Skip to content

Commit

Permalink
docs: Fix Secure DL mode documentation about flash read being unsuppo…
Browse files Browse the repository at this point in the history
…rted

Simple flash read command is not supported if Secure DL mode is enabled on the target.
Remove reference of this from the relevant docs part.

Related: espressif/esptool#810
Related: ESPTOOL-567
Closes IDF-6468
  • Loading branch information
mahavirj committed Dec 16, 2022
1 parent b2396ce commit 88c3e0b
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 4 deletions.
6 changes: 3 additions & 3 deletions components/bootloader/Kconfig.projbuild
Original file line number Diff line number Diff line change
Expand Up @@ -997,9 +997,9 @@ menu "Security features"
Download Mode into a separate Secure Download mode. This option can only work if
Download Mode is not already disabled by eFuse.

Secure Download mode limits the use of Download Mode functions to simple flash read,
write and erase operations, plus a command to return a summary of currently enabled
security features.
Secure Download mode limits the use of Download Mode functions to update SPI config,
changing baud rate, basic flash write and a command to return a summary of currently
enabled security features (`get_security_info`).

Secure Download mode is not compatible with the esptool.py flasher stub feature,
espefuse.py, read/writing memory or registers, encrypted download, or any other
Expand Down
2 changes: 1 addition & 1 deletion docs/en/security/flash-encryption.rst
Original file line number Diff line number Diff line change
Expand Up @@ -544,7 +544,7 @@ When using Flash Encryption in production:

- Do not reuse the same flash encryption key between multiple devices. This means that an attacker who copies encrypted data from one device cannot transfer it to a second device.
:esp32: - When using ESP32 V3, if the UART ROM Download Mode is not needed for a production device then it should be disabled to provide an extra level of protection. Do this by calling :cpp:func:`esp_efuse_disable_rom_download_mode` during application startup. Alternatively, configure the project :ref:`CONFIG_ESP32_REV_MIN` level to 3 (targeting ESP32 V3 only) and select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)". The ability to disable ROM Download Mode is not available on earlier ESP32 versions.
:not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to basic flash read and write only. The default behaviour is to set Secure Download Mode on first boot in Release mode. To disable Download Mode entirely select select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime.
:not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to update SPI config, changing baud rate, basic flash write and a command to return a summary of currently enabled security features (`get_security_info`). The default behaviour is to set Secure Download Mode on first boot in Release mode. To disable Download Mode entirely select select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime.
- Enable :doc:`Secure Boot <secure-boot-v2>` as an extra layer of protection, and to prevent an attacker from selectively corrupting any part of the flash before boot.

Possible Failures
Expand Down

0 comments on commit 88c3e0b

Please sign in to comment.