From 1e22bcdfde262892e47cb3f182eafbe61e28ae4e Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Tue, 22 Aug 2017 14:55:23 +1000
Subject: [PATCH 1/2] esp32: Add KConfig option to disable ROM Console fallback on first boot
---
 .../bootloader_support/include/esp_efuse.h | 10 ++++++++++
 components/bootloader_support/src/efuse.c | 13 ++++++++++++
 components/esp32/Kconfig | 20 +++++++++++++++----
 components/esp32/cpu_start.c | 4 ++++
 4 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/components/bootloader_support/include/esp_efuse.h b/components/bootloader_support/include/esp_efuse.h
index 41588396c4..2f33b05a98 100644
--- a/components/bootloader_support/include/esp_efuse.h
+++ b/components/bootloader_support/include/esp_efuse.h
@@ -48,6 +48,16 @@ void esp_efuse_burn_new_values(void);
 */
 void esp_efuse_reset(void);
+/* @brief Disable BASIC ROM Console via efuse
+ *
+ * By default, if booting from flash fails the ESP32 will boot a
+ * BASIC console in ROM.
+ *
+ * Call this function (from bootloader or app) to permanently
+ * disable the console on this chip.
+ */
+void esp_efuse_disable_basic_rom_console(void);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/bootloader_support/src/efuse.c b/components/bootloader_support/src/efuse.c
index e90ba1b7f6..40bb6d451e 100644
--- a/components/bootloader_support/src/efuse.c
+++ b/components/bootloader_support/src/efuse.c
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include "esp_efuse.h"
+#include "esp_log.h"
 #define EFUSE_CONF_WRITE 0x5A5A /* efuse_pgm_op_ena, force no rd/wr disable */
 #define EFUSE_CONF_READ 0x5AA5 /* efuse_read_op_ena, release force */
@@ -19,6 +20,8 @@
 #define EFUSE_CMD_PGM 0x02
 #define EFUSE_CMD_READ 0x01
+static const char *TAG = "efuse";
+
 void esp_efuse_burn_new_values(void)
 {
 REG_WRITE(EFUSE_CONF_REG, EFUSE_CONF_WRITE);
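Review bot: The doc comment on esp_efuse_disable_basic_rom_console() opens with `/*`, so a Doxygen pass over this header would not attach it to the declaration even though it already uses an `@brief` tag; `/** @brief Disable BASIC ROM Console via efuse` fixes that. It would also help callers to state the contract the efuse.c hunk in this patch actually provides: the function reads EFUSE_BLK0_RDATA6_REG first and returns without burning when EFUSE_RD_CONSOLE_DEBUG_DISABLE is already set, so calling it on every boot is safe, and the change is a one-way efuse burn that cannot be reverted. A line such as `* Safe to call repeatedly: returns without burning if the efuse is already set.` belongs in this comment.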
@@ -45,3 +48,13 @@ void esp_efuse_reset(void)
 }
 }
 }
+
+void esp_efuse_disable_basic_rom_console(void)
+{
+ if ((REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_RD_CONSOLE_DEBUG_DISABLE) == 0) {
+ ESP_EARLY_LOGI(TAG, "Disable BASIC ROM Console fallback via efuse...");
+ esp_efuse_reset();
+ REG_WRITE(EFUSE_BLK0_WDATA6_REG, EFUSE_RD_CONSOLE_DEBUG_DISABLE);
+ esp_efuse_burn_new_values();
+ }
+}
diff --git a/components/esp32/Kconfig b/components/esp32/Kconfig
index dca22d039a..9c554f9ed9 100644
--- a/components/esp32/Kconfig
+++ b/components/esp32/Kconfig
@@ -604,6 +604,18 @@ config ESP32_XTAL_FREQ
 default 40 if ESP32_XTAL_FREQ_40
 default 26 if ESP32_XTAL_FREQ_26
+config DISABLE_BASIC_ROM_CONSOLE
+ bool "Permanently disable BASIC ROM Console"
+ default n
+ help
+ If set, the first time the app boots it will disable the BASIC ROM Console
+ permanently (by burning an efuse).
+
+ Otherwise, the BASIC ROM Console starts on reset if no valid bootloader is
+ read from the flash.
+
+ (Enabling secure boot also disables the BASIC ROM Console by default.)
+
 config NO_BLOBS
 bool "No Binary Blobs"
 depends on !BT_ENABLED
@@ -624,7 +636,7 @@ config ESP_TIMER_PROFILING
 used for timer storage, and should only be used for debugging/testing purposes.
-endmenu
+endmenu # ESP32-Specific
 menu Wi-Fi
@@ -748,10 +760,10 @@ config ESP32_WIFI_NVS_ENABLED
 help
 Select this option to enable WiFi NVS flash
-endmenu
+endmenu # Wi-Fi
 menu Phy
-
+
 config ESP32_PHY_CALIBRATION_AND_DATA_STORAGE
 bool "Do phy calibration and store calibration data in NVS"
 default y
@@ -790,4 +802,4 @@ config ESP32_PHY_MAX_TX_POWER
 int
 default ESP32_PHY_MAX_WIFI_TX_POWER
-endmenu
+endmenu # PHY
diff --git a/components/esp32/cpu_start.c b/components/esp32/cpu_start.c
index 7fec14f3c3..02745f3c11 100644
--- a/components/esp32/cpu_start.c
+++ b/components/esp32/cpu_start.c
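Review bot: esp_efuse_disable_basic_rom_console() never confirms that the burn took effect: after esp_efuse_burn_new_values() returns, nothing re-reads EFUSE_BLK0_RDATA6_REG, so a write that did not stick (for instance because the efuse block is write-protected on that chip) is announced as "Disable BASIC ROM Console fallback via efuse..." and silently leaves the console enabled. Assuming esp_efuse_burn_new_values() refreshes the read registers afterwards — the EFUSE_CONF_READ/EFUSE_CMD_READ defines in this file suggest it does, but the body is outside this hunk — a read-back after the burn call keeps the log honest: `if ((REG_READ(EFUSE_BLK0_RDATA6_REG) & EFUSE_RD_CONSOLE_DEBUG_DISABLE) == 0) {` / `    ESP_EARLY_LOGW(TAG, "BASIC ROM Console efuse not set after burn");` / `}`. The flash_encrypt.c hunk in the second patch has the same gap.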
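Review bot: The help text for DISABLE_BASIC_ROM_CONSOLE does not say that the efuse is burned by the application itself (start_cpu0_default() in the cpu_start.c hunk of this patch), so any image built with the option set — including a development build flashed for a quick test — irreversibly changes the chip. A sentence such as `This is done by the app itself on its first boot and cannot be undone, so do not enable it in development builds.` would make that cost visible in menuconfig. The closing remark only names secure boot; once the second patch makes flash encryption burn the same efuse, `(Enabling secure boot or flash encryption also disables the BASIC ROM Console by default.)` keeps this help consistent with Kconfig.projbuild.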
@@ -62,6 +62,7 @@
 #include "esp_panic.h"
 #include "esp_core_dump.h"
 #include "esp_app_trace.h"
+#include "esp_efuse.h"
 #include "esp_clk.h"
 #include "esp_timer.h"
 #include "trax.h"
@@ -244,6 +245,9 @@ void start_cpu0_default(void)
 #endif
 #if CONFIG_BROWNOUT_DET
 esp_brownout_init();
+#endif
+#if CONFIG_DISABLE_BASIC_ROM_CONSOLE
+ esp_efuse_disable_basic_rom_console();
 #endif
 rtc_gpio_force_hold_dis_all();
 esp_vfs_dev_uart_register();
From 7a18575af8b3160e196518586621be4d3ea4cf98 Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Tue, 22 Aug 2017 15:40:53 +1000
Subject: [PATCH 2/2] flash encryption: Also always disable ROM BASIC console when enabling flash encryption
---
 components/bootloader/Kconfig.projbuild | 11 ++++++++---
 components/bootloader_support/src/flash_encrypt.c | 6 ++++++
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 5af223c0ad..d494cb0559 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -168,12 +168,17 @@ menu "Potentially insecure options"
 config SECURE_BOOT_ALLOW_ROM_BASIC
 bool "Leave ROM BASIC Interpreter available on reset"
- depends on SECURE_BOOT_INSECURE
+ depends on SECURE_BOOT_INSECURE || FLASH_ENCRYPTION_INSECURE
 default N
 help
- If not set (default), bootloader permanently disables ROM BASIC (on UART console) as a fallback if the bootloader image becomes invalid. This happens on first boot.
+ By default, the BASIC ROM Console starts on reset if no valid bootloader is
+ read from the flash.
- Only set this option in testing environments.
+ When either flash encryption or secure boot are enabled, the default is to
+ disable this BASIC fallback mode permanently via efuse.
+
+ If this option is set, this efuse is not burned and the BASIC ROM Console may
+ remain accessible. Only set this option in testing environments.
 config SECURE_BOOT_ALLOW_JTAG
 bool "Allow JTAG Debugging"
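Review bot: The added lines close the `#if CONFIG_BROWNOUT_DET` block with a new `#endif` and then borrow the pre-existing `#endif` for `#if CONFIG_DISABLE_BASIC_ROM_CONSOLE`, so at a glance the ROM-console call looks nested inside the brownout block until the preprocessor lines are counted; placing the whole new `#if`/call/`#endif` after the existing `#endif` instead would make the two blocks visibly independent. A short comment is also worth adding, because a reader of start_cpu0_default() cannot see that the efuse is checked before it is burned: `/* One-shot: returns early if the console-disable efuse is already set. */`. start_cpu0_default() extends beyond the hunk on both sides.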
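Review bot: The rewritten help for SECURE_BOOT_ALLOW_ROM_BASIC drops the one operational detail the removed text carried, "This happens on first boot", so a reader no longer learns when the efuse is burned or that leaving the option clear on that first boot cannot be revisited later; `disable this BASIC fallback mode permanently via efuse on first boot.` restores it. On the same line, `When either flash encryption or secure boot is enabled` reads better than "are enabled". The `depends on` change matches the `#ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC` check in the flash_encrypt.c hunk, so the two stay in step.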
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index eff15b7ca4..290a02a911 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -139,6 +139,12 @@ static esp_err_t initialise_flash_encryption(void)
 #else
 ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
 #endif
+#ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
+ ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
+ new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE;
+#else
+ ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
+#endif
 if (new_wdata6 != 0) {
 REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);
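Review bot: EFUSE_RD_CONSOLE_DEBUG_DISABLE is only OR-ed into new_wdata6 inside initialise_flash_encryption(), so if that function runs only on the boot that first enables encryption — its name and the other efuse writes around it suggest so, but its callers are outside this hunk — a device already encrypted by an earlier release keeps the ROM BASIC fallback reachable after upgrading, and as far as this hunk shows nothing reports that. Either document that limitation next to the new `#ifndef`, or also check EFUSE_BLK0_RDATA6_REG for the bit on the path that handles already-encrypted devices. As in the efuse.c hunk of the first patch, the burn is not read back here either; a post-burn check of EFUSE_BLK0_RDATA6_REG with an `ESP_LOGW` when the bit is still clear would make the "Disable ROM BASIC interpreter fallback..." message trustworthy. initialise_flash_encryption() continues outside the hunk.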