From 11a2f2acd33b2b3d048263eb812b6b7c093af6e3 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Thu, 11 Feb 2021 21:19:29 +0800
Subject: [PATCH] bootloader: Adds a check that app is run under FE

---
 components/bootloader/Kconfig.projbuild | 11 +++++++++++
 components/bootloader_support/src/flash_encrypt.c | 15 ++++++++-------
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 199ab99b9a..9fb1edaa8e 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -794,5 +794,16 @@ menu "Security features"
 It is also possible to enable secure download mode at runtime by calling
 esp_efuse_enable_rom_secure_download_mode()
+ config SECURE_FLASH_CHECK_ENC_EN_IN_APP
+ bool "Check Flash Encryption enabled on app startup"
+ depends on SECURE_FLASH_ENC_ENABLED
+ default y
+ help
+ If set (default), in an app during startup code,
+ there is a check of the flash encryption eFuse bit is on
+ (as the bootloader should already have set it).
+ The app requires this bit is on to continue work otherwise abort.
+
+ If not set, the app does not care if the flash encryption eFuse bit is set or not.
 endmenu # Security features
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 8d64bf4bf3..e869ef2d16 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
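Review bot: The help text added after `+ help` is ungrammatical in two places ("there is a check of the flash encryption eFuse bit is on" and "The app requires this bit is on to continue work otherwise abort"), which matters for a security option that users decide on from the menuconfig description alone. I would reword those lines to `If set (default), the app checks during startup that the flash encryption eFuse bit is set (the bootloader should already have set it); if it is not set, the app aborts.` A short mention that the check is performed in esp_flash_encryption_init_checks() would also let readers locate it, since the second hunk of this commit places it there.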
@@ -23,13 +23,7 @@
 #if CONFIG_IDF_TARGET_ESP32
 #define CRYPT_CNT ESP_EFUSE_FLASH_CRYPT_CNT
 #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT
-#elif CONFIG_IDF_TARGET_ESP32S2
-#define CRYPT_CNT ESP_EFUSE_SPI_BOOT_CRYPT_CNT
-#define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
-#elif CONFIG_IDF_TARGET_ESP32S3
-#define CRYPT_CNT ESP_EFUSE_SPI_BOOT_CRYPT_CNT
-#define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
-#elif CONFIG_IDF_TARGET_ESP32C3
+#else
 #define CRYPT_CNT ESP_EFUSE_SPI_BOOT_CRYPT_CNT
 #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
 #endif
@@ -41,6 +35,13 @@ void esp_flash_encryption_init_checks()
 {
 esp_flash_enc_mode_t mode;
+#ifdef CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP
+ if (!esp_flash_encryption_enabled()) {
+ ESP_LOGE(TAG, "Flash encryption eFuse bit was not enabled in bootloader but CONFIG_SECURE_FLASH_ENC_ENABLED is on");
+ abort();
+ }
+#endif
+
 // First check is: if Release mode flash encryption & secure boot are enabled then
 // FLASH_CRYPT_CNT *must* be write protected. This will have happened automatically
 // if bootloader is IDF V4.0 or newer but may not have happened for previous ESP-IDF bootloaders.
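Review bot: The `+#else` that replaces the three per-target `#elif` branches now maps every target other than ESP32, including any added later, onto the SPI_BOOT_CRYPT_CNT eFuse names without saying so. A one-line comment on the new branch, `#else /* all targets other than ESP32 use SPI_BOOT_CRYPT_CNT */`, would record that this is intentional rather than an oversight when a new target's eFuse layout is reviewed. Whether every future target actually shares that name is not something the hunk can show, so this is a documentation point only.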
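Review bot: The new guard under `+#ifdef CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP` has no comment explaining what it defends against, and because it ends in `abort()` it is a deliberate fail-closed decision at boot rather than an ordinary error path, so the intent should be recorded above the `#ifdef`, e.g. `// Fail closed: this app was built expecting flash encryption, so if the bootloader never burned the eFuse the app is executing from plaintext flash; abort rather than continue.` The ESP_LOGE message names CONFIG_SECURE_FLASH_ENC_ENABLED while the block is compiled under CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP; naming the gating option in the message as well would tell whoever reads the serial log which Kconfig option controls this abort. Placing the guard ahead of the Release-mode checks in the context lines below looks right, since those checks appear to assume encryption is already on, though that is inferred from their comments rather than shown in the hunk. esp_flash_encryption_init_checks() continues past the end of the hunk.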