption key between multiple devices. This means that an attacker who copies encrypted data from one device cannot transfer it to a second device.
-   :esp32: - When using ESP32 V3, if the UART ROM Download Mode is not needed for a production device then it should be disabled to provide an extra level of protection. Do this by calling :cpp:func:`esp_efuse_disable_rom_download_mode` during application startup. Alternatively, configure the project :ref:`CONFIG_ESP32_REV_MIN` level to 3 (targeting ESP32 V3 only) and enable :ref:`CONFIG_SECURE_DISABLE_ROM_DL_MODE`. The ability to disable ROM Download Mode is not available on earlier ESP32 versions.
-   :not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to basic flash read and write only. The default behaviour is to set Secure Download Mode on first boot in Release mode. To disable Download Mode entirely, enable configuration option :ref:`CONFIG_SECURE_DISABLE_ROM_DL_MODE` or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime.
+   :esp32: - When using ESP32 V3, if the UART ROM Download Mode is not needed for a production device then it should be disabled to provide an extra level of protection. Do this by calling :cpp:func:`esp_efuse_disable_rom_download_mode` during application startup. Alternatively, configure the project :ref:`CONFIG_ESP32_REV_MIN` level to 3 (targeting ESP32 V3 only) and select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)". The ability to disable ROM Download Mode is not available on earlier ESP32 versions.
+   :not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to basic flash read and write only. The default behaviour is to set Secure Download Mode on first boot in Release mode. To disable Download Mode entirely select select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime.
    :not esp32c3: - Enable :doc:`Secure Boot <secure-boot-v2>` as an extra layer of protection, and to prevent an attacker from selectively corrupting any part of the flash before boot.
    :esp32c3: - Enable Secure Boot (not supported yet) as an extra layer of protection, and to prevent an attacker from selectively corrupting any part of the flash before boot.
 
@@ -945,4 +949,4 @@ The following sections provide some reference information about the operation of
 
   - The flash encryption key is stored in one ``BLOCK_KEYN`` eFuse and, by default, is protected from further writes or software readout.
 
-  - To see the full flash encryption algorithm implemented in Python, refer to the `_flash_encryption_operation()` function in the ``espsecure.py`` source code.
+  - To see the full flash encryption algorithm implemented in Python, refer to the `_flash_encryption_operation()` function in the ``espsecure.py`` source code.

docs/en/security/secure-boot-v2.rst

@@ -169,16 +169,18 @@ How To Enable Secure Boot V2
     2. For ESP32, Secure Boot V2 is available only ESP32 ECO3 onwards. To view the "Secure Boot V2" option the chip revision should be changed to revision 3 (ESP32- ECO3). To change the chip revision, set "Minimum Supported ESP32 Revision" to Rev 3 in "Component Config" -> "ESP32- Specific".
 
     3. Specify the secure boot signing key path. The file can be anywhere on your system. A relative path will be evaluated from the project directory. The file does not need to exist yet.
+    4. Select the UART ROM download mode in "Security features -> UART ROM download mode". By default the UART ROM download mode has been kept enabled in order to prevent permanently disabling it in the development phase, this option is a potentially insecure option. It is recommended to disable the UART download mode for better security.
 
 .. only:: esp32s2
 
     2. The "Secure Boot V2" option will be selected and the "App Signing Scheme" would be set to RSA by default.
 
     3. Select the number of keys to be used to sign the bootloader binary and chose one of them to sign the application. Specify the secure boot signing key paths for each one of these. The file can be anywhere on your system. A relative path will be evaluated from the project directory. The file does not need to exist yet.
+    4. Select the UART ROM download mode in "Security features -> UART ROM download mode".
 
-4. Set other menuconfig options (as desired). Pay particular attention to the "Bootloader Config" options, as you can only flash the bootloader once. Then exit menuconfig and save your configuration.
+5. Set other menuconfig options (as desired). Pay particular attention to the "Bootloader Config" options, as you can only flash the bootloader once. Then exit menuconfig and save your configuration.
 
-5. The first time you run ``make`` or ``idf.py build``, if the signing key is not found then an error message will be printed with a command to generate a signing key via ``espsecure.py generate_signing_key``.
+6. The first time you run ``make`` or ``idf.py build``, if the signing key is not found then an error message will be printed with a command to generate a signing key via ``espsecure.py generate_signing_key``.
 
 .. important::
    A signing key generated this way will use the best random number source available to the OS and its Python installation (`/dev/urandom` on OSX/Linux and `CryptGenRandom()` on Windows). If this random number source is weak, then the private key will be weak.
@@ -186,21 +188,21 @@ How To Enable Secure Boot V2
 .. important::
    For production environments, we recommend generating the keypair using openssl or another industry standard encryption program. See :ref:`secure-boot-v2-generate-key` for more details.
 
-6. Run ``idf.py bootloader`` to build a secure boot enabled bootloader. The build output will include a prompt for a flashing command, using ``esptool.py write_flash``.
+7. Run ``idf.py bootloader`` to build a secure boot enabled bootloader. The build output will include a prompt for a flashing command, using ``esptool.py write_flash``.
 
-7. When you're ready to flash the bootloader, run the specified command (you have to enter it yourself, this step is not performed by the build system) and then wait for flashing to complete.
+8. When you're ready to flash the bootloader, run the specified command (you have to enter it yourself, this step is not performed by the build system) and then wait for flashing to complete.
 
-8. Run ``idf.py flash`` to build and flash the partition table and the just-built app image. The app image will be signed using the signing key you generated in step 4.
+9. Run ``idf.py flash`` to build and flash the partition table and the just-built app image. The app image will be signed using the signing key you generated in step 4.
 
 .. note:: ``idf.py flash`` doesn't flash the bootloader if secure boot is enabled.
 
-9. Reset the {IDF_TARGET_NAME} and it will boot the software bootloader you flashed. The software bootloader will enable secure boot on the chip, and then it verifies the app image signature and boots the app. You should watch the serial console output from the {IDF_TARGET_NAME} to verify that secure boot is enabled and no errors have occurred due to the build configuration.
+10. Reset the {IDF_TARGET_NAME} and it will boot the software bootloader you flashed. The software bootloader will enable secure boot on the chip, and then it verifies the app image signature and boots the app. You should watch the serial console output from the {IDF_TARGET_NAME} to verify that secure boot is enabled and no errors have occurred due to the build configuration.
 
 .. note:: Secure boot won't be enabled until after a valid partition table and app image have been flashed. This is to prevent accidents before the system is fully configured.
 
 .. note:: If the {IDF_TARGET_NAME} is reset or powered down during the first boot, it will start the process again on the next boot.
 
-10. On subsequent boots, the secure boot hardware will verify the software bootloader has not changed and the software bootloader will verify the signed app image (using the validated public key portion of its appended signature block).
+11. On subsequent boots, the secure boot hardware will verify the software bootloader has not changed and the software bootloader will verify the signed app image (using the validated public key portion of its appended signature block).
 
 Restrictions after Secure Boot is enabled
 -----------------------------------------