secure_boot.c 1.7 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253
  1. // Copyright 2015-2018 Espressif Systems (Shanghai) PTE LTD
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. // http://www.apache.org/licenses/LICENSE-2.0
  7. //
  8. // Unless required by applicable law or agreed to in writing, software
  9. // distributed under the License is distributed on an "AS IS" BASIS,
  10. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  11. // See the License for the specific language governing permissions and
  12. // limitations under the License.
  13. #include "esp_secure_boot.h"
  14. #include "esp_log.h"
  15. #include "esp32s2/rom/secure_boot.h"
  16. static const char *TAG = "secure_boot";
  17. esp_err_t esp_secure_boot_permanently_enable(void)
  18. {
  19. uint8_t hash[32];
  20. if (ets_efuse_secure_boot_enabled())
  21. {
  22. ESP_LOGI(TAG, "secure boot is already enabled, continuing..");
  23. return ESP_OK;
  24. }
  25. ESP_LOGI(TAG, "Verifying bootloader signature...\n");
  26. int r = ets_secure_boot_verify_bootloader(hash, false);
  27. if (r != ESP_OK) {
  28. ESP_LOGE(TAG, "Failed to verify bootloader signature");
  29. return r;
  30. }
  31. esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */
  32. esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
  33. esp_efuse_write_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
  34. esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
  35. // TODO: also disable JTAG here, etc
  36. esp_err_t err = esp_efuse_batch_write_commit();
  37. if (err == ESP_OK) {
  38. assert(ets_efuse_secure_boot_enabled());
  39. ESP_LOGI(TAG, "Secure boot permanently enabled");
  40. }
  41. return ESP_OK;
  42. }