Inicio Explorar Axuda
Iniciar sesión
RT-Thread-packages
/
esp-idf
réplica de https://github-proxy.rt-thread.io/RT-Thread-packages/esp-idf.git
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 723b2e86e5
Ramas Etiquetas
esp-idf
/
components
/
bootloader_support
/
src
/
esp32s3
/
flash_encryption_secure_features.c

flash_encryption_secure_features.c 2.3 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061 
  1. /*
    2. 

  2.  * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
    3. 

  3.  *
    4. 

  4.  * SPDX-License-Identifier: Apache-2.0
    5. 

  5.  */
    6. 

  6. 

  7. #include <strings.h>
    8. 

  8. #include "esp_flash_encrypt.h"
    9. 

  9. #include "esp_secure_boot.h"
    10. 

  10. #include "esp_efuse.h"
    11. 

  11. #include "esp_efuse_table.h"
    12. 

  12. #include "esp_log.h"
    13. 

  13. #include "sdkconfig.h"
    14. 

  14. 

  15. static __attribute__((unused)) const char *TAG = "flash_encrypt";
    16. 

  16. 

  17. esp_err_t esp_flash_encryption_enable_secure_features(void)
    18. 

  18. {
    19. 

  19. #ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
    20. 

  20.     ESP_LOGI(TAG, "Disable UART bootloader encryption...");
    21. 

  21.     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
    22. 

  22. #else
    23. 

  23.     ESP_LOGW(TAG, "Not disabling UART bootloader encryption");
    24. 

  24. #endif
    25. 

  25. 

  26. #ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE
    27. 

  27.     ESP_LOGI(TAG, "Disable UART bootloader cache...");
    28. 

  28.     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
    29. 

  29.     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
    30. 

  30. #else
    31. 

  31.     ESP_LOGW(TAG, "Not disabling UART bootloader cache - SECURITY COMPROMISED");
    32. 

  32. #endif
    33. 

  33. 

  34. #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
    35. 

  35.     ESP_LOGI(TAG, "Disable JTAG...");
    36. 

  36.     esp_efuse_write_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
    37. 

  37.     esp_efuse_write_field_bit(ESP_EFUSE_DIS_USB_JTAG);
    38. 

  38. #else
    39. 

  39.     ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
    40. 

  40. #endif
    41. 

  41. 

  42.     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
    43. 

  43. 

  44. #if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
    45. 

  45.     // This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
    46. 

  46.     // otherwise the Flash Encryption key cannot be read protected
    47. 

  47.     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
    48. 

  48. #endif
    49. 

  49. 

  50. #ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
    51. 

  51.     // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally.
    52. 

  52.     // esp32s3 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both.
    53. 

  53.     // List of eFuses with the same write protection bit:
    54. 

  54.     // DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
    55. 

  55.     // DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG,
    56. 

  56.     // DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
    57. 

  57.     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
    58. 

  58. #endif
    59. 

  59. 

  60.     return ESP_OK;
    61. 

  61. }
    62.