1menu "Bootloader config" 2 3 config BOOTLOADER_OFFSET_IN_FLASH 4 hex 5 default 0x1000 if IDF_TARGET_ESP32 || IDF_TARGET_ESP32S2 6 default 0x0 7 help 8 Offset address that 2nd bootloader will be flashed to. 9 The value is determined by the ROM bootloader. 10 It's not configurable in ESP-IDF. 11 12 choice BOOTLOADER_COMPILER_OPTIMIZATION 13 prompt "Bootloader optimization Level" 14 default BOOTLOADER_COMPILER_OPTIMIZATION_SIZE 15 help 16 This option sets compiler optimization level (gcc -O argument) 17 for the bootloader. 18 19 - The default "Size" setting will add the -0s flag to CFLAGS. 20 - The "Debug" setting will add the -Og flag to CFLAGS. 21 - The "Performance" setting will add the -O2 flag to CFLAGS. 22 - The "None" setting will add the -O0 flag to CFLAGS. 23 24 Note that custom optimization levels may be unsupported. 25 26 config BOOTLOADER_COMPILER_OPTIMIZATION_SIZE 27 bool "Size (-Os)" 28 config BOOTLOADER_COMPILER_OPTIMIZATION_DEBUG 29 bool "Debug (-Og)" 30 config BOOTLOADER_COMPILER_OPTIMIZATION_PERF 31 bool "Optimize for performance (-O2)" 32 config BOOTLOADER_COMPILER_OPTIMIZATION_NONE 33 bool "Debug without optimization (-O0)" 34 endchoice 35 36 choice BOOTLOADER_LOG_LEVEL 37 bool "Bootloader log verbosity" 38 default BOOTLOADER_LOG_LEVEL_INFO 39 help 40 Specify how much output to see in bootloader logs. 41 42 config BOOTLOADER_LOG_LEVEL_NONE 43 bool "No output" 44 config BOOTLOADER_LOG_LEVEL_ERROR 45 bool "Error" 46 config BOOTLOADER_LOG_LEVEL_WARN 47 bool "Warning" 48 config BOOTLOADER_LOG_LEVEL_INFO 49 bool "Info" 50 config BOOTLOADER_LOG_LEVEL_DEBUG 51 bool "Debug" 52 config BOOTLOADER_LOG_LEVEL_VERBOSE 53 bool "Verbose" 54 endchoice 55 56 config BOOTLOADER_LOG_LEVEL 57 int 58 default 0 if BOOTLOADER_LOG_LEVEL_NONE 59 default 1 if BOOTLOADER_LOG_LEVEL_ERROR 60 default 2 if BOOTLOADER_LOG_LEVEL_WARN 61 default 3 if BOOTLOADER_LOG_LEVEL_INFO 62 default 4 if BOOTLOADER_LOG_LEVEL_DEBUG 63 default 5 if BOOTLOADER_LOG_LEVEL_VERBOSE 64 65 config BOOTLOADER_SPI_CUSTOM_WP_PIN 66 bool "Use custom SPI Flash WP Pin when flash pins set in eFuse (read help)" 67 depends on IDF_TARGET_ESP32 && (ESPTOOLPY_FLASHMODE_QIO || ESPTOOLPY_FLASHMODE_QOUT) 68 default y if BOOTLOADER_SPI_WP_PIN != 7 # backwards compatibility, can remove in IDF 5 69 default n 70 help 71 This setting is only used if the SPI flash pins have been overridden by setting the eFuses 72 SPI_PAD_CONFIG_xxx, and the SPI flash mode is QIO or QOUT. 73 74 When this is the case, the eFuse config only defines 3 of the 4 Quad I/O data pins. The WP pin (aka 75 ESP32 pin "SD_DATA_3" or SPI flash pin "IO2") is not specified in eFuse. The same pin is also used 76 for external SPIRAM if it is enabled. 77 78 If this config item is set to N (default), the correct WP pin will be automatically used for any 79 Espressif chip or module with integrated flash. If a custom setting is needed, set this config item to 80 Y and specify the GPIO number connected to the WP. 81 82 config BOOTLOADER_SPI_WP_PIN 83 int "Custom SPI Flash WP Pin" 84 range 0 33 85 default 7 86 depends on IDF_TARGET_ESP32 && (ESPTOOLPY_FLASHMODE_QIO || ESPTOOLPY_FLASHMODE_QOUT) 87 #depends on BOOTLOADER_SPI_CUSTOM_WP_PIN # backwards compatibility, can uncomment in IDF 5 88 help 89 The option "Use custom SPI Flash WP Pin" must be set or this value is ignored 90 91 If burning a customized set of SPI flash pins in eFuse and using QIO or QOUT mode for flash, set this 92 value to the GPIO number of the SPI flash WP pin. 93 94 choice BOOTLOADER_VDDSDIO_BOOST 95 bool "VDDSDIO LDO voltage" 96 default BOOTLOADER_VDDSDIO_BOOST_1_9V 97 depends on SOC_CONFIGURABLE_VDDSDIO_SUPPORTED 98 help 99 If this option is enabled, and VDDSDIO LDO is set to 1.8V (using eFuse 100 or MTDI bootstrapping pin), bootloader will change LDO settings to 101 output 1.9V instead. This helps prevent flash chip from browning out 102 during flash programming operations. 103 104 This option has no effect if VDDSDIO is set to 3.3V, or if the internal 105 VDDSDIO regulator is disabled via eFuse. 106 107 config BOOTLOADER_VDDSDIO_BOOST_1_8V 108 bool "1.8V" 109 depends on !ESPTOOLPY_FLASHFREQ_80M 110 config BOOTLOADER_VDDSDIO_BOOST_1_9V 111 bool "1.9V" 112 endchoice 113 114 config BOOTLOADER_FACTORY_RESET 115 bool "GPIO triggers factory reset" 116 default N 117 select BOOTLOADER_RESERVE_RTC_MEM if SOC_RTC_FAST_MEM_SUPPORTED 118 help 119 Allows to reset the device to factory settings: 120 - clear one or more data partitions; 121 - boot from "factory" partition. 122 The factory reset will occur if there is a GPIO input held at the configured level while 123 device starts up. See settings below. 124 125 config BOOTLOADER_NUM_PIN_FACTORY_RESET 126 int "Number of the GPIO input for factory reset" 127 depends on BOOTLOADER_FACTORY_RESET 128 range 0 39 if IDF_TARGET_ESP32 129 range 0 44 if IDF_TARGET_ESP32S2 130 default 4 131 help 132 The selected GPIO will be configured as an input with internal pull-up enabled (note that on some SoCs. 133 not all pins have an internal pull-up, consult the hardware datasheet for details.) To trigger a factory 134 reset, this GPIO must be held high or low (as configured) on startup. 135 136 choice BOOTLOADER_FACTORY_RESET_PIN_LEVEL 137 bool "Factory reset GPIO level" 138 depends on BOOTLOADER_FACTORY_RESET 139 default BOOTLOADER_FACTORY_RESET_PIN_LOW 140 help 141 Pin level for factory reset, can be triggered on low or high. 142 143 config BOOTLOADER_FACTORY_RESET_PIN_LOW 144 bool "Reset on GPIO low" 145 146 config BOOTLOADER_FACTORY_RESET_PIN_HIGH 147 bool "Reset on GPIO high" 148 endchoice 149 150 config BOOTLOADER_OTA_DATA_ERASE 151 bool "Clear OTA data on factory reset (select factory partition)" 152 depends on BOOTLOADER_FACTORY_RESET 153 help 154 The device will boot from "factory" partition (or OTA slot 0 if no factory partition is present) after a 155 factory reset. 156 157 config BOOTLOADER_DATA_FACTORY_RESET 158 string "Comma-separated names of partitions to clear on factory reset" 159 depends on BOOTLOADER_FACTORY_RESET 160 default "nvs" 161 help 162 Allows customers to select which data partitions will be erased while factory reset. 163 164 Specify the names of partitions as a comma-delimited with optional spaces for readability. (Like this: 165 "nvs, phy_init, ...") 166 Make sure that the name specified in the partition table and here are the same. 167 Partitions of type "app" cannot be specified here. 168 169 config BOOTLOADER_APP_TEST 170 bool "GPIO triggers boot from test app partition" 171 default N 172 depends on !BOOTLOADER_APP_ANTI_ROLLBACK 173 help 174 Allows to run the test app from "TEST" partition. 175 A boot from "test" partition will occur if there is a GPIO input pulled low while device starts up. 176 See settings below. 177 178 config BOOTLOADER_NUM_PIN_APP_TEST 179 int "Number of the GPIO input to boot TEST partition" 180 depends on BOOTLOADER_APP_TEST 181 range 0 39 182 default 18 183 help 184 The selected GPIO will be configured as an input with internal pull-up enabled. 185 To trigger a test app, this GPIO must be pulled low on reset. 186 After the GPIO input is deactivated and the device reboots, the old application will boot. 187 (factory or OTA[x]). 188 Note that GPIO34-39 do not have an internal pullup and an external one must be provided. 189 190 choice BOOTLOADER_APP_TEST_PIN_LEVEL 191 bool "App test GPIO level" 192 depends on BOOTLOADER_APP_TEST 193 default BOOTLOADER_APP_TEST_PIN_LOW 194 help 195 Pin level for app test, can be triggered on low or high. 196 197 config BOOTLOADER_APP_TEST_PIN_LOW 198 bool "Enter test app on GPIO low" 199 200 config BOOTLOADER_APP_TEST_PIN_HIGH 201 bool "Enter test app on GPIO high" 202 endchoice 203 204 config BOOTLOADER_HOLD_TIME_GPIO 205 int "Hold time of GPIO for reset/test mode (seconds)" 206 depends on BOOTLOADER_FACTORY_RESET || BOOTLOADER_APP_TEST 207 default 5 208 help 209 The GPIO must be held low continuously for this period of time after reset 210 before a factory reset or test partition boot (as applicable) is performed. 211 212 config BOOTLOADER_REGION_PROTECTION_ENABLE 213 bool "Enable protection for unmapped memory regions" 214 default y 215 help 216 Protects the unmapped memory regions of the entire address space from unintended accesses. 217 This will ensure that an exception will be triggered whenever the CPU performs a memory 218 operation on unmapped regions of the address space. 219 220 config BOOTLOADER_WDT_ENABLE 221 bool "Use RTC watchdog in start code" 222 default y 223 help 224 Tracks the execution time of startup code. 225 If the execution time is exceeded, the RTC_WDT will restart system. 226 It is also useful to prevent a lock up in start code caused by an unstable power source. 227 NOTE: Tracks the execution time starts from the bootloader code - re-set timeout, while selecting the 228 source for slow_clk - and ends calling app_main. 229 Re-set timeout is needed due to WDT uses a SLOW_CLK clock source. After changing a frequency slow_clk a 230 time of WDT needs to re-set for new frequency. 231 slow_clk depends on RTC_CLK_SRC (INTERNAL_RC or EXTERNAL_CRYSTAL). 232 233 config BOOTLOADER_WDT_DISABLE_IN_USER_CODE 234 bool "Allows RTC watchdog disable in user code" 235 depends on BOOTLOADER_WDT_ENABLE 236 default n 237 help 238 If this option is set, the ESP-IDF app must explicitly reset, feed, or disable the rtc_wdt in 239 the app's own code. 240 If this option is not set (default), then rtc_wdt will be disabled by ESP-IDF before calling 241 the app_main() function. 242 243 Use function rtc_wdt_feed() for resetting counter of rtc_wdt. 244 Use function rtc_wdt_disable() for disabling rtc_wdt. 245 246 config BOOTLOADER_WDT_TIME_MS 247 int "Timeout for RTC watchdog (ms)" 248 depends on BOOTLOADER_WDT_ENABLE 249 default 9000 250 range 0 120000 251 help 252 Verify that this parameter is correct and more then the execution time. 253 Pay attention to options such as reset to factory, trigger test partition and encryption on boot 254 - these options can increase the execution time. 255 Note: RTC_WDT will reset while encryption operations will be performed. 256 257 config BOOTLOADER_APP_ROLLBACK_ENABLE 258 bool "Enable app rollback support" 259 default n 260 help 261 After updating the app, the bootloader runs a new app with the "ESP_OTA_IMG_PENDING_VERIFY" state set. 262 This state prevents the re-run of this app. After the first boot of the new app in the user code, the 263 function should be called to confirm the operability of the app or vice versa about its non-operability. 264 If the app is working, then it is marked as valid. Otherwise, it is marked as not valid and rolls back to 265 the previous working app. A reboot is performed, and the app is booted before the software update. 266 Note: If during the first boot a new app the power goes out or the WDT works, then roll back will happen. 267 Rollback is possible only between the apps with the same security versions. 268 269 config BOOTLOADER_APP_ANTI_ROLLBACK 270 bool "Enable app anti-rollback support" 271 depends on BOOTLOADER_APP_ROLLBACK_ENABLE 272 default n 273 help 274 This option prevents rollback to previous firmware/application image with lower security version. 275 276 config BOOTLOADER_APP_SECURE_VERSION 277 int "eFuse secure version of app" 278 depends on BOOTLOADER_APP_ANTI_ROLLBACK 279 default 0 280 help 281 The secure version is the sequence number stored in the header of each firmware. 282 The security version is set in the bootloader, version is recorded in the eFuse field 283 as the number of set ones. The allocated number of bits in the efuse field 284 for storing the security version is limited (see BOOTLOADER_APP_SEC_VER_SIZE_EFUSE_FIELD option). 285 286 Bootloader: When bootloader selects an app to boot, an app is selected that has 287 a security version greater or equal that recorded in eFuse field. 288 The app is booted with a higher (or equal) secure version. 289 290 The security version is worth increasing if in previous versions there is 291 a significant vulnerability and their use is not acceptable. 292 293 Your partition table should has a scheme with ota_0 + ota_1 (without factory). 294 295 config BOOTLOADER_APP_SEC_VER_SIZE_EFUSE_FIELD 296 int "Size of the efuse secure version field" 297 depends on BOOTLOADER_APP_ANTI_ROLLBACK 298 range 1 32 if IDF_TARGET_ESP32 299 default 32 if IDF_TARGET_ESP32 300 range 1 4 if IDF_TARGET_ESP32C2 301 default 4 if IDF_TARGET_ESP32C2 302 range 1 16 303 default 16 304 help 305 The size of the efuse secure version field. 306 Its length is limited to 32 bits for ESP32 and 16 bits for ESP32-S2. 307 This determines how many times the security version can be increased. 308 309 config BOOTLOADER_EFUSE_SECURE_VERSION_EMULATE 310 bool "Emulate operations with efuse secure version(only test)" 311 default n 312 depends on BOOTLOADER_APP_ANTI_ROLLBACK 313 select EFUSE_VIRTUAL 314 select EFUSE_VIRTUAL_KEEP_IN_FLASH 315 help 316 This option allows to emulate read/write operations with all eFuses and efuse secure version. 317 It allows to test anti-rollback implemention without permanent write eFuse bits. 318 There should be an entry in partition table with following details: `emul_efuse, data, efuse, , 0x2000`. 319 320 This option enables: EFUSE_VIRTUAL and EFUSE_VIRTUAL_KEEP_IN_FLASH. 321 322 config BOOTLOADER_SKIP_VALIDATE_IN_DEEP_SLEEP 323 bool "Skip image validation when exiting deep sleep" 324 # note: dependencies for this config item are different to other "skip image validation" 325 # options, allowing to turn on "allow insecure options" and have secure boot with 326 # "skip validation when existing deep sleep". Keeping this to avoid a breaking change, 327 # but - as noted in help - it invalidates the integrity of Secure Boot checks 328 depends on SOC_RTC_FAST_MEM_SUPPORTED && ((SECURE_BOOT && SECURE_BOOT_INSECURE) || !SECURE_BOOT) 329 default n 330 select BOOTLOADER_RESERVE_RTC_MEM 331 help 332 This option disables the normal validation of an image coming out of 333 deep sleep (checksums, SHA256, and signature). This is a trade-off 334 between wakeup performance from deep sleep, and image integrity checks. 335 336 Only enable this if you know what you are doing. It should not be used 337 in conjunction with using deep_sleep() entry and changing the active OTA 338 partition as this would skip the validation upon first load of the new 339 OTA partition. 340 341 It is possible to enable this option with Secure Boot if "allow insecure 342 options" is enabled, however it's strongly recommended to NOT enable it as 343 it may allow a Secure Boot bypass. 344 345 config BOOTLOADER_SKIP_VALIDATE_ON_POWER_ON 346 bool "Skip image validation from power on reset (READ HELP FIRST)" 347 # only available if both Secure Boot and Check Signature on Boot are disabled 348 depends on !SECURE_SIGNED_ON_BOOT 349 default n 350 help 351 Some applications need to boot very quickly from power on. By default, the entire app binary 352 is read from flash and verified which takes up a significant portion of the boot time. 353 354 Enabling this option will skip validation of the app when the SoC boots from power on. 355 Note that in this case it's not possible for the bootloader to detect if an app image is 356 corrupted in the flash, therefore it's not possible to safely fall back to a different app 357 partition. Flash corruption of this kind is unlikely but can happen if there is a serious 358 firmware bug or physical damage. 359 360 Following other reset types, the bootloader will still validate the app image. This increases 361 the chances that flash corruption resulting in a crash can be detected following soft reset, and 362 the bootloader will fall back to a valid app image. To increase the chances of successfully recovering 363 from a flash corruption event, keep the option BOOTLOADER_WDT_ENABLE enabled and consider also enabling 364 BOOTLOADER_WDT_DISABLE_IN_USER_CODE - then manually disable the RTC Watchdog once the app is running. 365 In addition, enable both the Task and Interrupt watchdog timers with reset options set. 366 367 config BOOTLOADER_SKIP_VALIDATE_ALWAYS 368 bool "Skip image validation always (READ HELP FIRST)" 369 # only available if both Secure Boot and Check Signature on Boot are disabled 370 depends on !SECURE_SIGNED_ON_BOOT 371 default n 372 select BOOTLOADER_SKIP_VALIDATE_IN_DEEP_SLEEP if SOC_RTC_FAST_MEM_SUPPORTED 373 select BOOTLOADER_SKIP_VALIDATE_ON_POWER_ON 374 help 375 Selecting this option prevents the bootloader from ever validating the app image before 376 booting it. Any flash corruption of the selected app partition will make the entire SoC 377 unbootable. 378 379 Although flash corruption is a very rare case, it is not recommended to select this option. 380 Consider selecting "Skip image validation from power on reset" instead. However, if boot time 381 is the only important factor then it can be enabled. 382 383 config BOOTLOADER_RESERVE_RTC_SIZE 384 hex 385 depends on SOC_RTC_FAST_MEM_SUPPORTED 386 default 0x10 if BOOTLOADER_RESERVE_RTC_MEM 387 default 0 388 help 389 Reserve RTC FAST memory for Skip image validation. This option in bytes. 390 This option reserves an area in the RTC FAST memory (access only PRO_CPU). 391 Used to save the addresses of the selected application. 392 When a wakeup occurs (from Deep sleep), the bootloader retrieves it and 393 loads the application without validation. 394 395 config BOOTLOADER_CUSTOM_RESERVE_RTC 396 bool "Reserve RTC FAST memory for custom purposes" 397 depends on SOC_RTC_FAST_MEM_SUPPORTED 398 select BOOTLOADER_RESERVE_RTC_MEM 399 default n 400 help 401 This option allows the customer to place data in the RTC FAST memory, 402 this area remains valid when rebooted, except for power loss. 403 This memory is located at a fixed address and is available 404 for both the bootloader and the application. 405 (The application and bootoloader must be compiled with the same option). 406 The RTC FAST memory has access only through PRO_CPU. 407 408 config BOOTLOADER_CUSTOM_RESERVE_RTC_SIZE 409 hex "Size in bytes for custom purposes" 410 default 0 411 depends on BOOTLOADER_CUSTOM_RESERVE_RTC 412 help 413 This option reserves in RTC FAST memory the area for custom purposes. 414 If you want to create your own bootloader and save more information 415 in this area of memory, you can increase it. It must be a multiple of 4 bytes. 416 This area (rtc_retain_mem_t) is reserved and has access from the bootloader and an application. 417 418 config BOOTLOADER_RESERVE_RTC_MEM 419 bool 420 depends on SOC_RTC_FAST_MEM_SUPPORTED 421 help 422 This option reserves an area in RTC FAST memory for the following features: 423 - "Skip image validation when exiting deep sleep" 424 - "Reserve RTC FAST memory for custom purposes" 425 - "GPIO triggers factory reset" 426 427 config BOOTLOADER_FLASH_XMC_SUPPORT 428 bool "Enable the support for flash chips of XMC (READ HELP FIRST)" 429 default y 430 help 431 Perform the startup flow recommended by XMC. Please consult XMC for the details of this flow. 432 XMC chips will be forbidden to be used, when this option is disabled. 433 434 DON'T DISABLE THIS UNLESS YOU KNOW WHAT YOU ARE DOING. 435 436endmenu # Bootloader 437 438 439menu "Security features" 440 441 # These three are the actual options to check in code, 442 # selected by the displayed options 443 config SECURE_SIGNED_ON_BOOT 444 bool 445 default y 446 depends on SECURE_BOOT || SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT 447 448 config SECURE_SIGNED_ON_UPDATE 449 bool 450 default y 451 depends on SECURE_BOOT || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT 452 453 config SECURE_SIGNED_APPS 454 bool 455 default y 456 select MBEDTLS_ECP_DP_SECP256R1_ENABLED 457 select MBEDTLS_ECP_C 458 select MBEDTLS_ECDH_C 459 select MBEDTLS_ECDSA_C 460 depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE 461 462 config SECURE_BOOT_V2_RSA_SUPPORTED 463 bool 464 default y 465 # RSA secure boot is supported in ESP32 revision >= v3.0 466 depends on (IDF_TARGET_ESP32 && ESP32_REV_MIN_FULL >= 300) || SOC_SECURE_BOOT_V2_RSA 467 468 config SECURE_BOOT_V2_ECC_SUPPORTED 469 bool 470 default y 471 depends on SOC_SECURE_BOOT_V2_ECC 472 473 config SECURE_BOOT_V1_SUPPORTED 474 bool 475 default y 476 depends on SOC_SECURE_BOOT_V1 477 478 config SECURE_BOOT_V2_PREFERRED 479 bool 480 default y 481 depends on ESP32_REV_MIN_FULL >= 300 482 483 config SECURE_BOOT_V2_ECDSA_ENABLED 484 bool 485 default y if SECURE_BOOT_V2_ENABLED && SECURE_BOOT_V2_ECC_SUPPORTED 486 487 config SECURE_BOOT_V2_RSA_ENABLED 488 bool 489 default y if SECURE_BOOT_V2_ENABLED && SECURE_BOOT_V2_RSA_SUPPORTED 490 491 config SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER 492 bool 493 default y if SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK && SECURE_BOOT && SECURE_FLASH_ENC_ENABLED 494 # ESP32-C2 has one key block for SB and FE keys. These keys must be burned at the same time. 495 496 config SECURE_SIGNED_APPS_NO_SECURE_BOOT 497 bool "Require signed app images" 498 depends on !SECURE_BOOT 499 help 500 Require apps to be signed to verify their integrity. 501 502 This option uses the same app signature scheme as hardware secure boot, but unlike hardware secure boot it 503 does not prevent the bootloader from being physically updated. This means that the device can be secured 504 against remote network access, but not physical access. Compared to using hardware Secure Boot this option 505 is much simpler to implement. 506 507 choice SECURE_SIGNED_APPS_SCHEME 508 bool "App Signing Scheme" 509 depends on SECURE_BOOT || SECURE_SIGNED_APPS_NO_SECURE_BOOT 510 default SECURE_SIGNED_APPS_ECDSA_SCHEME if SECURE_BOOT_V1_ENABLED 511 default SECURE_SIGNED_APPS_RSA_SCHEME if SECURE_BOOT_V2_RSA_SUPPORTED 512 default SECURE_SIGNED_APPS_ECDSA_V2_SCHEME if SECURE_BOOT_V2_ECC_SUPPORTED 513 help 514 Select the Secure App signing scheme. Depends on the Chip Revision. 515 There are two secure boot versions: 516 517 1. Secure boot V1 518 - Legacy custom secure boot scheme. Supported in ESP32 SoC. 519 520 2. Secure boot V2 521 - RSA based secure boot scheme. 522 Supported in ESP32-ECO3 (ESP32 Chip Revision 3 onwards), ESP32-S2, ESP32-C3, ESP32-S3 SoCs. 523 524 - ECDSA based secure boot scheme. Supported in ESP32-C2 SoC. 525 526 config SECURE_SIGNED_APPS_ECDSA_SCHEME 527 bool "ECDSA" 528 depends on SECURE_BOOT_V1_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V1_ENABLED) 529 help 530 Embeds the ECDSA public key in the bootloader and signs the application with an ECDSA key. 531 Refer to the documentation before enabling. 532 533 config SECURE_SIGNED_APPS_RSA_SCHEME 534 bool "RSA" 535 depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED) 536 help 537 Appends the RSA-3072 based Signature block to the application. 538 Refer to <Secure Boot Version 2 documentation link> before enabling. 539 540 config SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 541 bool "ECDSA (V2)" 542 depends on SECURE_BOOT_V2_ECC_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED) 543 help 544 For Secure boot V2 (e.g., ESP32-C2 SoC), appends ECDSA based signature block to the application. 545 Refer to documentation before enabling. 546 547 endchoice 548 549 choice SECURE_BOOT_ECDSA_KEY_LEN_SIZE 550 bool "ECDSA key size" 551 depends on SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 552 default SECURE_BOOT_ECDSA_KEY_LEN_256_BITS 553 help 554 Select the ECDSA key size. Two key sizes are supported 555 556 - 192 bit key using NISTP192 curve 557 - 256 bit key using NISTP256 curve (Recommended) 558 559 The advantage of using 256 bit key is the extra randomness which makes it difficult to be 560 bruteforced compared to 192 bit key. 561 At present, both key sizes are practically implausible to bruteforce. 562 563 config SECURE_BOOT_ECDSA_KEY_LEN_192_BITS 564 bool "Using ECC curve NISTP192" 565 depends on SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 566 567 config SECURE_BOOT_ECDSA_KEY_LEN_256_BITS 568 bool "Using ECC curve NISTP256 (Recommended)" 569 depends on SECURE_SIGNED_APPS_ECDSA_V2_SCHEME 570 571 endchoice 572 573 config SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT 574 bool "Bootloader verifies app signatures" 575 default n 576 depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT && SECURE_SIGNED_APPS_ECDSA_SCHEME 577 help 578 If this option is set, the bootloader will be compiled with code to verify that an app is signed before 579 booting it. 580 581 If hardware secure boot is enabled, this option is always enabled and cannot be disabled. 582 If hardware secure boot is not enabled, this option doesn't add significant security by itself so most 583 users will want to leave it disabled. 584 585 config SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT 586 bool "Verify app signature on update" 587 default y 588 depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT 589 help 590 If this option is set, any OTA updated apps will have the signature verified before being considered valid. 591 592 When enabled, the signature is automatically checked whenever the esp_ota_ops.h APIs are used for OTA 593 updates, or esp_image_format.h APIs are used to verify apps. 594 595 If hardware secure boot is enabled, this option is always enabled and cannot be disabled. 596 If hardware secure boot is not enabled, this option still adds significant security against network-based 597 attackers by preventing spoofing of OTA updates. 598 599 config SECURE_BOOT 600 bool "Enable hardware Secure Boot in bootloader (READ DOCS FIRST)" 601 default n 602 # Secure boot is not supported for ESP32-C3 revision < v0.3 603 depends on SOC_SECURE_BOOT_SUPPORTED && !(IDF_TARGET_ESP32C3 && ESP32C3_REV_MIN_FULL < 3) 604 select ESPTOOLPY_NO_STUB if !IDF_TARGET_ESP32 && !IDF_TARGET_ESP32S2 605 help 606 Build a bootloader which enables Secure Boot on first boot. 607 608 Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only load a partition 609 table or boot an app if the data has a verified digital signature. There are implications for reflashing 610 updated apps once secure boot is enabled. 611 612 When enabling secure boot, JTAG and ROM BASIC Interpreter are permanently disabled by default. 613 614 choice SECURE_BOOT_VERSION 615 bool "Select secure boot version" 616 default SECURE_BOOT_V2_ENABLED if SECURE_BOOT_V2_PREFERRED 617 depends on SECURE_BOOT 618 help 619 Select the Secure Boot Version. Depends on the Chip Revision. 620 Secure Boot V2 is the new RSA / ECDSA based secure boot scheme. 621 622 - RSA based scheme is supported in ESP32 (Revision 3 onwards), ESP32-S2, ESP32-C3 (ECO3), ESP32-S3. 623 - ECDSA based scheme is supported in ESP32-C2 SoC. 624 625 Please note that, RSA or ECDSA secure boot is property of specific SoC based on its HW design, supported 626 crypto accelerators, die-size, cost and similar parameters. Please note that RSA scheme has requirement 627 for bigger key sizes but at the same time it is comparatively faster than ECDSA verification. 628 629 Secure Boot V1 is the AES based (custom) secure boot scheme supported in ESP32 SoC. 630 631 config SECURE_BOOT_V1_ENABLED 632 bool "Enable Secure Boot version 1" 633 depends on SECURE_BOOT_V1_SUPPORTED 634 help 635 Build a bootloader which enables secure boot version 1 on first boot. 636 Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. 637 638 config SECURE_BOOT_V2_ENABLED 639 bool "Enable Secure Boot version 2" 640 depends on SECURE_BOOT_V2_RSA_SUPPORTED || SECURE_BOOT_V2_ECC_SUPPORTED 641 help 642 Build a bootloader which enables Secure Boot version 2 on first boot. 643 Refer to Secure Boot V2 section of the ESP-IDF Programmer's Guide for this version before enabling. 644 645 endchoice 646 647 choice SECURE_BOOTLOADER_MODE 648 bool "Secure bootloader mode" 649 depends on SECURE_BOOT_V1_ENABLED 650 default SECURE_BOOTLOADER_ONE_TIME_FLASH 651 652 config SECURE_BOOTLOADER_ONE_TIME_FLASH 653 bool "One-time flash" 654 help 655 On first boot, the bootloader will generate a key which is not readable externally or by software. A 656 digest is generated from the bootloader image itself. This digest will be verified on each subsequent 657 boot. 658 659 Enabling this option means that the bootloader cannot be changed after the first time it is booted. 660 661 config SECURE_BOOTLOADER_REFLASHABLE 662 bool "Reflashable" 663 help 664 Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key. 665 666 This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing 667 key. 668 669 This option is less secure than one-time flash, because a leak of the digest key from one device 670 allows reflashing of any device that uses it. 671 672 endchoice 673 674 config SECURE_BOOT_BUILD_SIGNED_BINARIES 675 bool "Sign binaries during build" 676 depends on SECURE_SIGNED_APPS 677 default y 678 help 679 Once secure boot or signed app requirement is enabled, app images are required to be signed. 680 681 If enabled (default), these binary files are signed as part of the build process. The file named in 682 "Secure boot private signing key" will be used to sign the image. 683 684 If disabled, unsigned app/partition data will be built. They must be signed manually using espsecure.py. 685 Version 1 to enable ECDSA Based Secure Boot and Version 2 to enable RSA based Secure Boot. 686 (for example, on a remote signing server.) 687 688 config SECURE_BOOT_SIGNING_KEY 689 string "Secure boot private signing key" 690 depends on SECURE_BOOT_BUILD_SIGNED_BINARIES 691 default "secure_boot_signing_key.pem" 692 help 693 Path to the key file used to sign app images. 694 695 Key file is an ECDSA private key (NIST256p curve) in PEM format for Secure Boot V1. 696 Key file is an RSA private key in PEM format for Secure Boot V2. 697 698 Path is evaluated relative to the project directory. 699 700 You can generate a new signing key by running the following command: 701 espsecure.py generate_signing_key secure_boot_signing_key.pem 702 703 See the Secure Boot section of the ESP-IDF Programmer's Guide for this version for details. 704 705 config SECURE_BOOT_VERIFICATION_KEY 706 string "Secure boot public signature verification key" 707 depends on SECURE_SIGNED_APPS && !SECURE_BOOT_BUILD_SIGNED_BINARIES && !SECURE_SIGNED_APPS_RSA_SCHEME 708 default "signature_verification_key.bin" 709 help 710 Path to a public key file used to verify signed images. 711 Secure Boot V1: This ECDSA public key is compiled into the bootloader and/or 712 app, to verify app images. 713 Secure Boot V2: This RSA public key is compiled into the signature block at 714 the end of the bootloader/app. 715 716 Key file is in raw binary format, and can be extracted from a 717 PEM formatted private key using the espsecure.py 718 extract_public_key command. 719 720 Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. 721 722 config SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE 723 bool "Enable Aggressive key revoke strategy" 724 depends on SECURE_BOOT && SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 725 default N 726 help 727 If this option is set, ROM bootloader will revoke the public key digest burned in efuse block 728 if it fails to verify the signature of software bootloader with it. 729 Revocation of keys does not happen when enabling secure boot. Once secure boot is enabled, 730 key revocation checks will be done on subsequent boot-up, while verifying the software bootloader 731 732 This feature provides a strong resistance against physical attacks on the device. 733 734 NOTE: Once a digest slot is revoked, it can never be used again to verify an image 735 This can lead to permanent bricking of the device, in case all keys are revoked 736 because of signature verification failure. 737 738 choice SECURE_BOOTLOADER_KEY_ENCODING 739 bool "Hardware Key Encoding" 740 depends on SECURE_BOOTLOADER_REFLASHABLE 741 default SECURE_BOOTLOADER_KEY_ENCODING_256BIT 742 help 743 744 In reflashable secure bootloader mode, a hardware key is derived from the signing key (with SHA-256) and 745 can be written to eFuse with espefuse.py. 746 747 Normally this is a 256-bit key, but if 3/4 Coding Scheme is used on the device then the eFuse key is 748 truncated to 192 bits. 749 750 This configuration item doesn't change any firmware code, it only changes the size of key binary which is 751 generated at build time. 752 753 config SECURE_BOOTLOADER_KEY_ENCODING_256BIT 754 bool "No encoding (256 bit key)" 755 756 config SECURE_BOOTLOADER_KEY_ENCODING_192BIT 757 bool "3/4 encoding (192 bit key)" 758 759 endchoice 760 761 config SECURE_BOOT_INSECURE 762 bool "Allow potentially insecure options" 763 depends on SECURE_BOOT 764 default N 765 help 766 You can disable some of the default protections offered by secure boot, in order to enable testing or a 767 custom combination of security features. 768 769 Only enable these options if you are very sure. 770 771 Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. 772 773 config SECURE_FLASH_ENC_ENABLED 774 bool "Enable flash encryption on boot (READ DOCS FIRST)" 775 default N 776 select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE 777 help 778 If this option is set, flash contents will be encrypted by the bootloader on first boot. 779 780 Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted 781 system is complicated and not always possible. 782 783 Read https://docs.espressif.com/projects/esp-idf/en/latest/security/flash-encryption.html 784 before enabling. 785 786 choice SECURE_FLASH_ENCRYPTION_KEYSIZE 787 bool "Size of generated AES-XTS key" 788 default SECURE_FLASH_ENCRYPTION_AES128 789 depends on SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS && SECURE_FLASH_ENC_ENABLED 790 help 791 Size of generated AES-XTS key. 792 793 - AES-128 uses a 256-bit key (32 bytes) derived from 128 bits (16 bytes) burned in half Efuse key block. 794 Internally, it calculates SHA256(128 bits) 795 - AES-128 uses a 256-bit key (32 bytes) which occupies one Efuse key block. 796 - AES-256 uses a 512-bit key (64 bytes) which occupies two Efuse key blocks. 797 798 This setting is ignored if either type of key is already burned to Efuse before the first boot. 799 In this case, the pre-burned key is used and no new key is generated. 800 801 config SECURE_FLASH_ENCRYPTION_AES128_DERIVED 802 bool "AES-128 key derived from 128 bits (SHA256(128 bits))" 803 depends on SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED 804 805 config SECURE_FLASH_ENCRYPTION_AES128 806 bool "AES-128 (256-bit key)" 807 depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && !(IDF_TARGET_ESP32C2 && SECURE_BOOT) 808 809 config SECURE_FLASH_ENCRYPTION_AES256 810 bool "AES-256 (512-bit key)" 811 depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 812 endchoice 813 814 choice SECURE_FLASH_ENCRYPTION_MODE 815 bool "Enable usage mode" 816 depends on SECURE_FLASH_ENC_ENABLED 817 default SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 818 help 819 By default Development mode is enabled which allows ROM download mode to perform flash encryption 820 operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext 821 to flash.) This mode is not secure, it's possible for an attacker to write their own chosen plaintext 822 to flash. 823 824 Release mode should always be selected for production or manufacturing. Once enabled it's no longer 825 possible for the device in ROM Download Mode to use the flash encryption hardware. 826 827 When EFUSE_VIRTUAL is enabled, SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not available. 828 For CI tests we use IDF_CI_BUILD to bypass it ("export IDF_CI_BUILD=1"). 829 We do not recommend bypassing it for other purposes. 830 831 Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details. 832 833 config SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 834 bool "Development (NOT SECURE)" 835 select SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC 836 837 config SECURE_FLASH_ENCRYPTION_MODE_RELEASE 838 bool "Release" 839 select PARTITION_TABLE_MD5 if !APP_COMPATIBLE_PRE_V3_1_BOOTLOADERS 840 depends on !EFUSE_VIRTUAL || IDF_CI_BUILD 841 842 endchoice 843 844 config SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 845 bool 846 default y if (SOC_EFUSE_DIS_ICACHE || IDF_TARGET_ESP32) && SECURE_FLASH_ENC_ENABLED 847 848 menu "Potentially insecure options" 849 visible if SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT || SECURE_BOOT_INSECURE || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT # NOERROR 850 851 # NOTE: Options in this menu NEED to have SECURE_BOOT_INSECURE 852 # and/or SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu 853 # itself doesn't enable/disable its children (if it's not set, 854 # it's possible for the insecure menu to be disabled but the insecure option 855 # to remain on which is very bad.) 856 857 config SECURE_BOOT_ALLOW_ROM_BASIC 858 bool "Leave ROM BASIC Interpreter available on reset" 859 depends on (SECURE_BOOT_INSECURE || SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT) && IDF_TARGET_ESP32 860 default N 861 help 862 By default, the BASIC ROM Console starts on reset if no valid bootloader is 863 read from the flash. 864 865 When either flash encryption or secure boot are enabled, the default is to 866 disable this BASIC fallback mode permanently via eFuse. 867 868 If this option is set, this eFuse is not burned and the BASIC ROM Console may 869 remain accessible. Only set this option in testing environments. 870 871 config SECURE_BOOT_ALLOW_JTAG 872 bool "Allow JTAG Debugging" 873 depends on SECURE_BOOT_INSECURE || SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 874 select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 875 default N 876 help 877 If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot 878 when either secure boot or flash encryption is enabled. 879 880 Setting this option leaves JTAG on for debugging, which negates all protections of flash encryption 881 and some of the protections of secure boot. 882 883 Only set this option in testing environments. 884 885 config SECURE_BOOT_ALLOW_SHORT_APP_PARTITION 886 bool "Allow app partition length not 64KB aligned" 887 depends on SECURE_BOOT_INSECURE || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT 888 help 889 If not set (default), app partition size must be a multiple of 64KB. App images are padded to 64KB 890 length, and the bootloader checks any trailing bytes after the signature (before the next 64KB 891 boundary) have not been written. This is because flash cache maps entire 64KB pages into the address 892 space. This prevents an attacker from appending unverified data after the app image in the flash, 893 causing it to be mapped into the address space. 894 895 Setting this option allows the app partition length to be unaligned, and disables padding of the app 896 image to this length. It is generally not recommended to set this option, unless you have a legacy 897 partitioning scheme which doesn't support 64KB aligned partition lengths. 898 899 config SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS 900 bool "Allow additional read protecting of efuses" 901 depends on SECURE_BOOT_INSECURE && SECURE_BOOT_V2_ENABLED 902 help 903 If not set (default, recommended), on first boot the bootloader will burn the WR_DIS_RD_DIS 904 efuse when Secure Boot is enabled. This prevents any more efuses from being read protected. 905 906 If this option is set, it will remain possible to write the EFUSE_RD_DIS efuse field after Secure 907 Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse (for ESP32) and 908 BLOCK4-BLOCK10 (i.e. BLOCK_KEY0-BLOCK_KEY5)(for other chips) holding the public key digest, causing an 909 immediate denial of service and possibly allowing an additional fault injection attack to 910 bypass the signature protection. 911 912 NOTE: Once a BLOCK is read-protected, the application will read all zeros from that block 913 914 NOTE: If "UART ROM download mode (Permanently disabled (recommended))" or 915 "UART ROM download mode (Permanently switch to Secure mode (recommended))" is set, 916 then it is __NOT__ possible to read/write efuses using espefuse.py utility. 917 However, efuse can be read/written from the application 918 919 config SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS 920 bool "Leave unused digest slots available (not revoke)" 921 depends on SECURE_BOOT_INSECURE && SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 922 default N 923 help 924 If not set (default), during startup in the app all unused digest slots will be revoked. 925 To revoke unused slot will be called esp_efuse_set_digest_revoke(num_digest) for each digest. 926 Revoking unused digest slots makes ensures that no trusted keys can be added later by an attacker. 927 If set, it means that you have a plan to use unused digests slots later. 928 929 config SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC 930 bool "Leave UART bootloader encryption enabled" 931 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 932 select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 933 default N 934 help 935 If not set (default), the bootloader will permanently disable UART bootloader encryption access on 936 first boot. If set, the UART bootloader will still be able to access hardware encryption. 937 938 It is recommended to only set this option in testing environments. 939 940 config SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC 941 bool "Leave UART bootloader decryption enabled" 942 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT && IDF_TARGET_ESP32 943 default N 944 help 945 If not set (default), the bootloader will permanently disable UART bootloader decryption access on 946 first boot. If set, the UART bootloader will still be able to access hardware decryption. 947 948 Only set this option in testing environments. Setting this option allows complete bypass of flash 949 encryption. 950 951 config SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE 952 bool "Leave UART bootloader flash cache enabled" 953 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT && (IDF_TARGET_ESP32 || SOC_EFUSE_DIS_DOWNLOAD_ICACHE || SOC_EFUSE_DIS_DOWNLOAD_DCACHE) # NOERROR 954 default N 955 select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 956 help 957 If not set (default), the bootloader will permanently disable UART bootloader flash cache access on 958 first boot. If set, the UART bootloader will still be able to access the flash cache. 959 960 Only set this option in testing environments. 961 962 config SECURE_FLASH_REQUIRE_ALREADY_ENABLED 963 bool "Require flash encryption to be already enabled" 964 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 965 default N 966 help 967 If not set (default), and flash encryption is not yet enabled in eFuses, the 2nd stage bootloader 968 will enable flash encryption: generate the flash encryption key and program eFuses. 969 If this option is set, and flash encryption is not yet enabled, the bootloader will error out and 970 reboot. 971 If flash encryption is enabled in eFuses, this option does not change the bootloader behavior. 972 973 Only use this option in testing environments, to avoid accidentally enabling flash encryption on 974 the wrong device. The device needs to have flash encryption already enabled using espefuse.py. 975 976 config SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE 977 bool "Skip write-protection of DIS_CACHE (DIS_ICACHE, DIS_DCACHE)" 978 default n 979 depends on SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE 980 help 981 If not set (default, recommended), on the first boot the bootloader will burn the write-protection of 982 DIS_CACHE(for ESP32) or DIS_ICACHE/DIS_DCACHE(for other chips) eFuse when Flash Encryption is enabled. 983 Write protection for cache disable efuse prevents the chip from being blocked if it is set by accident. 984 App and bootloader use cache so disabling it makes the chip useless for IDF. 985 Due to other eFuses are linked with the same write protection bit (see the list below) then 986 write-protection will not be done if these SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC, 987 SECURE_BOOT_ALLOW_JTAG or SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE options are selected 988 to give a chance to turn on the chip into the release mode later. 989 990 List of eFuses with the same write protection bit: 991 ESP32: MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV. 992 993 ESP32-C3: DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, DIS_USB_SERIAL_JTAG, 994 DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 995 996 ESP32-C6: SWAP_UART_SDIO_EN, DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, 997 DIS_USB_SERIAL_JTAG, DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, 998 DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 999 1000 ESP32-H2: DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS, 1001 DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 1002 1003 ESP32-S2: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE, 1004 DIS_FORCE_DOWNLOAD, DIS_USB, DIS_TWAI, DIS_BOOT_REMAP, SOFT_DIS_JTAG, 1005 HARD_DIS_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT. 1006 1007 ESP32-S3: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE, 1008 DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG, 1009 DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL. 1010 endmenu # Potentially Insecure 1011 1012 config SECURE_FLASH_CHECK_ENC_EN_IN_APP 1013 bool "Check Flash Encryption enabled on app startup" 1014 depends on SECURE_FLASH_ENC_ENABLED 1015 default y 1016 help 1017 If set (default), in an app during startup code, 1018 there is a check of the flash encryption eFuse bit is on 1019 (as the bootloader should already have set it). 1020 The app requires this bit is on to continue work otherwise abort. 1021 1022 If not set, the app does not care if the flash encryption eFuse bit is set or not. 1023 1024 config SECURE_ROM_DL_MODE_ENABLED 1025 bool 1026 default y if SOC_SUPPORTS_SECURE_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT 1027 1028 choice SECURE_UART_ROM_DL_MODE 1029 bool "UART ROM download mode" 1030 default SECURE_ENABLE_SECURE_ROM_DL_MODE if SECURE_ROM_DL_MODE_ENABLED # NOERROR 1031 default SECURE_INSECURE_ALLOW_DL_MODE 1032 depends on SECURE_BOOT_V2_ENABLED || SECURE_FLASH_ENC_ENABLED 1033 depends on !(IDF_TARGET_ESP32 && ESP32_REV_MIN_FULL < 300) 1034 1035 config SECURE_DISABLE_ROM_DL_MODE 1036 bool "UART ROM download mode (Permanently disabled (recommended))" 1037 help 1038 If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM 1039 Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools. 1040 1041 Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode 1042 then an error is printed instead. 1043 1044 It is recommended to enable this option in any production application where Flash 1045 Encryption and/or Secure Boot is enabled and access to Download Mode is not required. 1046 1047 It is also possible to permanently disable Download Mode by calling 1048 esp_efuse_disable_rom_download_mode() at runtime. 1049 1050 config SECURE_ENABLE_SECURE_ROM_DL_MODE 1051 bool "UART ROM download mode (Permanently switch to Secure mode (recommended))" 1052 depends on SOC_SUPPORTS_SECURE_DL_MODE 1053 select ESPTOOLPY_NO_STUB 1054 help 1055 If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM 1056 Download Mode into a separate Secure Download mode. This option can only work if 1057 Download Mode is not already disabled by eFuse. 1058 1059 Secure Download mode limits the use of Download Mode functions to update SPI config, 1060 changing baud rate, basic flash write and a command to return a summary of currently 1061 enabled security features (`get_security_info`). 1062 1063 Secure Download mode is not compatible with the esptool.py flasher stub feature, 1064 espefuse.py, read/writing memory or registers, encrypted download, or any other 1065 features that interact with unsupported Download Mode commands. 1066 1067 Secure Download mode should be enabled in any application where Flash Encryption 1068 and/or Secure Boot is enabled. Disabling this option does not immediately cancel 1069 the benefits of the security features, but it increases the potential "attack 1070 surface" for an attacker to try and bypass them with a successful physical attack. 1071 1072 It is also possible to enable secure download mode at runtime by calling 1073 esp_efuse_enable_rom_secure_download_mode() 1074 1075 Note: Secure Download mode is not available for ESP32 (includes revisions till ECO3). 1076 1077 config SECURE_INSECURE_ALLOW_DL_MODE 1078 bool "UART ROM download mode (Enabled (not recommended))" 1079 help 1080 This is a potentially insecure option. 1081 Enabling this option will allow the full UART download mode to stay enabled. 1082 This option SHOULD NOT BE ENABLED for production use cases. 1083 endchoice 1084endmenu # Security features 1085
