From 696f7495a0467185045022dd0e01b96d561e9cf0 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Fri, 12 Aug 2022 17:05:39 +0800 Subject: [PATCH 1/3] security: Adds new APIs to check that all eFuse security features are enabled correctly --- .../include/esp_flash_encrypt.h | 14 ++ .../include/esp_secure_boot.h | 13 ++ .../bootloader_support/src/flash_encrypt.c | 203 ++++++++++++++++ .../bootloader_support/src/secure_boot.c | 217 ++++++++++++++++++ .../esp32c2/include/soc/Kconfig.soc_caps.in | 8 + components/soc/esp32c2/include/soc/soc_caps.h | 4 + .../esp32c3/include/soc/Kconfig.soc_caps.in | 16 ++ components/soc/esp32c3/include/soc/soc_caps.h | 6 + .../esp32c6/include/soc/Kconfig.soc_caps.in | 16 ++ components/soc/esp32c6/include/soc/soc_caps.h | 8 +- .../esp32h2/include/soc/Kconfig.soc_caps.in | 16 ++ components/soc/esp32h2/include/soc/soc_caps.h | 8 +- .../esp32h4/include/soc/Kconfig.soc_caps.in | 16 ++ components/soc/esp32h4/include/soc/soc_caps.h | 6 + .../esp32s2/include/soc/Kconfig.soc_caps.in | 20 ++ components/soc/esp32s2/include/soc/soc_caps.h | 7 + .../esp32s3/include/soc/Kconfig.soc_caps.in | 20 ++ components/soc/esp32s3/include/soc/soc_caps.h | 7 + examples/system/efuse/main/efuse_main.c | 17 +- .../efuse/pytest_system_efuse_example.py | 9 +- 20 files changed, 626 insertions(+), 5 deletions(-) diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index 35129c8b97a..d6b0a54c5a9 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -8,6 +8,7 @@ #include #include "esp_attr.h" #include "esp_err.h" +#include "soc/soc_caps.h" #ifndef BOOTLOADER_BUILD #include "spi_flash_mmap.h" #endif 
@@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void); */ esp_err_t esp_flash_encryption_enable_secure_features(void); +/** @brief Returns the verification status for all physical security features of flash encryption in release mode + * + * If the device has flash encryption feature configured in the release mode, + * then it is highly recommended to call this API in the application startup code. + * This API verifies the sanity of the eFuse configuration against + * the release (production) mode of the flash encryption feature. + * + * @return + * - True - all eFuses are configured correctly + * - False - not all eFuses are configured correctly. + */ +bool esp_flash_encryption_cfg_verify_release_mode(void); + /** @brief Switches Flash Encryption from "Development" to "Release" * * If already in "Release" mode, the function will do nothing. diff --git a/components/bootloader_support/include/esp_secure_boot.h b/components/bootloader_support/include/esp_secure_boot.h index 95ccf39000e..fa5c13e25ff 100644 --- a/components/bootloader_support/include/esp_secure_boot.h +++ b/components/bootloader_support/include/esp_secure_boot.h @@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi */ esp_err_t esp_secure_boot_enable_secure_features(void); +/** @brief Returns the verification status for all physical security features of secure boot in release mode + * + * If the device has secure boot feature configured in the release mode, + * then it is highly recommended to call this API in the application startup code. + * This API verifies the sanity of the eFuse configuration against + * the release (production) mode of the secure boot feature. + * + * @return + * - True - all eFuses are configured correctly + * - False - not all eFuses are configured correctly. + */ +bool esp_secure_boot_cfg_verify_release_mode(void); + #ifdef __cplusplus } #endif 
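Review bot: The doc comment for `esp_flash_encryption_cfg_verify_release_mode()` does not say what a caller should do with a `false` result, and the same gap exists for `esp_secure_boot_cfg_verify_release_mode()` in esp_secure_boot.h. The implementations added in this patch only read eFuse fields and log one line per field that is not in its release state; they burn nothing and do not stop the boot. I would add a sentence to both comments such as `This function only reads eFuses and logs each field that is not in its release state; it does not change any eFuse, so the caller decides how to react to a false result.` The `@return` list would also read better as `true` / `false`, matching the C `bool` values.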
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 9fe6be6bf35..50eebed9b76 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c 
@@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void) } ESP_LOGI(TAG, "Flash encryption mode is RELEASE"); } + +#ifdef CONFIG_IDF_TARGET_ESP32 +bool esp_flash_encryption_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_flash_encryption_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)"); + } + + uint8_t crypt_config = 0; + esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4); + if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) { + result &= false; + ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)"); + } + + uint8_t flash_crypt_cnt = 0; + esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); + if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) { + if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) { + result &= false; + ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not 
disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)"); + } + return result; +} +#else // not CONFIG_IDF_TARGET_ESP32 +bool esp_flash_encryption_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_flash_encryption_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)"); + } + + uint8_t flash_crypt_cnt = 0; + esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); + if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) { + if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) { + result &= false; + ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)"); + } + +#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)"); + } +#endif + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)"); + } + +#if SOC_EFUSE_DIS_PAD_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) 
{ + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_USB_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_DIRECT_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_BOOT_REMAP + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)"); + } +#endif + +#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)"); + } +#endif + + esp_efuse_purpose_t purposes[] = { +#if SOC_FLASH_ENCRYPTION_XTS_AES_256 + ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, + ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, +#endif +#if SOC_FLASH_ENCRYPTION_XTS_AES_128 + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, +#endif + }; + // S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2. + // The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2 + // are mutually exclusive because this will make the chip not functional. + // Only one type key must be configured in eFuses. 
+ secure = false; + for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) { + esp_efuse_block_t block; + if (esp_efuse_find_purpose(purposes[i], &block)) { + secure = esp_efuse_get_key_dis_read(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } + secure = esp_efuse_get_key_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } + +#if SOC_EFUSE_KEY_PURPOSE_FIELD + secure = esp_efuse_get_keypurpose_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0); + } +#endif + } + } + result &= secure; + + return result; +} +#endif // not CONFIG_IDF_TARGET_ESP32 diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c index 524e15f9627..0b5bab46fcb 100644 --- a/components/bootloader_support/src/secure_boot.c +++ b/components/bootloader_support/src/secure_boot.c @@ -10,6 +10,7 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_secure_boot.h" +#include "hal/efuse_hal.h" #ifndef BOOTLOADER_BUILD static __attribute__((unused)) const char *TAG = "secure_boot"; 
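Review bot: In the non-ESP32 `esp_flash_encryption_cfg_verify_release_mode()` in flash_encrypt.c, the function returns `false` with nothing logged when `esp_efuse_find_purpose()` matches none of the `purposes[]`. The key loop starts from `secure = false` and the trailing `result &= secure;` clears the result in that case, so the caller gets no reason for the failure. secure_boot.c in this same patch counts keys and prints "No secure boot key found"; the same pattern fits here, e.g. a `num_keys` counter and `ESP_LOGW(TAG, "No flash encryption key found");` after the loop. Several log strings are also misspelled ("ecnryption" in both BLK1 messages, and "Legcy SPI boot" here and in secure_boot.c), which makes them harder to search for in device logs.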
@@ -188,4 +189,220 @@ void esp_secure_boot_init_checks(void) #endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT } + +#ifdef CONFIG_IDF_TARGET_ESP32 +bool esp_secure_boot_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0); + bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300; + bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false; + result = secure_boot_v1 || secure_boot_v2; + if (secure_boot_v1 && secure_boot_v2) { + ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)"); + ESP_LOGI(TAG, "Secure boot V2 shall take the precedence"); + } else if (!secure_boot_v1 && !secure_boot_v2) { + result = false; + ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)"); + if (chip_supports_sbv2) { + ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)"); + } + } + + if (secure_boot_v1 && !secure_boot_v2) { + secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)"); + } + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)"); + } + + if (secure_boot_v2) { + secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)"); + } + + secure = 
esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)"); + } + } + + return result; +} +#else // not CONFIG_IDF_TARGET_ESP32 +bool esp_secure_boot_cfg_verify_release_mode(void) +{ + bool result = false; + bool secure; + + secure = esp_secure_boot_enabled(); + result = secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)"); + } + + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE); + bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD); + if (!secure && !en_secure_download) { + result &= false; + ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:"); + ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)"); + ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)"); + } + +#if SOC_EFUSE_DIS_BOOT_REMAP + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)"); + } +#endif + +#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_DIS_DIRECT_BOOT + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)"); + } +#endif + +#if SOC_EFUSE_HARD_DIS_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_SOFT_DIS_JTAG + size_t soft_dis_jtag_cnt_val = 0; + esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val); + if 
(soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) { + result &= secure; + ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)"); + } +#endif + +#if SOC_EFUSE_DIS_PAD_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)"); + } +#endif + +#if SOC_EFUSE_DIS_USB_JTAG + secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)"); + } +#endif + +#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE + secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)"); + } +#endif + + secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)"); + } + +#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1 + unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2; +#else + unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2 +#endif + secure = false; + unsigned num_keys = 0; + for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) { + esp_efuse_block_t block; + if (esp_efuse_find_purpose(purpose + i, &block)) { + // if chip has a few secure boot slots then we check all +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + bool revoke = esp_efuse_get_digest_revoke(i); + if (revoke) { + continue; + } +#endif + ++num_keys; + secure = !esp_efuse_get_key_dis_read(block); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block); +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i); +#endif + } + 
secure = !esp_efuse_block_is_empty(block); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block); +#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY + ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i); +#endif + } + secure = esp_efuse_get_key_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0); + } +#if SOC_EFUSE_KEY_PURPOSE_FIELD + secure = esp_efuse_get_keypurpose_dis_write(block); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0); + } +#endif + } + } + result &= secure; + + secure = (num_keys != 0); + result &= secure; + if (!secure) { + ESP_LOGE(TAG, "No secure boot key found"); + } + + return result; +} +#endif // not CONFIG_IDF_TARGET_ESP32 + #endif // not BOOTLOADER_BUILD diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in index adcf5f6602e..1b7f6fbf28b 100644 --- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in @@ -479,6 +479,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS int default 1 +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_ECC bool default y diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h index ba571b18107..f0c5b4a6688 100644 --- a/components/soc/esp32c2/include/soc/soc_caps.h +++ b/components/soc/esp32c2/include/soc/soc_caps.h 
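Review bot: The `SOC_EFUSE_SOFT_DIS_JTAG` branch of the non-ESP32 `esp_secure_boot_cfg_verify_release_mode()` does `result &= secure;`, but `secure` there still holds the value of the preceding eFuse read, not the outcome of the SOFT_DIS_JTAG count comparison. When that earlier check passed, the warning "Not disabled JTAG in the soft way" is printed while `result` stays true, so the function can report release mode with the soft-disable field not fully burned. The line should be `result = false;` (or `result &= false;`, as used elsewhere in this patch). The hmac.rst note in this series says SOFT_DIS_JTAG has no effect once JTAG is permanently disabled, so it may also be worth deciding whether this field should influence the result when the hard or pad disable bit is already set.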
@@ -237,6 +237,10 @@ #define SOC_TIMER_GROUP_SUPPORT_PLL_F40M (1) #define SOC_TIMER_GROUP_TOTAL_TIMERS (1U) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_ECC 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS (1U) diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index cfb7b79d421..209d6756e0f 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -711,6 +711,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index c91f707d081..9b319001ecf 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -324,6 +324,12 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in index c5b217ac7d8..558b5e5b876 100644 --- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in 
+++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in @@ -799,6 +799,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h index 942e17be30e..0bc33180898 100644 --- a/components/soc/esp32c6/include/soc/soc_caps.h +++ b/components/soc/esp32c6/include/soc/soc_caps.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -369,6 +369,12 @@ #define SOC_TWAI_BRP_MAX 32768 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + // TODO: IDF-5357 (Copy from esp32c3, need check) /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index 361403d3d48..be7da9fb8e8 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -647,6 +647,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y 
diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index b7045938986..8c38d5127df 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -353,6 +353,12 @@ #define SOC_TWAI_BRP_MAX 32768 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + // TODO: IDF-6281 (Copy from esp32c6, need check) /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index ad28130f484..2d33b2bbcf4 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -687,6 +687,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS bool default y +config SOC_EFUSE_DIS_PAD_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index c56443a7f1c..5d0fe174160 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h 
@@ -331,6 +331,12 @@ #define SOC_TWAI_BRP_MAX 16384 #define SOC_TWAI_SUPPORTS_RX_STATUS 1 +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_PAD_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index 469453abce5..b5d22fdadab 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -795,6 +795,26 @@ config SOC_AES_SUPPORT_GCM bool default y +config SOC_EFUSE_DIS_DOWNLOAD_DCACHE + bool + default y + +config SOC_EFUSE_HARD_DIS_JTAG + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_BOOT_REMAP + bool + default y + +config SOC_EFUSE_DIS_LEGACY_SPI_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index 40649f2a2b8..7922e055e99 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -357,6 +357,13 @@ #define SOC_AES_SUPPORT_DMA (1) #define SOC_AES_SUPPORT_GCM (1) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1 +#define SOC_EFUSE_HARD_DIS_JTAG 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_BOOT_REMAP 1 +#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 
diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index 181410cdbb8..c56d2d4218a 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -987,6 +987,26 @@ config SOC_CLK_RC_FAST_SUPPORT_CALIBRATION bool default y +config SOC_EFUSE_DIS_DOWNLOAD_DCACHE + bool + default y + +config SOC_EFUSE_HARD_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_USB_JTAG + bool + default y + +config SOC_EFUSE_SOFT_DIS_JTAG + bool + default y + +config SOC_EFUSE_DIS_DIRECT_BOOT + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index c96703d5a81..d7ce61e3ee6 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -416,6 +416,13 @@ #define SOC_RTC_SLOW_CLK_SUPPORT_RC_FAST_D256 (1) #define SOC_CLK_RC_FAST_SUPPORT_CALIBRATION (1) +/*-------------------------- eFuse CAPS----------------------------*/ +#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1 +#define SOC_EFUSE_HARD_DIS_JTAG 1 +#define SOC_EFUSE_DIS_USB_JTAG 1 +#define SOC_EFUSE_SOFT_DIS_JTAG 1 +#define SOC_EFUSE_DIS_DIRECT_BOOT 1 + /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 diff --git a/examples/system/efuse/main/efuse_main.c b/examples/system/efuse/main/efuse_main.c index 8c24a407d92..53afd94600d 100644 --- a/examples/system/efuse/main/efuse_main.c +++ b/examples/system/efuse/main/efuse_main.c @@ -15,10 +15,8 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_efuse_custom_table.h" -#if CONFIG_IDF_TARGET_ESP32C2 #include "esp_secure_boot.h" #include "esp_flash_encrypt.h" -#endif #include "sdkconfig.h" static const char* TAG = "example"; 
@@ -135,6 +133,21 @@ void app_main(void) { ESP_LOGI(TAG, "Start eFuse example"); +#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED + if (esp_flash_encryption_cfg_verify_release_mode()) { + ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode"); + } else { + ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode"); + } +#endif +#ifdef CONFIG_SECURE_BOOT + if (esp_secure_boot_cfg_verify_release_mode()) { + ESP_LOGI(TAG, "Secure Boot is in RELEASE mode"); + } else { + ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode"); + } +#endif + esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme(); (void) coding_scheme; diff --git a/examples/system/efuse/pytest_system_efuse_example.py b/examples/system/efuse/pytest_system_efuse_example.py index 2f52f56e39b..327355e95c2 100644 --- a/examples/system/efuse/pytest_system_efuse_example.py +++ b/examples/system/efuse/pytest_system_efuse_example.py @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD +# SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD # SPDX-License-Identifier: Unlicense OR CC0-1.0 from __future__ import unicode_literals @@ -248,6 +248,7 @@ def test_examples_efuse_with_virt_flash_enc_release(dut: Dut) -> None: dut.expect_exact('flash encryption is enabled (0 plaintext flashes left)', timeout=5) dut.expect('Flash encryption mode is RELEASE') dut.expect('Start eFuse example') + dut.expect('Flash Encryption is in RELEASE mode') dut.expect('example: Done') @@ -772,6 +773,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done') 
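Review bot: In efuse_main.c the block added to `app_main()` only logs the outcome of `esp_flash_encryption_cfg_verify_release_mode()` and `esp_secure_boot_cfg_verify_release_mode()` and then carries on. That suits the example, since the pytest cases expect the "NOT in RELEASE mode" line on development-mode images, but example code tends to be copied into products unchanged. A short comment above the block would make the intent explicit, e.g. `// The example only logs the result; production firmware should decide how to handle a failed check (report it, or refuse to continue).` `app_main()` continues outside the hunk.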
@@ -851,6 +854,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done') @@ -938,6 +943,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None: dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)') dut.expect('main_task: Calling app_main()') dut.expect('Start eFuse example') + dut.expect('example: Flash Encryption is NOT in RELEASE mode') + dut.expect('example: Secure Boot is in RELEASE mode') dut.expect('example: Done') From b7c28e92f15612ac2b516528384aabe1402e774d Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Tue, 3 Jan 2023 23:30:36 +0800 Subject: [PATCH 2/3] doc: Update hmac article --- docs/en/api-reference/peripherals/hmac.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/en/api-reference/peripherals/hmac.rst b/docs/en/api-reference/peripherals/hmac.rst index fb9bdc0a0e1..a09962e32a3 100644 --- a/docs/en/api-reference/peripherals/hmac.rst +++ b/docs/en/api-reference/peripherals/hmac.rst 
@@ -106,6 +106,14 @@ Setup .. note:: The API *esp_efuse_write_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count)* can be used to burn "soft JTAG disable" bits on {IDF_TARGET_NAME}. +.. only:: esp32s2 or esp32s3 + + .. note:: If ``HARD_DIS_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled. + +.. only:: not esp32s2 and not esp32s3 + + .. note:: If ``DIS_PAD_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled. + JTAG enable 1. The key to re-enable JTAG is the output of the HMAC-SHA256 function using the secret key in eFuse and 32 0x00 bytes as the message. From df662c30e4a99fceed31a19a226db7955be5afd5 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Fri, 6 Jan 2023 00:44:46 +0800 Subject: [PATCH 3/3] bootloader_support(esp32c2): Fix WR_DIS_RD_DIS burn for secure boot key SB key is left readable, the corresponding bit in RD_DIS is unset. We set write-protection for RD_DIS to ensure that the SB key is always readable. --- .../src/esp32c2/secure_boot_secure_features.c | 12 ++++++++++++ components/efuse/esp32c2/esp_efuse_table.c | 12 ++++++------ components/efuse/esp32c2/esp_efuse_table.csv | 2 +- components/efuse/esp32c2/include/esp_efuse_table.h | 6 +++--- 4 files changed, 22 insertions(+), 10 deletions(-) diff --git a/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c index 20f93195892..ec6d6e7ef9f 100644 --- a/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32c2/secure_boot_secure_features.c 
@@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
+#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
+ // Secure boot and Flash encryption share one eFuse key block so they can not be set separately.
+ // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
+ // SB key is readable, the corresponding bit in RD_DIS is unset.
+ // We set write-protection for RD_DIS to ensure that the SB key is always readable.
+ // FE key is read-protected, the corresponding bit in RD_DIS is set.
+ ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
+ esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+#else
+ ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
+#endif
+
 return ESP_OK;
 }
diff --git a/components/efuse/esp32c2/esp_efuse_table.c b/components/efuse/esp32c2/esp_efuse_table.c
index c1d712e1483..a5180742391 100644
--- a/components/efuse/esp32c2/esp_efuse_table.c
+++ b/components/efuse/esp32c2/esp_efuse_table.c
@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */
@@ -9,7 +9,7 @@ #include #include "esp_efuse_table.h" -// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee +// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // If you want to change some fields, you need to change esp_efuse_table.csv file // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
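Review bot: In `esp_secure_boot_enable_secure_features()`, the added `esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS)` permanently freezes RD_DIS in whatever state it has at that moment, and nothing in the hunk confirms that the flash-encryption part of the shared key block is already read-protected. The comment states this as a fact (`FE key is read-protected`), but if this path can run with secure boot enabled on its own, the FE key could never be read-protected afterwards; that ordering presumably depends on `CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER` and should be verified against the callers. I would word the comment as a precondition, e.g. `// Precondition: the FE key's RD_DIS bit is already burned; RD_DIS cannot change after this write.`, and back it with a check on the RD_DIS field before the write. The return value of the write is also dropped before `return ESP_OK;`, which is only sound if the caller batches and commits the eFuse writes and checks that result. The function body begins above the hunk.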
@@ -19,8 +19,8 @@ static const esp_efuse_desc_t WR_DIS[] = { {EFUSE_BLK0, 0, 8}, // Write protection, }; -static const esp_efuse_desc_t WR_DIS_KEY0_RD_DIS[] = { - {EFUSE_BLK0, 0, 1}, // Write protection for KEY0_RD_DIS, +static const esp_efuse_desc_t WR_DIS_RD_DIS[] = { + {EFUSE_BLK0, 0, 1}, // Write protection for RD_DIS, }; static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
@@ -265,8 +265,8 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = { NULL }; -const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[] = { - &WR_DIS_KEY0_RD_DIS[0], // Write protection for KEY0_RD_DIS +const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = { + &WR_DIS_RD_DIS[0], // Write protection for RD_DIS NULL };
diff --git a/components/efuse/esp32c2/esp_efuse_table.csv b/components/efuse/esp32c2/esp_efuse_table.csv
index ee34254c171..7334923b2e7 100644
--- a/components/efuse/esp32c2/esp_efuse_table.csv
+++ b/components/efuse/esp32c2/esp_efuse_table.csv
@@ -12,7 +12,7 @@ ############################## # EFUSE_RD_WR_DIS_REG # WR_DIS, EFUSE_BLK0, 0, 8, Write protection
- WR_DIS.KEY0_RD_DIS, EFUSE_BLK0, 0, 1, Write protection for KEY0_RD_DIS
+ WR_DIS.RD_DIS, EFUSE_BLK0, 0, 1, Write protection for RD_DIS
 WR_DIS.GROUP_1, EFUSE_BLK0, 1, 1, Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE
 WR_DIS.GROUP_2, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN
 WR_DIS.SPI_BOOT_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN
diff --git a/components/efuse/esp32c2/include/esp_efuse_table.h b/components/efuse/esp32c2/include/esp_efuse_table.h
index 23f580c7d4a..7cac756bcfd 100644
--- a/components/efuse/esp32c2/include/esp_efuse_table.h
+++ b/components/efuse/esp32c2/include/esp_efuse_table.h
@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */
@@ -10,7 +10,7 @@ extern "C" { #include "esp_efuse.h" -// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee +// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY. // If you want to change some fields, you need to change esp_efuse_table.csv file // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -18,7 +18,7 @@ extern "C" { extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[]; -extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[]; +extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[]; extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];