1menu "Bootloader config" 2 3 config BOOTLOADER_OFFSET_IN_FLASH 4 hex 5 default 0x1000 if IDF_TARGET_ESP32 || IDF_TARGET_ESP32S2 6 default 0x0 7 help 8 Offset address that 2nd bootloader will be flashed to. 9 The value is determined by the ROM bootloader. 10 It's not configurable in ESP-IDF. 11 12 choice BOOTLOADER_COMPILER_OPTIMIZATION 13 prompt "Bootloader optimization Level" 14 default BOOTLOADER_COMPILER_OPTIMIZATION_SIZE 15 help 16 This option sets compiler optimization level (gcc -O argument) 17 for the bootloader. 18 19 - The default "Size" setting will add the -0s flag to CFLAGS. 20 - The "Debug" setting will add the -Og flag to CFLAGS. 21 - The "Performance" setting will add the -O2 flag to CFLAGS. 22 - The "None" setting will add the -O0 flag to CFLAGS. 23 24 Note that custom optimization levels may be unsupported. 25 26 config BOOTLOADER_COMPILER_OPTIMIZATION_SIZE 27 bool "Size (-Os)" 28 config BOOTLOADER_COMPILER_OPTIMIZATION_DEBUG 29 bool "Debug (-Og)" 30 config BOOTLOADER_COMPILER_OPTIMIZATION_PERF 31 bool "Optimize for performance (-O2)" 32 config BOOTLOADER_COMPILER_OPTIMIZATION_NONE 33 bool "Debug without optimization (-O0)" 34 endchoice 35 36 choice BOOTLOADER_LOG_LEVEL 37 bool "Bootloader log verbosity" 38 default BOOTLOADER_LOG_LEVEL_INFO 39 help 40 Specify how much output to see in bootloader logs. 41 42 config BOOTLOADER_LOG_LEVEL_NONE 43 bool "No output" 44 config BOOTLOADER_LOG_LEVEL_ERROR 45 bool "Error" 46 config BOOTLOADER_LOG_LEVEL_WARN 47 bool "Warning" 48 config BOOTLOADER_LOG_LEVEL_INFO 49 bool "Info" 50 config BOOTLOADER_LOG_LEVEL_DEBUG 51 bool "Debug" 52 config BOOTLOADER_LOG_LEVEL_VERBOSE 53 bool "Verbose" 54 endchoice 55 56 config BOOTLOADER_LOG_LEVEL 57 int 58 default 0 if BOOTLOADER_LOG_LEVEL_NONE 59 default 1 if BOOTLOADER_LOG_LEVEL_ERROR 60 default 2 if BOOTLOADER_LOG_LEVEL_WARN 61 default 3 if BOOTLOADER_LOG_LEVEL_INFO 62 default 4 if BOOTLOADER_LOG_LEVEL_DEBUG 63 default 5 if BOOTLOADER_LOG_LEVEL_VERBOSE 64 65 menu "Serial Flash Configurations" 66 config BOOTLOADER_SPI_CUSTOM_WP_PIN 67 bool "Use custom SPI Flash WP Pin when flash pins set in eFuse (read help)" 68 depends on IDF_TARGET_ESP32 && (ESPTOOLPY_FLASHMODE_QIO || ESPTOOLPY_FLASHMODE_QOUT) 69 default y if BOOTLOADER_SPI_WP_PIN != 7 # backwards compatibility, can remove in IDF 5 70 default n 71 help 72 This setting is only used if the SPI flash pins have been overridden by setting the eFuses 73 SPI_PAD_CONFIG_xxx, and the SPI flash mode is QIO or QOUT. 74 75 When this is the case, the eFuse config only defines 3 of the 4 Quad I/O data pins. The WP pin (aka 76 ESP32 pin "SD_DATA_3" or SPI flash pin "IO2") is not specified in eFuse. The same pin is also used 77 for external SPIRAM if it is enabled. 78 79 If this config item is set to N (default), the correct WP pin will be automatically used for any 80 Espressif chip or module with integrated flash. If a custom setting is needed, set this config item to 81 Y and specify the GPIO number connected to the WP. 82 83 config BOOTLOADER_SPI_WP_PIN 84 int "Custom SPI Flash WP Pin" 85 range 0 33 86 default 7 87 depends on IDF_TARGET_ESP32 && (ESPTOOLPY_FLASHMODE_QIO || ESPTOOLPY_FLASHMODE_QOUT) 88 #depends on BOOTLOADER_SPI_CUSTOM_WP_PIN # backwards compatibility, can uncomment in IDF 5 89 help 90 The option "Use custom SPI Flash WP Pin" must be set or this value is ignored 91 92 If burning a customized set of SPI flash pins in eFuse and using QIO or QOUT mode for flash, set this 93 value to the GPIO number of the SPI flash WP pin. 94 95 config BOOTLOADER_FLASH_DC_AWARE 96 bool "Allow app adjust Dummy Cycle bits in SPI Flash for higher frequency (READ HELP FIRST)" 97 help 98 This will force 2nd bootloader to be loaded by DOUT mode, and will restore Dummy Cycle setting by 99 resetting the Flash 100 101 config BOOTLOADER_FLASH_XMC_SUPPORT 102 bool "Enable the support for flash chips of XMC (READ DOCS FIRST)" 103 default y 104 help 105 Perform the startup flow recommended by XMC. Please consult XMC for the details of this flow. 106 XMC chips will be forbidden to be used, when this option is disabled. 107 108 DON'T DISABLE THIS UNLESS YOU KNOW WHAT YOU ARE DOING. 109 110 comment "Features below require specific hardware (READ DOCS FIRST!)" 111 112 config BOOTLOADER_FLASH_32BIT_ADDR 113 bool 114 default y if ESPTOOLPY_FLASHSIZE_32MB || ESPTOOLPY_FLASHSIZE_64MB || ESPTOOLPY_FLASHSIZE_128MB 115 default n 116 help 117 This is a helper config for 32bits address flash. Invisible for users. 118 119 config BOOTLOADER_CACHE_32BIT_ADDR_OCTAL_FLASH 120 bool 121 default y if ESPTOOLPY_OCT_FLASH && BOOTLOADER_FLASH_32BIT_ADDR 122 default n 123 124 endmenu 125 126 choice BOOTLOADER_VDDSDIO_BOOST 127 bool "VDDSDIO LDO voltage" 128 default BOOTLOADER_VDDSDIO_BOOST_1_9V 129 depends on SOC_CONFIGURABLE_VDDSDIO_SUPPORTED 130 help 131 If this option is enabled, and VDDSDIO LDO is set to 1.8V (using eFuse 132 or MTDI bootstrapping pin), bootloader will change LDO settings to 133 output 1.9V instead. This helps prevent flash chip from browning out 134 during flash programming operations. 135 136 This option has no effect if VDDSDIO is set to 3.3V, or if the internal 137 VDDSDIO regulator is disabled via eFuse. 138 139 config BOOTLOADER_VDDSDIO_BOOST_1_8V 140 bool "1.8V" 141 depends on !ESPTOOLPY_FLASHFREQ_80M 142 config BOOTLOADER_VDDSDIO_BOOST_1_9V 143 bool "1.9V" 144 endchoice 145 146 config BOOTLOADER_FACTORY_RESET 147 bool "GPIO triggers factory reset" 148 default N 149 select BOOTLOADER_RESERVE_RTC_MEM if SOC_RTC_FAST_MEM_SUPPORTED 150 help 151 Allows to reset the device to factory settings: 152 - clear one or more data partitions; 153 - boot from "factory" partition. 154 The factory reset will occur if there is a GPIO input held at the configured level while 155 device starts up. See settings below. 156 157 config BOOTLOADER_NUM_PIN_FACTORY_RESET 158 int "Number of the GPIO input for factory reset" 159 depends on BOOTLOADER_FACTORY_RESET 160 range 0 39 if IDF_TARGET_ESP32 161 range 0 44 if IDF_TARGET_ESP32S2 162 default 4 163 help 164 The selected GPIO will be configured as an input with internal pull-up enabled (note that on some SoCs. 165 not all pins have an internal pull-up, consult the hardware datasheet for details.) To trigger a factory 166 reset, this GPIO must be held high or low (as configured) on startup. 167 168 choice BOOTLOADER_FACTORY_RESET_PIN_LEVEL 169 bool "Factory reset GPIO level" 170 depends on BOOTLOADER_FACTORY_RESET 171 default BOOTLOADER_FACTORY_RESET_PIN_LOW 172 help 173 Pin level for factory reset, can be triggered on low or high. 174 175 config BOOTLOADER_FACTORY_RESET_PIN_LOW 176 bool "Reset on GPIO low" 177 178 config BOOTLOADER_FACTORY_RESET_PIN_HIGH 179 bool "Reset on GPIO high" 180 endchoice 181 182 config BOOTLOADER_OTA_DATA_ERASE 183 bool "Clear OTA data on factory reset (select factory partition)" 184 depends on BOOTLOADER_FACTORY_RESET 185 help 186 The device will boot from "factory" partition (or OTA slot 0 if no factory partition is present) after a 187 factory reset. 188 189 config BOOTLOADER_DATA_FACTORY_RESET 190 string "Comma-separated names of partitions to clear on factory reset" 191 depends on BOOTLOADER_FACTORY_RESET 192 default "nvs" 193 help 194 Allows customers to select which data partitions will be erased while factory reset. 195 196 Specify the names of partitions as a comma-delimited with optional spaces for readability. (Like this: 197 "nvs, phy_init, ...") 198 Make sure that the name specified in the partition table and here are the same. 199 Partitions of type "app" cannot be specified here. 200 201 config BOOTLOADER_APP_TEST 202 bool "GPIO triggers boot from test app partition" 203 default N 204 depends on !BOOTLOADER_APP_ANTI_ROLLBACK 205 help 206 Allows to run the test app from "TEST" partition. 207 A boot from "test" partition will occur if there is a GPIO input pulled low while device starts up. 208 See settings below. 209 210 config BOOTLOADER_NUM_PIN_APP_TEST 211 int "Number of the GPIO input to boot TEST partition" 212 depends on BOOTLOADER_APP_TEST 213 range 0 39 214 default 18 215 help 216 The selected GPIO will be configured as an input with internal pull-up enabled. 217 To trigger a test app, this GPIO must be pulled low on reset. 218 After the GPIO input is deactivated and the device reboots, the old application will boot. 219 (factory or OTA[x]). 220 Note that GPIO34-39 do not have an internal pullup and an external one must be provided. 221 222 choice BOOTLOADER_APP_TEST_PIN_LEVEL 223 bool "App test GPIO level" 224 depends on BOOTLOADER_APP_TEST 225 default BOOTLOADER_APP_TEST_PIN_LOW 226 help 227 Pin level for app test, can be triggered on low or high. 228 229 config BOOTLOADER_APP_TEST_PIN_LOW 230 bool "Enter test app on GPIO low" 231 232 config BOOTLOADER_APP_TEST_PIN_HIGH 233 bool "Enter test app on GPIO high" 234 endchoice 235 236 config BOOTLOADER_HOLD_TIME_GPIO 237 int "Hold time of GPIO for reset/test mode (seconds)" 238 depends on BOOTLOADER_FACTORY_RESET || BOOTLOADER_APP_TEST 239 default 5 240 help 241 The GPIO must be held low continuously for this period of time after reset 242 before a factory reset or test partition boot (as applicable) is performed. 243 244 config BOOTLOADER_REGION_PROTECTION_ENABLE 245 bool "Enable protection for unmapped memory regions" 246 default y 247 help 248 Protects the unmapped memory regions of the entire address space from unintended accesses. 249 This will ensure that an exception will be triggered whenever the CPU performs a memory 250 operation on unmapped regions of the address space. 251 252 config BOOTLOADER_WDT_ENABLE 253 bool "Use RTC watchdog in start code" 254 default y 255 help 256 Tracks the execution time of startup code. 257 If the execution time is exceeded, the RTC_WDT will restart system. 258 It is also useful to prevent a lock up in start code caused by an unstable power source. 259 NOTE: Tracks the execution time starts from the bootloader code - re-set timeout, while selecting the 260 source for slow_clk - and ends calling app_main. 261 Re-set timeout is needed due to WDT uses a SLOW_CLK clock source. After changing a frequency slow_clk a 262 time of WDT needs to re-set for new frequency. 263 slow_clk depends on RTC_CLK_SRC (INTERNAL_RC or EXTERNAL_CRYSTAL). 264 265 config BOOTLOADER_WDT_DISABLE_IN_USER_CODE 266 bool "Allows RTC watchdog disable in user code" 267 depends on BOOTLOADER_WDT_ENABLE 268 default n 269 help 270 If this option is set, the ESP-IDF app must explicitly reset, feed, or disable the rtc_wdt in 271 the app's own code. 272 If this option is not set (default), then rtc_wdt will be disabled by ESP-IDF before calling 273 the app_main() function. 274 275 Use function rtc_wdt_feed() for resetting counter of rtc_wdt. 276 Use function rtc_wdt_disable() for disabling rtc_wdt. 277 278 config BOOTLOADER_WDT_TIME_MS 279 int "Timeout for RTC watchdog (ms)" 280 depends on BOOTLOADER_WDT_ENABLE 281 default 9000 282 range 0 120000 283 help 284 Verify that this parameter is correct and more then the execution time. 285 Pay attention to options such as reset to factory, trigger test partition and encryption on boot 286 - these options can increase the execution time. 287 Note: RTC_WDT will reset while encryption operations will be performed. 288 289 config BOOTLOADER_APP_ROLLBACK_ENABLE 290 bool "Enable app rollback support" 291 default n 292 help 293 After updating the app, the bootloader runs a new app with the "ESP_OTA_IMG_PENDING_VERIFY" state set. 294 This state prevents the re-run of this app. After the first boot of the new app in the user code, the 295 function should be called to confirm the operability of the app or vice versa about its non-operability. 296 If the app is working, then it is marked as valid. Otherwise, it is marked as not valid and rolls back to 297 the previous working app. A reboot is performed, and the app is booted before the software update. 298 Note: If during the first boot a new app the power goes out or the WDT works, then roll back will happen. 299 Rollback is possible only between the apps with the same security versions. 300 301 config BOOTLOADER_APP_ANTI_ROLLBACK 302 bool "Enable app anti-rollback support" 303 depends on BOOTLOADER_APP_ROLLBACK_ENABLE 304 default n 305 help 306 This option prevents rollback to previous firmware/application image with lower security version. 307 308 config BOOTLOADER_APP_SECURE_VERSION 309 int "eFuse secure version of app" 310 depends on BOOTLOADER_APP_ANTI_ROLLBACK 311 default 0 312 help 313 The secure version is the sequence number stored in the header of each firmware. 314 The security version is set in the bootloader, version is recorded in the eFuse field 315 as the number of set ones. The allocated number of bits in the efuse field 316 for storing the security version is limited (see BOOTLOADER_APP_SEC_VER_SIZE_EFUSE_FIELD option). 317 318 Bootloader: When bootloader selects an app to boot, an app is selected that has 319 a security version greater or equal that recorded in eFuse field. 320 The app is booted with a higher (or equal) secure version. 321 322 The security version is worth increasing if in previous versions there is 323 a significant vulnerability and their use is not acceptable. 324 325 Your partition table should has a scheme with ota_0 + ota_1 (without factory). 326 327 config BOOTLOADER_APP_SEC_VER_SIZE_EFUSE_FIELD 328 int "Size of the efuse secure version field" 329 depends on BOOTLOADER_APP_ANTI_ROLLBACK 330 range 1 32 if IDF_TARGET_ESP32 331 default 32 if IDF_TARGET_ESP32 332 range 1 4 if IDF_TARGET_ESP32C2 333 default 4 if IDF_TARGET_ESP32C2 334 range 1 16 335 default 16 336 help 337 The size of the efuse secure version field. 338 Its length is limited to 32 bits for ESP32 and 16 bits for ESP32-S2. 339 This determines how many times the security version can be increased. 340 341 config BOOTLOADER_EFUSE_SECURE_VERSION_EMULATE 342 bool "Emulate operations with efuse secure version(only test)" 343 default n 344 depends on BOOTLOADER_APP_ANTI_ROLLBACK 345 select EFUSE_VIRTUAL 346 select EFUSE_VIRTUAL_KEEP_IN_FLASH 347 help 348 This option allows to emulate read/write operations with all eFuses and efuse secure version. 349 It allows to test anti-rollback implemention without permanent write eFuse bits. 350 There should be an entry in partition table with following details: `emul_efuse, data, efuse, , 0x2000`. 351 352 This option enables: EFUSE_VIRTUAL and EFUSE_VIRTUAL_KEEP_IN_FLASH. 353 354 config BOOTLOADER_SKIP_VALIDATE_IN_DEEP_SLEEP 355 bool "Skip image validation when exiting deep sleep" 356 # note: dependencies for this config item are different to other "skip image validation" 357 # options, allowing to turn on "allow insecure options" and have secure boot with 358 # "skip validation when existing deep sleep". Keeping this to avoid a breaking change, 359 # but - as noted in help - it invalidates the integrity of Secure Boot checks 360 depends on SOC_RTC_FAST_MEM_SUPPORTED && ((SECURE_BOOT && SECURE_BOOT_INSECURE) || !SECURE_BOOT) 361 default n 362 select BOOTLOADER_RESERVE_RTC_MEM 363 help 364 This option disables the normal validation of an image coming out of 365 deep sleep (checksums, SHA256, and signature). This is a trade-off 366 between wakeup performance from deep sleep, and image integrity checks. 367 368 Only enable this if you know what you are doing. It should not be used 369 in conjunction with using deep_sleep() entry and changing the active OTA 370 partition as this would skip the validation upon first load of the new 371 OTA partition. 372 373 It is possible to enable this option with Secure Boot if "allow insecure 374 options" is enabled, however it's strongly recommended to NOT enable it as 375 it may allow a Secure Boot bypass. 376 377 config BOOTLOADER_SKIP_VALIDATE_ON_POWER_ON 378 bool "Skip image validation from power on reset (READ HELP FIRST)" 379 # only available if both Secure Boot and Check Signature on Boot are disabled 380 depends on !SECURE_SIGNED_ON_BOOT 381 default n 382 help 383 Some applications need to boot very quickly from power on. By default, the entire app binary 384 is read from flash and verified which takes up a significant portion of the boot time. 385 386 Enabling this option will skip validation of the app when the SoC boots from power on. 387 Note that in this case it's not possible for the bootloader to detect if an app image is 388 corrupted in the flash, therefore it's not possible to safely fall back to a different app 389 partition. Flash corruption of this kind is unlikely but can happen if there is a serious 390 firmware bug or physical damage. 391 392 Following other reset types, the bootloader will still validate the app image. This increases 393 the chances that flash corruption resulting in a crash can be detected following soft reset, and 394 the bootloader will fall back to a valid app image. To increase the chances of successfully recovering 395 from a flash corruption event, keep the option BOOTLOADER_WDT_ENABLE enabled and consider also enabling 396 BOOTLOADER_WDT_DISABLE_IN_USER_CODE - then manually disable the RTC Watchdog once the app is running. 397 In addition, enable both the Task and Interrupt watchdog timers with reset options set. 398 399 config BOOTLOADER_SKIP_VALIDATE_ALWAYS 400 bool "Skip image validation always (READ HELP FIRST)" 401 # only available if both Secure Boot and Check Signature on Boot are disabled 402 depends on !SECURE_SIGNED_ON_BOOT 403 default n 404 select BOOTLOADER_SKIP_VALIDATE_IN_DEEP_SLEEP if SOC_RTC_FAST_MEM_SUPPORTED 405 select BOOTLOADER_SKIP_VALIDATE_ON_POWER_ON 406 help 407 Selecting this option prevents the bootloader from ever validating the app image before 408 booting it. Any flash corruption of the selected app partition will make the entire SoC 409 unbootable. 410 411 Although flash corruption is a very rare case, it is not recommended to select this option. 412 Consider selecting "Skip image validation from power on reset" instead. However, if boot time 413 is the only important factor then it can be enabled. 414 415 config BOOTLOADER_RESERVE_RTC_SIZE 416 hex 417 depends on SOC_RTC_FAST_MEM_SUPPORTED 418 default 0x10 if BOOTLOADER_RESERVE_RTC_MEM 419 default 0 420 help 421 Reserve RTC FAST memory for Skip image validation. This option in bytes. 422 This option reserves an area in the RTC FAST memory (access only PRO_CPU). 423 Used to save the addresses of the selected application. 424 When a wakeup occurs (from Deep sleep), the bootloader retrieves it and 425 loads the application without validation. 426 427 config BOOTLOADER_CUSTOM_RESERVE_RTC 428 bool "Reserve RTC FAST memory for custom purposes" 429 depends on SOC_RTC_FAST_MEM_SUPPORTED 430 select BOOTLOADER_RESERVE_RTC_MEM 431 default n 432 help 433 This option allows the customer to place data in the RTC FAST memory, 434 this area remains valid when rebooted, except for power loss. 435 This memory is located at a fixed address and is available 436 for both the bootloader and the application. 437 (The application and bootoloader must be compiled with the same option). 438 The RTC FAST memory has access only through PRO_CPU. 439 440 config BOOTLOADER_CUSTOM_RESERVE_RTC_IN_CRC 441 bool "Include custom memory in the CRC calculation" 442 depends on BOOTLOADER_CUSTOM_RESERVE_RTC 443 default n 444 help 445 This option allows the customer to use the legacy bootloader behavior when the 446 RTC FAST memory CRC calculation takes place. When this option is enabled, the 447 allocated user custom data will be taken into account in the CRC calculcation. 448 This means that any change to the custom data would need a CRC update to prevent 449 the bootloader from marking this data as corrupted. 450 If this option is disabled, the custom data will not be taken into account when 451 calculating the RTC FAST memory CRC. The user custom data can be changed freely, 452 without the need to update the CRC. 453 THIS OPTION MUST BE THE SAME FOR BOTH THE BOOTLOADER AND THE APPLICATION BUILDS. 454 455 config BOOTLOADER_CUSTOM_RESERVE_RTC_SIZE 456 hex "Size in bytes for custom purposes" 457 default 0 458 depends on BOOTLOADER_CUSTOM_RESERVE_RTC 459 help 460 This option reserves in RTC FAST memory the area for custom purposes. 461 If you want to create your own bootloader and save more information 462 in this area of memory, you can increase it. It must be a multiple of 4 bytes. 463 This area (rtc_retain_mem_t) is reserved and has access from the bootloader and an application. 464 465 config BOOTLOADER_RESERVE_RTC_MEM 466 bool 467 depends on SOC_RTC_FAST_MEM_SUPPORTED 468 help 469 This option reserves an area in RTC FAST memory for the following features: 470 - "Skip image validation when exiting deep sleep" 471 - "Reserve RTC FAST memory for custom purposes" 472 - "GPIO triggers factory reset" 473 474endmenu # Bootloader 475 476 477menu "Security features" 478 479 # These three are the actual options to check in code, 480 # selected by the displayed options 481 config SECURE_SIGNED_ON_BOOT 482 bool 483 default y 484 depends on SECURE_BOOT || SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT 485 486 config SECURE_SIGNED_ON_UPDATE 487 bool 488 default y 489 depends on SECURE_BOOT || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT 490 491 config SECURE_SIGNED_APPS 492 bool 493 default y 494 select MBEDTLS_ECP_DP_SECP256R1_ENABLED 495 select MBEDTLS_ECP_C 496 select MBEDTLS_ECDH_C 497 select MBEDTLS_ECDSA_C 498 depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE 499 500 config SECURE_BOOT_V2_RSA_SUPPORTED 501 bool 502 default y 503 # RSA secure boot is supported in ESP32 revision >= v3.0 504 depends on (IDF_TARGET_ESP32 && ESP32_REV_MIN_FULL >= 300) || SOC_SECURE_BOOT_V2_RSA 505 506 config SECURE_BOOT_V2_ECC_SUPPORTED 507 bool 508 default y 509 depends on SOC_SECURE_BOOT_V2_ECC 510 511 config SECURE_BOOT_V1_SUPPORTED 512 bool 513 default y 514 depends on SOC_SECURE_BOOT_V1 515 516 config SECURE_BOOT_V2_PREFERRED 517 bool 518 default y 519 depends on ESP32_REV_MIN_FULL >= 300 520 521 config SECURE_BOOT_V2_ECDSA_ENABLED 522 bool 523 default y if SECURE_BOOT_V2_ENABLED && SECURE_BOOT_V2_ECC_SUPPORTED 524 525 config SECURE_BOOT_V2_RSA_ENABLED 526 bool 527 default y if SECURE_BOOT_V2_ENABLED && SECURE_BOOT_V2_RSA_SUPPORTED 528 529 config SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER 530 bool 531 default y if SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK && SECURE_BOOT && SECURE_FLASH_ENC_ENABLED 532 # ESP32-C2 has one key block for SB and FE keys. These keys must be burned at the same time. 533 534 config SECURE_SIGNED_APPS_NO_SECURE_BOOT 535 bool "Require signed app images" 536 depends on !SECURE_BOOT 537 help 538 Require apps to be signed to verify their integrity. 539 540 This option uses the same app signature scheme as hardware secure boot, but unlike hardware secure boot it 541 does not prevent the bootloader from being physically updated. This means that the device can be secured 542 against remote network access, but not physical access. Compared to using hardware Secure Boot this option 543 is much simpler to implement. 544 545 choice SECURE_SIGNED_APPS_SCHEME 546 bool "App Signing Scheme" 547 depends on SECURE_BOOT || SECURE_SIGNED_APPS_NO_SECURE_BOOT 548 default SECURE_SIGNED_APPS_ECDSA_SCHEME if SECURE_BOOT_V1_ENABLED 549 default SECURE_SIGNED_APPS_RSA_SCHEME if SECURE_BOOT_V2_RSA_SUPPORTED 550 default SECURE_SIGNED_APPS_ECDSA_V2_SCHEME if SECURE_BOOT_V2_ECC_SUPPORTED 551 help 552 Select the Secure App signing scheme. Depends on the Chip Revision. 553 There are two secure boot versions: 554 555 1. Secure boot V1 556 - Legacy custom secure boot scheme. Supported in ESP32 SoC. 557 558 2. Secure boot V2 559 - RSA based secure boot scheme. 560 Supported in ESP32-ECO3 (ESP32 Chip Revision 3 onwards), ESP32-S2, ESP32-C3, ESP32-S3 SoCs. 561 562 - ECDSA based secure boot scheme. Supported in ESP32-C2 SoC. 563 564 config SECURE_SIGNED_APPS_ECDSA_SCHEME 565 bool "ECDSA" 566 depends on SECURE_BOOT_V1_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V1_ENABLED) 567 help 568 Embeds the ECDSA public key in the bootloader and signs the application with an ECDSA key. 569 Refer to the documentation before enabling. 570 571 config SECURE_SIGNED_APPS_RSA_SCHEME 572 bool "RSA" 573 depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED) 574 help 575 Appends the RSA-3072 based Signature block to the application. 576 Refer to <Secure Boot Version 2 documentation link> before enabling. 577 578 config SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 579 bool "ECDSA (V2)" 580 depends on SECURE_BOOT_V2_ECC_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED) 581 help 582 For Secure boot V2 (e.g., ESP32-C2 SoC), appends ECDSA based signature block to the application. 583 Refer to documentation before enabling. 584 585 endchoice 586 587 choice SECURE_BOOT_ECDSA_KEY_LEN_SIZE 588 bool "ECDSA key size" 589 depends on SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 590 default SECURE_BOOT_ECDSA_KEY_LEN_256_BITS 591 help 592 Select the ECDSA key size. Two key sizes are supported 593 594 - 192 bit key using NISTP192 curve 595 - 256 bit key using NISTP256 curve (Recommended) 596 597 The advantage of using 256 bit key is the extra randomness which makes it difficult to be 598 bruteforced compared to 192 bit key. 599 At present, both key sizes are practically implausible to bruteforce. 600 601 config SECURE_BOOT_ECDSA_KEY_LEN_192_BITS 602 bool "Using ECC curve NISTP192" 603 depends on SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 604 605 config SECURE_BOOT_ECDSA_KEY_LEN_256_BITS 606 bool "Using ECC curve NISTP256 (Recommended)" 607 depends on SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 608 609 endchoice 610 611 config SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT 612 bool "Bootloader verifies app signatures" 613 default n 614 depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT && SECURE_SIGNED_APPS_ECDSA_SCHEME 615 help 616 If this option is set, the bootloader will be compiled with code to verify that an app is signed before 617 booting it. 618 619 If hardware secure boot is enabled, this option is always enabled and cannot be disabled. 620 If hardware secure boot is not enabled, this option doesn't add significant security by itself so most 621 users will want to leave it disabled. 622 623 config SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT 624 bool "Verify app signature on update" 625 default y 626 depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT 627 help 628 If this option is set, any OTA updated apps will have the signature verified before being considered valid. 629 630 When enabled, the signature is automatically checked whenever the esp_ota_ops.h APIs are used for OTA 631 updates, or esp_image_format.h APIs are used to verify apps. 632 633 If hardware secure boot is enabled, this option is always enabled and cannot be disabled. 634 If hardware secure boot is not enabled, this option still adds significant security against network-based 635 attackers by preventing spoofing of OTA updates. 636 637 config SECURE_BOOT 638 bool "Enable hardware Secure Boot in bootloader (READ DOCS FIRST)" 639 default n 640 # Secure boot is not supported for ESP32-C3 revision < v0.3 641 depends on SOC_SECURE_BOOT_SUPPORTED && !(IDF_TARGET_ESP32C3 && ESP32C3_REV_MIN_FULL < 3) 642 select ESPTOOLPY_NO_STUB if !IDF_TARGET_ESP32 && !IDF_TARGET_ESP32S2 643 help 644 Build a bootloader which enables Secure Boot on first boot. 645 646 Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only load a partition 647 table or boot an app if the data has a verified digital signature. There are implications for reflashing 648 updated apps once secure boot is enabled. 649 650 When enabling secure boot, JTAG and ROM BASIC Interpreter are permanently disabled by default. 651 652 choice SECURE_BOOT_VERSION 653 bool "Select secure boot version" 654 default SECURE_BOOT_V2_ENABLED if SECURE_BOOT_V2_PREFERRED 655 depends on SECURE_BOOT 656 help 657 Select the Secure Boot Version. Depends on the Chip Revision. 658 Secure Boot V2 is the new RSA / ECDSA based secure boot scheme. 659 660 - RSA based scheme is supported in ESP32 (Revision 3 onwards), ESP32-S2, ESP32-C3 (ECO3), ESP32-S3. 661 - ECDSA based scheme is supported in ESP32-C2 SoC. 662 663 Please note that, RSA or ECDSA secure boot is property of specific SoC based on its HW design, supported 664 crypto accelerators, die-size, cost and similar parameters. Please note that RSA scheme has requirement 665 for bigger key sizes but at the same time it is comparatively faster than ECDSA verification. 666 667 Secure Boot V1 is the AES based (custom) secure boot scheme supported in ESP32 SoC. 668 669 config SECURE_BOOT_V1_ENABLED 670 bool "Enable Secure Boot version 1" 671 depends on SECURE_BOOT_V1_SUPPORTED 672 help 673 Build a bootloader which enables secure boot version 1 on first boot. 674 Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. 675 676 config SECURE_BOOT_V2_ENABLED 677 bool "Enable Secure Boot version 2" 678 depends on SECURE_BOOT_V2_RSA_SUPPORTED || SECURE_BOOT_V2_ECC_SUPPORTED 679 help 680 Build a bootloader which enables Secure Boot version 2 on first boot. 681 Refer to Secure Boot V2 section of the ESP-IDF Programmer's Guide for this version before enabling. 682 683 endchoice 684 685 choice SECURE_BOOTLOADER_MODE 686 bool "Secure bootloader mode" 687 depends on SECURE_BOOT_V1_ENABLED 688 default SECURE_BOOTLOADER_ONE_TIME_FLASH 689 690 config SECURE_BOOTLOADER_ONE_TIME_FLASH 691 bool "One-time flash" 692 help 693 On first boot, the bootloader will generate a key which is not readable externally or by software. A 694 digest is generated from the bootloader image itself. This digest will be verified on each subsequent 695 boot. 696 697 Enabling this option means that the bootloader cannot be changed after the first time it is booted. 698 699 config SECURE_BOOTLOADER_REFLASHABLE 700 bool "Reflashable" 701 help 702 Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key. 703 704 This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing 705 key. 706 707 This option is less secure than one-time flash, because a leak of the digest key from one device 708 allows reflashing of any device that uses it. 709 710 endchoice 711 712 config SECURE_BOOT_BUILD_SIGNED_BINARIES 713 bool "Sign binaries during build" 714 depends on SECURE_SIGNED_APPS 715 default y 716 help 717 Once secure boot or signed app requirement is enabled, app images are required to be signed. 718 719 If enabled (default), these binary files are signed as part of the build process. The file named in 720 "Secure boot private signing key" will be used to sign the image. 721 722 If disabled, unsigned app/partition data will be built. They must be signed manually using espsecure.py. 723 Version 1 to enable ECDSA Based Secure Boot and Version 2 to enable RSA based Secure Boot. 724 (for example, on a remote signing server.) 725 726 config SECURE_BOOT_SIGNING_KEY 727 string "Secure boot private signing key" 728 depends on SECURE_BOOT_BUILD_SIGNED_BINARIES 729 default "secure_boot_signing_key.pem" 730 help 731 Path to the key file used to sign app images. 732 733 Key file is an ECDSA private key (NIST256p curve) in PEM format for Secure Boot V1. 734 Key file is an RSA private key in PEM format for Secure Boot V2. 735 736 Path is evaluated relative to the project directory. 737 738 You can generate a new signing key by running the following command: 739 espsecure.py generate_signing_key secure_boot_signing_key.pem 740 741 See the Secure Boot section of the ESP-IDF Programmer's Guide for this version for details. 742 743 config SECURE_BOOT_VERIFICATION_KEY 744 string "Secure boot public signature verification key" 745 depends on SECURE_SIGNED_APPS && SECURE_SIGNED_APPS_ECDSA_SCHEME && !SECURE_BOOT_BUILD_SIGNED_BINARIES 746 default "signature_verification_key.bin" 747 help 748 Path to a public key file used to verify signed images. 749 Secure Boot V1: This ECDSA public key is compiled into the bootloader and/or 750 app, to verify app images. 751 752 Key file is in raw binary format, and can be extracted from a 753 PEM formatted private key using the espsecure.py 754 extract_public_key command. 755 756 Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. 757 758 config SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE 759 bool "Enable Aggressive key revoke strategy" 760 depends on SECURE_BOOT && SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 761 default N 762 help 763 If this option is set, ROM bootloader will revoke the public key digest burned in efuse block 764 if it fails to verify the signature of software bootloader with it. 765 Revocation of keys does not happen when enabling secure boot. Once secure boot is enabled, 766 key revocation checks will be done on subsequent boot-up, while verifying the software bootloader 767 768 This feature provides a strong resistance against physical attacks on the device. 769 770 NOTE: Once a digest slot is revoked, it can never be used again to verify an image 771 This can lead to permanent bricking of the device, in case all keys are revoked 772 because of signature verification failure. 773 774 choice SECURE_BOOTLOADER_KEY_ENCODING 775 bool "Hardware Key Encoding" 776 depends on SECURE_BOOTLOADER_REFLASHABLE 777 default SECURE_BOOTLOADER_KEY_ENCODING_256BIT 778 help 779 780 In reflashable secure bootloader mode, a hardware key is derived from the signing key (with SHA-256) and 781 can be written to eFuse with espefuse.py. 782 783 Normally this is a 256-bit key, but if 3/4 Coding Scheme is used on the device then the eFuse key is 784 truncated to 192 bits. 785 786 This configuration item doesn't change any firmware code, it only changes the size of key binary which is 787 generated at build time. 788 789 config SECURE_BOOTLOADER_KEY_ENCODING_256BIT 790 bool "No encoding (256 bit key)" 791 792 config SECURE_BOOTLOADER_KEY_ENCODING_192BIT 793 bool "3/4 encoding (192 bit key)" 794 795 endchoice 796 797 config SECURE_BOOT_INSECURE 798 bool "Allow potentially insecure options" 799 depends on SECURE_BOOT 800 default N 801 help 802 You can disable some of the default protections offered by secure boot, in order to enable testing or a 803 custom combination of security features. 804 805 Only enable these options if you are very sure. 806 807 Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. 808 809 config SECURE_FLASH_ENC_ENABLED 810 bool "Enable flash encryption on boot (READ DOCS FIRST)" 811 default N 812 select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE 813 help 814 If this option is set, flash contents will be encrypted by the bootloader on first boot. 815 816 Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted 817 system is complicated and not always possible. 818 819 Read https://docs.espressif.com/projects/esp-idf/en/latest/security/flash-encryption.html 820 before enabling. 821 822 choice SECURE_FLASH_ENCRYPTION_KEYSIZE 823 bool "Size of generated AES-XTS key" 824 default SECURE_FLASH_ENCRYPTION_AES128 825 depends on SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS && SECURE_FLASH_ENC_ENABLED 826 help 827 Size of generated AES-XTS key. 828 829 - AES-128 uses a 256-bit key (32 bytes) derived from 128 bits (16 bytes) burned in half Efuse key block. 830 Internally, it calculates SHA256(128 bits) 831 - AES-128 uses a 256-bit key (32 bytes) which occupies one Efuse key block. 832 - AES-256 uses a 512-bit key (64 bytes) which occupies two Efuse key blocks. 833 834 This setting is ignored if either type of key is already burned to Efuse before the first boot. 835 In this case, the pre-burned key is used and no new key is generated. 836 837 config SECURE_FLASH_ENCRYPTION_AES128_DERIVED 838 bool "AES-128 key derived from 128 bits (SHA256(128 bits))" 839 depends on SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED 840 841 config SECURE_FLASH_ENCRYPTION_AES128 842 bool "AES-128 (256-bit key)" 843 depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && !(IDF_TARGET_ESP32C2 && SECURE_BOOT) 844 845 config SECURE_FLASH_ENCRYPTION_AES256 846 bool "AES-256 (512-bit key)" 847 depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 848 endchoice 849 850 choice SECURE_FLASH_ENCRYPTION_MODE 851 bool "Enable usage mode" 852 depends on SECURE_FLASH_ENC_ENABLED 853 default SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 854 help 855 By default Development mode is enabled which allows ROM download mode to perform flash encryption 856 operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext 857 to flash.) This mode is not secure, it's possible for an attacker to write their own chosen plaintext 858 to flash. 859 860 Release mode should always be selected for production or manufacturing. Once enabled it's no longer 861 possible for the device in ROM Download Mode to use the flash encryption hardware. 862 863 When EFUSE_VIRTUAL is enabled, SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not available. 864 For CI tests we use IDF_CI_BUILD to bypass it ("export IDF_CI_BUILD=1"). 865 We do not recommend bypassing it for other purposes. 866 867 Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details. 868 869 config SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 870 bool "Development (NOT SECURE)" 871 select SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC 872 873 config SECURE_FLASH_ENCRYPTION_MODE_RELEASE 874 bool "Release" 875 select PARTITION_TABLE_MD5 if !APP_COMPATIBLE_PRE_V3_1_BOOTLOADERS 876 depends on !EFUSE_VIRTUAL || IDF_CI_BUILD 877 878 endchoice 879 880 config SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 881 bool 882 default y if (SOC_EFUSE_DIS_ICACHE || IDF_TARGET_ESP32) && SECURE_FLASH_ENC_ENABLED 883 884 menu "Potentially insecure options" 885 visible if SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT || SECURE_BOOT_INSECURE || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT # NOERROR 886 887 # NOTE: Options in this menu NEED to have SECURE_BOOT_INSECURE 888 # and/or SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu 889 # itself doesn't enable/disable its children (if it's not set, 890 # it's possible for the insecure menu to be disabled but the insecure option 891 # to remain on which is very bad.) 892 893 config SECURE_BOOT_ALLOW_ROM_BASIC 894 bool "Leave ROM BASIC Interpreter available on reset" 895 depends on (SECURE_BOOT_INSECURE || SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT) && IDF_TARGET_ESP32 896 default N 897 help 898 By default, the BASIC ROM Console starts on reset if no valid bootloader is 899 read from the flash. 900 901 When either flash encryption or secure boot are enabled, the default is to 902 disable this BASIC fallback mode permanently via eFuse. 903 904 If this option is set, this eFuse is not burned and the BASIC ROM Console may 905 remain accessible. Only set this option in testing environments. 906 907 config SECURE_BOOT_ALLOW_JTAG 908 bool "Allow JTAG Debugging" 909 depends on SECURE_BOOT_INSECURE || SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 910 select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 911 default N 912 help 913 If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot 914 when either secure boot or flash encryption is enabled. 915 916 Setting this option leaves JTAG on for debugging, which negates all protections of flash encryption 917 and some of the protections of secure boot. 918 919 Only set this option in testing environments. 920 921 config SECURE_BOOT_ALLOW_SHORT_APP_PARTITION 922 bool "Allow app partition length not 64KB aligned" 923 depends on SECURE_BOOT_INSECURE || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT 924 help 925 If not set (default), app partition size must be a multiple of 64KB. App images are padded to 64KB 926 length, and the bootloader checks any trailing bytes after the signature (before the next 64KB 927 boundary) have not been written. This is because flash cache maps entire 64KB pages into the address 928 space. This prevents an attacker from appending unverified data after the app image in the flash, 929 causing it to be mapped into the address space. 930 931 Setting this option allows the app partition length to be unaligned, and disables padding of the app 932 image to this length. It is generally not recommended to set this option, unless you have a legacy 933 partitioning scheme which doesn't support 64KB aligned partition lengths. 934 935 config SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS 936 bool "Allow additional read protecting of efuses" 937 depends on SECURE_BOOT_INSECURE && SECURE_BOOT_V2_ENABLED 938 help 939 If not set (default, recommended), on first boot the bootloader will burn the WR_DIS_RD_DIS 940 efuse when Secure Boot is enabled. This prevents any more efuses from being read protected. 941 942 If this option is set, it will remain possible to write the EFUSE_RD_DIS efuse field after Secure 943 Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse (for ESP32) and 944 BLOCK4-BLOCK10 (i.e. BLOCK_KEY0-BLOCK_KEY5)(for other chips) holding the public key digest, causing an 945 immediate denial of service and possibly allowing an additional fault injection attack to 946 bypass the signature protection. 947 948 NOTE: Once a BLOCK is read-protected, the application will read all zeros from that block 949 950 NOTE: If "UART ROM download mode (Permanently disabled (recommended))" or 951 "UART ROM download mode (Permanently switch to Secure mode (recommended))" is set, 952 then it is __NOT__ possible to read/write efuses using espefuse.py utility. 953 However, efuse can be read/written from the application 954 955 config SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS 956 bool "Leave unused digest slots available (not revoke)" 957 depends on SECURE_BOOT_INSECURE && SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 958 default N 959 help 960 If not set (default), during startup in the app all unused digest slots will be revoked. 961 To revoke unused slot will be called esp_efuse_set_digest_revoke(num_digest) for each digest. 962 Revoking unused digest slots makes ensures that no trusted keys can be added later by an attacker. 963 If set, it means that you have a plan to use unused digests slots later. 964 965 config SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC 966 bool "Leave UART bootloader encryption enabled" 967 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 968 select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 969 default N 970 help 971 If not set (default), the bootloader will permanently disable UART bootloader encryption access on 972 first boot. If set, the UART bootloader will still be able to access hardware encryption. 973 974 It is recommended to only set this option in testing environments. 975 976 config SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC 977 bool "Leave UART bootloader decryption enabled" 978 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT && IDF_TARGET_ESP32 979 default N 980 help 981 If not set (default), the bootloader will permanently disable UART bootloader decryption access on 982 first boot. If set, the UART bootloader will still be able to access hardware decryption. 983 984 Only set this option in testing environments. Setting this option allows complete bypass of flash 985 encryption. 986 987 config SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE 988 bool "Leave UART bootloader flash cache enabled" 989 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT && (IDF_TARGET_ESP32 || SOC_EFUSE_DIS_DOWNLOAD_ICACHE || SOC_EFUSE_DIS_DOWNLOAD_DCACHE) # NOERROR 990 default N 991 select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 992 help 993 If not set (default), the bootloader will permanently disable UART bootloader flash cache access on 994 first boot. If set, the UART bootloader will still be able to access the flash cache. 995 996 Only set this option in testing environments. 997 998 config SECURE_FLASH_REQUIRE_ALREADY_ENABLED 999 bool "Require flash encryption to be already enabled" 1000 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 1001 default N 1002 help 1003 If not set (default), and flash encryption is not yet enabled in eFuses, the 2nd stage bootloader 1004 will enable flash encryption: generate the flash encryption key and program eFuses. 1005 If this option is set, and flash encryption is not yet enabled, the bootloader will error out and 1006 reboot. 1007 If flash encryption is enabled in eFuses, this option does not change the bootloader behavior. 1008 1009 Only use this option in testing environments, to avoid accidentally enabling flash encryption on 1010 the wrong device. The device needs to have flash encryption already enabled using espefuse.py. 1011 1012 config SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE 1013 bool "Skip write-protection of DIS_CACHE (DIS_ICACHE, DIS_DCACHE)" 1014 default n 1015 depends on SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 1016 help 1017 If not set (default, recommended), on the first boot the bootloader will burn the write-protection of 1018 DIS_CACHE(for ESP32) or DIS_ICACHE/DIS_DCACHE(for other chips) eFuse when Flash Encryption is enabled. 1019 Write protection for cache disable efuse prevents the chip from being blocked if it is set by accident. 1020 App and bootloader use cache so disabling it makes the chip useless for IDF. 1021 Due to other eFuses are linked with the same write protection bit (see the list below) then 1022 write-protection will not be done if these SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC, 1023 SECURE_BOOT_ALLOW_JTAG or SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE options are selected 1024 to give a chance to turn on the chip into the release mode later. 1025 1026 List of eFuses with the same write protection bit: 1027 ESP32: MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV. 1028 1029 ESP32-C3: DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, DIS_USB_SERIAL_JTAG, 1030 DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 1031 1032 ESP32-C6: SWAP_UART_SDIO_EN, DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, 1033 DIS_USB_SERIAL_JTAG, DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, 1034 DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 1035 1036 ESP32-H2: DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS, 1037 DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 1038 1039 ESP32-S2: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE, 1040 DIS_FORCE_DOWNLOAD, DIS_USB, DIS_TWAI, DIS_BOOT_REMAP, SOFT_DIS_JTAG, 1041 HARD_DIS_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 1042 1043 ESP32-S3: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE, 1044 DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG, 1045 DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL. 1046 endmenu # Potentially Insecure 1047 1048 config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART 1049 bool "Encrypt only the app image that is present in the partition of type app" 1050 depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED 1051 default n 1052 help 1053 If set, optimise encryption time for the partition of type APP, 1054 by only encrypting the app image that is present in the partition, 1055 instead of the whole partition. 1056 The image length used for encryption is derived from the image metadata, which 1057 includes the size of the app image, checksum, hash and also the signature sector 1058 when secure boot is enabled. 1059 1060 If not set (default), the whole partition of type APP would be encrypted, 1061 which increases the encryption time but might be useful if there 1062 is any custom data appended to the firmware image. 1063 1064 config SECURE_FLASH_CHECK_ENC_EN_IN_APP 1065 bool "Check Flash Encryption enabled on app startup" 1066 depends on SECURE_FLASH_ENC_ENABLED 1067 default y 1068 help 1069 If set (default), in an app during startup code, 1070 there is a check of the flash encryption eFuse bit is on 1071 (as the bootloader should already have set it). 1072 The app requires this bit is on to continue work otherwise abort. 1073 1074 If not set, the app does not care if the flash encryption eFuse bit is set or not. 1075 1076 config SECURE_ROM_DL_MODE_ENABLED 1077 bool 1078 default y if SOC_SUPPORTS_SECURE_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 1079 1080 choice SECURE_UART_ROM_DL_MODE 1081 bool "UART ROM download mode" 1082 default SECURE_ENABLE_SECURE_ROM_DL_MODE if SECURE_ROM_DL_MODE_ENABLED # NOERROR 1083 default SECURE_INSECURE_ALLOW_DL_MODE 1084 depends on SECURE_BOOT_V2_ENABLED || SECURE_FLASH_ENC_ENABLED 1085 depends on !(IDF_TARGET_ESP32 && ESP32_REV_MIN_FULL < 300) 1086 1087 config SECURE_DISABLE_ROM_DL_MODE 1088 bool "UART ROM download mode (Permanently disabled (recommended))" 1089 help 1090 If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM 1091 Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools. 1092 1093 Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode 1094 then an error is printed instead. 1095 1096 It is recommended to enable this option in any production application where Flash 1097 Encryption and/or Secure Boot is enabled and access to Download Mode is not required. 1098 1099 It is also possible to permanently disable Download Mode by calling 1100 esp_efuse_disable_rom_download_mode() at runtime. 1101 1102 config SECURE_ENABLE_SECURE_ROM_DL_MODE 1103 bool "UART ROM download mode (Permanently switch to Secure mode (recommended))" 1104 depends on SOC_SUPPORTS_SECURE_DL_MODE 1105 select ESPTOOLPY_NO_STUB 1106 help 1107 If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM 1108 Download Mode into a separate Secure Download mode. This option can only work if 1109 Download Mode is not already disabled by eFuse. 1110 1111 Secure Download mode limits the use of Download Mode functions to update SPI config, 1112 changing baud rate, basic flash write and a command to return a summary of currently 1113 enabled security features (`get_security_info`). 1114 1115 Secure Download mode is not compatible with the esptool.py flasher stub feature, 1116 espefuse.py, read/writing memory or registers, encrypted download, or any other 1117 features that interact with unsupported Download Mode commands. 1118 1119 Secure Download mode should be enabled in any application where Flash Encryption 1120 and/or Secure Boot is enabled. Disabling this option does not immediately cancel 1121 the benefits of the security features, but it increases the potential "attack 1122 surface" for an attacker to try and bypass them with a successful physical attack. 1123 1124 It is also possible to enable secure download mode at runtime by calling 1125 esp_efuse_enable_rom_secure_download_mode() 1126 1127 Note: Secure Download mode is not available for ESP32 (includes revisions till ECO3). 1128 1129 config SECURE_INSECURE_ALLOW_DL_MODE 1130 bool "UART ROM download mode (Enabled (not recommended))" 1131 help 1132 This is a potentially insecure option. 1133 Enabling this option will allow the full UART download mode to stay enabled. 1134 This option SHOULD NOT BE ENABLED for production use cases. 1135 endchoice 1136endmenu # Security features 1137
