From 92de0378838761f9492af1e174a91d5e0bb52b41 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Wed, 21 Dec 2022 19:31:27 +0800 Subject: [PATCH] efuse: Hides the FLASH_ENCRYPTION_MODE_RELEASE option when using EFUSE_VIRTUAL --- components/bootloader/Kconfig.projbuild | 5 +++++ components/efuse/Kconfig | 3 +++ 2 files changed, 8 insertions(+) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 4579fd41c9..38f5aa2ec9 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -811,6 +811,10 @@ menu "Security features" Release mode should always be selected for production or manufacturing. Once enabled it's no longer possible for the device in ROM Download Mode to use the flash encryption hardware. + When EFUSE_VIRTUAL is enabled, SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not available. + For CI tests we use IDF_CI_BUILD to bypass it ("export IDF_CI_BUILD=1"). + We do not recommend bypassing it for other purposes. + Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details. config SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT @@ -820,6 +824,7 @@ menu "Security features" config SECURE_FLASH_ENCRYPTION_MODE_RELEASE bool "Release" select PARTITION_TABLE_MD5 if !APP_COMPATIBLE_PRE_V3_1_BOOTLOADERS + depends on !EFUSE_VIRTUAL || IDF_CI_BUILD endchoice diff --git a/components/efuse/Kconfig b/components/efuse/Kconfig index 744b359869..3e186556d2 100644 --- a/components/efuse/Kconfig +++ b/components/efuse/Kconfig @@ -23,6 +23,9 @@ menu "eFuse Bit Manager" to RAM instead of eFuse registers, all permanent changes (via eFuse) are disabled. Log output will state changes that would be applied, but they will not be. + If it is "y", then SECURE_FLASH_ENCRYPTION_MODE_RELEASE cannot be used. + Because the EFUSE VIRT mode is for testing only. + During startup, the eFuses are copied into RAM. This mode is useful for fast tests. config EFUSE_VIRTUAL_KEEP_IN_FLASH