Merge branch 'feature/disable_rom_console' into 'master'

esp32: Add KConfig option to disable BASIC ROM Console fallback on first boot See merge request !1134
2017-08-30 07:56:00 +08:00 · 2017-08-30 07:56:00 +08:00 · b4eda4c4f7
commit b4eda4c4f7
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -168,12 +168,17 @@ menu "Potentially insecure options"

 config SECURE_BOOT_ALLOW_ROM_BASIC
       bool "Leave ROM BASIC Interpreter available on reset"
-       depends on SECURE_BOOT_INSECURE
+       depends on SECURE_BOOT_INSECURE || FLASH_ENCRYPTION_INSECURE
       default N
       help
-          If not set (default), bootloader permanently disables ROM BASIC (on UART console) as a fallback if the bootloader image becomes invalid. This happens on first boot.
+          By default, the BASIC ROM Console starts on reset if no valid bootloader is
+          read from the flash.

-          Only set this option in testing environments.
+          When either flash encryption or secure boot are enabled, the default is to
+          disable this BASIC fallback mode permanently via efuse.
+
+          If this option is set, this efuse is not burned and the BASIC ROM Console may
+          remain accessible.  Only set this option in testing environments.

 config SECURE_BOOT_ALLOW_JTAG
       bool "Allow JTAG Debugging"
--- a/components/bootloader_support/include/esp_efuse.h
+++ b/components/bootloader_support/include/esp_efuse.h
@ -48,6 +48,16 @@ void esp_efuse_burn_new_values(void);
 */
 void esp_efuse_reset(void);

+/* @brief Disable BASIC ROM Console via efuse
+ *
+ * By default, if booting from flash fails the ESP32 will boot a
+ * BASIC console in ROM.
+ *
+ * Call this function (from bootloader or app) to permanently
+ * disable the console on this chip.
+ */
+void esp_efuse_disable_basic_rom_console(void);
+
 #ifdef __cplusplus
 }
 #endif
--- a/components/bootloader_support/src/efuse.c
+++ b/components/bootloader_support/src/efuse.c
@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include "esp_efuse.h"
+#include "esp_log.h"

 #define EFUSE_CONF_WRITE 0x5A5A /* efuse_pgm_op_ena, force no rd/wr disable */
 #define EFUSE_CONF_READ 0x5AA5 /* efuse_read_op_ena, release force */
@ -19,6 +20,8 @@
 #define EFUSE_CMD_PGM 0x02
 #define EFUSE_CMD_READ 0x01

+static const char *TAG = "efuse";
+
 void esp_efuse_burn_new_values(void)
 {
    REG_WRITE(EFUSE_CONF_REG, EFUSE_CONF_WRITE);
@ -45,3 +48,13 @@ void esp_efuse_reset(void)
      }
    }
 }
+
+void esp_efuse_disable_basic_rom_console(void)
+{
+    if ((REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_RD_CONSOLE_DEBUG_DISABLE) == 0) {
+        ESP_EARLY_LOGI(TAG, "Disable BASIC ROM Console fallback via efuse...");
+        esp_efuse_reset();
+        REG_WRITE(EFUSE_BLK0_WDATA6_REG, EFUSE_RD_CONSOLE_DEBUG_DISABLE);
+        esp_efuse_burn_new_values();
+    }
+}
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@ -139,6 +139,12 @@ static esp_err_t initialise_flash_encryption(void)
 #else
    ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
 #endif
+#ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
+    ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
+    new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE;
+#else
+    ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
+#endif

    if (new_wdata6 != 0) {
        REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);
--- a/components/esp32/Kconfig
+++ b/components/esp32/Kconfig
@ -604,6 +604,18 @@ config ESP32_XTAL_FREQ
    default 40 if ESP32_XTAL_FREQ_40
    default 26 if ESP32_XTAL_FREQ_26

+config DISABLE_BASIC_ROM_CONSOLE
+    bool "Permanently disable BASIC ROM Console"
+    default n
+    help
+        If set, the first time the app boots it will disable the BASIC ROM Console
+        permanently (by burning an efuse).
+
+        Otherwise, the BASIC ROM Console starts on reset if no valid bootloader is
+        read from the flash.
+
+        (Enabling secure boot also disables the BASIC ROM Console by default.)
+
 config NO_BLOBS
    bool "No Binary Blobs"
    depends on !BT_ENABLED
@ -624,7 +636,7 @@ config ESP_TIMER_PROFILING
 		used for timer storage, and should only be used for debugging/testing
 		purposes.

-endmenu
+endmenu  # ESP32-Specific

 menu Wi-Fi

@ -748,10 +760,10 @@ config ESP32_WIFI_NVS_ENABLED
    help
        Select this option to enable WiFi NVS flash

-endmenu
+endmenu  # Wi-Fi

 menu Phy
-	
+
 config ESP32_PHY_CALIBRATION_AND_DATA_STORAGE
    bool "Do phy calibration and store calibration data in NVS"
    default y
@ -790,4 +802,4 @@ config ESP32_PHY_MAX_TX_POWER
 	int
 	default ESP32_PHY_MAX_WIFI_TX_POWER

-endmenu
+endmenu  # PHY
--- a/components/esp32/cpu_start.c
+++ b/components/esp32/cpu_start.c
@ -62,6 +62,7 @@
 #include "esp_panic.h"
 #include "esp_core_dump.h"
 #include "esp_app_trace.h"
+#include "esp_efuse.h"
 #include "esp_clk.h"
 #include "esp_timer.h"
 #include "trax.h"
@ -244,6 +245,9 @@ void start_cpu0_default(void)
 #endif
 #if CONFIG_BROWNOUT_DET
    esp_brownout_init();
+#endif
+#if CONFIG_DISABLE_BASIC_ROM_CONSOLE
+    esp_efuse_disable_basic_rom_console();
 #endif
    rtc_gpio_force_hold_dis_all();
    esp_vfs_dev_uart_register();