From a84234c23f41e6664453642af4fc46b5ce60ba7a Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan
Date: Mon, 6 Nov 2023 18:54:22 +0530
Subject: [PATCH] feat(security): Enable Flash encryption for ESP32P4
---
 .../bootloader_support/src/flash_encrypt.c | 18 ++++++------------
 .../src/flash_encryption/flash_encrypt.c | 13 ++++++++++++-
 components/esp_system/port/cpu_start.c | 6 ++++++
 .../spi_flash/test_apps/.build-test-rules.yml | 7 ++-----
 .../test_apps/flash_encryption/README.md | 4 ++--
 docs/en/security/flash-encryption.rst | 1 +
 .../security/host-based-security-workflows.rst | 1 +
 examples/security/.build-test-rules.yml | 2 +-
 .../sdkconfig.ci.virt_sb_v2_and_fe.esp32p4 | 18 ++++++++++++++++++
 9 files changed, 49 insertions(+), 21 deletions(-)
 create mode 100644 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 40f70a8658..27f10317cb 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -137,16 +137,14 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void)
 }
 #else
 if (esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT)
-#if CONFIG_IDF_TARGET_ESP32P4
- //TODO: IDF-7545
+#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
 && esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS)
-#else
+#endif
 #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
 && esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE)
 #endif
 #if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
 && esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE)
-#endif
 #endif
 ) {
 mode = ESP_FLASH_ENC_MODE_RELEASE;
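Review bot: The release-mode classification now hinges on `SOC_EFUSE_DIS_DOWNLOAD_MSPI` at the new `#if` in front of the `ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS` check, and nothing in this patch defines that capability (no soc_caps header appears in the diffstat); if a target's soc_caps.h leaves the macro undefined, the `#if` quietly evaluates to 0 and the MSPI-download eFuse silently stops counting towards ESP_FLASH_ENC_MODE_RELEASE. Presumably the cap already exists for ESP32-P4 (the two docs hunks in this patch use it as a conditional role), but a build-time pin such as `#if CONFIG_IDF_TARGET_ESP32P4 && !SOC_EFUSE_DIS_DOWNLOAD_MSPI` / `#error "ESP32-P4 is expected to expose SOC_EFUSE_DIS_DOWNLOAD_MSPI"` / `#endif` near the check would make a future soc_caps regression loud instead of a weakened release-mode check. The same gating change is repeated in esp_flash_encryption_set_release_mode and esp_flash_encryption_cfg_verify_release_mode in the following hunks, so one such pin covers all three. esp_get_flash_encryption_mode begins before this hunk and continues after it.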
@@ -192,17 +190,15 @@ void esp_flash_encryption_set_release_mode(void)
 esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
 #else
 esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
-#if CONFIG_IDF_TARGET_ESP32P4
- //TODO: IDF-7545
+#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
 esp_efuse_write_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
-#else
+#endif
 #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
 esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
 #endif
 #if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
 esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
 #endif
-#endif
 #ifdef CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 // For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0.
 // It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit.
@@ -345,14 +341,13 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
 }
 #endif
-#if CONFIG_IDF_TARGET_ESP32P4
- //TODO: IDF-7545
+#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
 secure = esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
 result &= secure;
 if (!secure) {
 ESP_LOGW(TAG, "Not disabled UART bootloader download mspi (set DIS_DOWNLOAD_MSPI->1)");
 }
-#else
+#endif
 #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
 secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
 result &= secure;
@@ -360,7 +355,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
 ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
 }
 #endif
-#endif
 #if SOC_EFUSE_DIS_PAD_JTAG
 secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
index daf920564a..145fb23e6d 100644
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
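Review bot: The warning printed when the MSPI check fails in esp_flash_encryption_cfg_verify_release_mode tells the operator to set `DIS_DOWNLOAD_MSPI->1`, while the bit actually read one line above is `ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS`, and the two docs hunks in this patch also call it DIS_DOWNLOAD_MSPI; whichever of the two spellings the eFuse table and espefuse expose is the one the message must carry, because an operator following the message with the other name will not find the field. The message line itself is context, but this hunk is what routes every SOC_EFUSE_DIS_DOWNLOAD_MSPI target through it rather than P4 alone, so it is worth settling now. If the table name is SPI_DOWNLOAD_MSPI_DIS, `ESP_LOGW(TAG, "Not disabled UART bootloader download mspi (set SPI_DOWNLOAD_MSPI_DIS->1)");` would match the read; otherwise a one-line comment mapping the field macro to the eFuse name would do. esp_flash_encryption_cfg_verify_release_mode begins before this hunk and continues after it.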
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -15,6 +15,11 @@
 #include "esp_efuse_table.h"
 #include "esp_log.h"
 #include "hal/wdt_hal.h"
+
+#if CONFIG_IDF_TARGET_ESP32P4 //TODO-IDF-7925
+#include "soc/keymng_reg.h"
+#endif
+
 #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 #include "soc/sensitive_reg.h"
 #endif
@@ -209,6 +214,12 @@ static esp_err_t check_and_generate_encryption_keys(void)
 }
 ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse");
 }
+
+#if CONFIG_IDF_TARGET_ESP32P4 //TODO - IDF-7925
+ // Force Key Manager to use eFuse key for XTS-AES operation
+ REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
+#endif
+
 return ESP_OK;
 }
diff --git a/components/esp_system/port/cpu_start.c b/components/esp_system/port/cpu_start.c
index 99d6e8b42d..09fde98aed 100644
--- a/components/esp_system/port/cpu_start.c
+++ b/components/esp_system/port/cpu_start.c
@@ -66,6 +66,7 @@
 #include "soc/hp_sys_clkrst_reg.h"
 #include "soc/interrupt_core0_reg.h"
 #include "soc/interrupt_core1_reg.h"
+#include "soc/keymng_reg.h"
 #endif
 #include "esp_private/esp_mmu_map_private.h"
@@ -299,6 +300,11 @@ static void start_other_core(void)
 if(REG_GET_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL)){
 REG_CLR_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL);
 }
+ // The following operation makes the Key Manager to use eFuse key for ECDSA and XTS-AES operation by default
+ // This is to keep the default behavior same as the other chips
+ // If the Key Manager configuration is already locked then following operation does not have any effect
+ // TODO-IDF 7925 (Move this under SOC_KEY_MANAGER_SUPPORTED)
+ REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 3);
 #endif
 ets_set_appcpu_boot_addr((uint32_t)call_start_cpu1);
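Review bot: The `2` written to `KEYMNG_USE_EFUSE_KEY` at the end of check_and_generate_encryption_keys is an unexplained magic number, and cpu_start.c in the same patch writes `3` to the same field for "ECDSA and XTS-AES", which suggests the field is a per-consumer bitmask (bit 0 ECDSA, bit 1 XTS-AES) — an inference from the two call sites, not something the hunk establishes. A named constant or the comment `// KEYMNG_USE_EFUSE_KEY appears to be a bitmask of key consumers (bit0 ECDSA, bit1 XTS-AES); the bootloader only forces the XTS-AES source — confirm against the TRM` would make the 2-versus-3 difference read as deliberate. The write also sits only on the success path, and nothing here locks the Key Manager selection afterwards, whereas the cpu_start.c comment states that a locked configuration ignores later writes; whether the bootloader intends to leave the selection changeable by later code should be stated in the comment. check_and_generate_encryption_keys begins before this hunk.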
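Review bot: A security default — forcing the Key Manager to take the ECDSA and XTS-AES keys from eFuse — is applied inside `start_other_core()`, in the block that releases core 1 from reset; if that function is not reached in single-core builds (its beginning lies before this hunk, so the guard is not visible here), the application never applies the default and the register keeps whatever ROM or bootloader left in it. The TODO already names `SOC_KEY_MANAGER_SUPPORTED`; moving `REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 3);` into the common security-init sequence that runs regardless of core count would also place it next to the other flash-encryption and secure-boot checks instead of in second-core bring-up. The TODO tag is spelled `TODO-IDF 7925` here and `TODO-IDF-7925` in flash_encrypt.c; one form makes the follow-up greppable. start_other_core continues after this hunk.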
diff --git a/components/spi_flash/test_apps/.build-test-rules.yml b/components/spi_flash/test_apps/.build-test-rules.yml
index eb48921719..873efbdf70 100644
--- a/components/spi_flash/test_apps/.build-test-rules.yml
+++ b/components/spi_flash/test_apps/.build-test-rules.yml
@@ -17,13 +17,10 @@ components/spi_flash/test_apps/esp_flash:
 components/spi_flash/test_apps/flash_encryption:
 disable_test:
- - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2"]
+ - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2", "esp32p4"]
 temporary: true
 reason: No runners # IDF-5634
- disable:
- - if: IDF_TARGET == "esp32p4"
- temporary: true
- reason: target esp32p4 is not supported yet # TODO: IDF-7545
+
 depends_components:
 - esp_mm
 - spi_flash
diff --git a/components/spi_flash/test_apps/flash_encryption/README.md b/components/spi_flash/test_apps/flash_encryption/README.md
index 304c4d955a..5e87c92c2a 100644
--- a/components/spi_flash/test_apps/flash_encryption/README.md
+++ b/components/spi_flash/test_apps/flash_encryption/README.md
@@ -1,5 +1,5 @@
-| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-S2 | ESP32-S3 |
-| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- |
+| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 |
+| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- |
 ## Prepare runner
diff --git a/docs/en/security/flash-encryption.rst b/docs/en/security/flash-encryption.rst
index f8f93249f1..22db63990e 100644
--- a/docs/en/security/flash-encryption.rst
+++ b/docs/en/security/flash-encryption.rst
@@ -929,6 +929,7 @@ On the first boot, the flash encryption process burns by default the following e
 :SOC_EFUSE_DIS_PAD_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``DIS_PAD_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
 :SOC_EFUSE_HARD_DIS_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``HARD_DIS_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
 - ``DIS_DIRECT_BOOT`` (old name ``DIS_LEGACY_SPI_BOOT``) which disables direct boot mode
+ :SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI`` which disables the MSPI access in download mode.
 However, before the first boot you can choose to keep any of these features enabled by burning only selected eFuses and write-protect the rest of eFuses with unset value 0. For example:
diff --git a/docs/en/security/host-based-security-workflows.rst b/docs/en/security/host-based-security-workflows.rst
index 5753572f92..96855700d3 100644
--- a/docs/en/security/host-based-security-workflows.rst
+++ b/docs/en/security/host-based-security-workflows.rst
@@ -290,6 +290,7 @@ In this case, all the eFuses related to flash encryption are written with help o
 :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG
 :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently
 :not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``: Disable UART bootloader encryption access
+ :SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``: Disable the MSPI access in download mode
 The respective eFuses can be burned by running:
diff --git a/examples/security/.build-test-rules.yml b/examples/security/.build-test-rules.yml
index 084469e45f..e24e449691 100644
--- a/examples/security/.build-test-rules.yml
+++ b/examples/security/.build-test-rules.yml
@@ -2,7 +2,7 @@ examples/security/flash_encryption:
 disable_test:
- - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2"]
+ - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4"]
 temporary: true
 reason: lack of runners
diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4
new file mode 100644
index 0000000000..8df40e73f4
--- /dev/null
+++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4
@@ -0,0 +1,18 @@
+# FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH
+
+CONFIG_IDF_TARGET="esp32p4"
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+
+# IMPORTANT: ONLY VIRTUAL eFuse MODE!
+CONFIG_EFUSE_VIRTUAL=y
+CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y