1 // Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <strings.h>
16
17 #include "bootloader_flash_priv.h"
18 #include "esp_image_format.h"
19 #include "esp_flash_encrypt.h"
20 #include "esp_flash_partitions.h"
21 #include "esp_secure_boot.h"
22 #include "esp_efuse.h"
23 #include "esp_log.h"
24 #include "esp32/rom/secure_boot.h"
25 #include "hal/wdt_hal.h"
26
27 #include "esp32/rom/cache.h"
28 #include "esp32/rom/spi_flash.h" /* TODO: Remove this */
29
30 /* This file implements FLASH ENCRYPTION related APIs to perform
31 * various operations such as programming necessary flash encryption
32 * eFuses, detect whether flash encryption is enabled (by reading eFuse)
33 * and if required encrypt the partitions in flash memory
34 */
35
36 static const char *TAG = "flash_encrypt";
37
38 /* Static functions for stages of flash encryption */
39 static esp_err_t initialise_flash_encryption(void);
40 static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis) __attribute__((unused));
41 static esp_err_t encrypt_bootloader(void);
42 static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions);
43 static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition);
44
esp_flash_encrypt_check_and_update(void)45 esp_err_t esp_flash_encrypt_check_and_update(void)
46 {
47 uint32_t efuse_blk0 = REG_READ(EFUSE_BLK0_RDATA0_REG);
48 ESP_LOGV(TAG, "efuse_blk0 raw value %08x", efuse_blk0);
49 uint32_t flash_crypt_cnt = (efuse_blk0 & EFUSE_RD_FLASH_CRYPT_CNT_M) >> EFUSE_RD_FLASH_CRYPT_CNT_S;
50 bool flash_crypt_wr_dis = efuse_blk0 & EFUSE_WR_DIS_FLASH_CRYPT_CNT;
51 ESP_LOGV(TAG, "efuse FLASH_CRYPT_CNT 0x%x WR_DIS_FLASH_CRYPT_CNT 0x%x", flash_crypt_cnt, flash_crypt_wr_dis);
52
53 if (__builtin_parity(flash_crypt_cnt) == 1) {
54 /* Flash is already encrypted */
55 int left = (7 - __builtin_popcount(flash_crypt_cnt)) / 2;
56 if (flash_crypt_wr_dis) {
57 left = 0; /* can't update FLASH_CRYPT_CNT, no more flashes */
58 }
59 ESP_LOGI(TAG, "flash encryption is enabled (%d plaintext flashes left)", left);
60 return ESP_OK;
61 }
62 else {
63 #ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
64 /* Flash is not encrypted, so encrypt it! */
65 return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis);
66 #else
67 ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED "
68 "is set, refusing to boot.");
69 return ESP_ERR_INVALID_STATE;
70 #endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
71 }
72 }
73
initialise_flash_encryption(void)74 static esp_err_t initialise_flash_encryption(void)
75 {
76 uint32_t new_wdata0 = 0;
77 uint32_t new_wdata5 = 0;
78 uint32_t new_wdata6 = 0;
79
80 uint32_t coding_scheme = REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_CODING_SCHEME);
81 if (coding_scheme != EFUSE_CODING_SCHEME_VAL_NONE && coding_scheme != EFUSE_CODING_SCHEME_VAL_34) {
82 ESP_LOGE(TAG, "Unknown/unsupported CODING_SCHEME value 0x%x", coding_scheme);
83 return ESP_ERR_NOT_SUPPORTED;
84 }
85
86 /* Before first flash encryption pass, need to initialise key & crypto config */
87
88 /* Generate key */
89 uint32_t dis_reg = REG_READ(EFUSE_BLK0_RDATA0_REG);
90 bool efuse_key_read_protected = dis_reg & EFUSE_RD_DIS_BLK1;
91 bool efuse_key_write_protected = dis_reg & EFUSE_WR_DIS_BLK1;
92 if (efuse_key_read_protected == false
93 && efuse_key_write_protected == false
94 && REG_READ(EFUSE_BLK1_RDATA0_REG) == 0
95 && REG_READ(EFUSE_BLK1_RDATA1_REG) == 0
96 && REG_READ(EFUSE_BLK1_RDATA2_REG) == 0
97 && REG_READ(EFUSE_BLK1_RDATA3_REG) == 0
98 && REG_READ(EFUSE_BLK1_RDATA4_REG) == 0
99 && REG_READ(EFUSE_BLK1_RDATA5_REG) == 0
100 && REG_READ(EFUSE_BLK1_RDATA6_REG) == 0
101 && REG_READ(EFUSE_BLK1_RDATA7_REG) == 0) {
102 ESP_LOGI(TAG, "Generating new flash encryption key...");
103 esp_efuse_write_random_key(EFUSE_BLK1_WDATA0_REG);
104 // defer efuse programming step to the end
105
106 ESP_LOGI(TAG, "Read & write protecting new key...");
107 new_wdata0 |= EFUSE_WR_DIS_BLK1 | EFUSE_RD_DIS_BLK1;
108 } else {
109
110 if(!(efuse_key_read_protected && efuse_key_write_protected)) {
111 ESP_LOGE(TAG, "Flash encryption key has to be either unset or both read and write protected");
112 return ESP_ERR_INVALID_STATE;
113 }
114 ESP_LOGW(TAG, "Using pre-loaded flash encryption key in EFUSE block 1");
115 }
116 /* CRYPT_CONFIG determines which bits of the AES block key are XORed
117 with bits from the flash address, to provide the key tweak.
118
119 CRYPT_CONFIG == 0 is effectively AES ECB mode (NOT SUPPORTED)
120
121 For now this is hardcoded to XOR all 256 bits of the key.
122
123 If you need to override it, you can pre-burn this efuse to the
124 desired value and then write-protect it, in which case this
125 operation does nothing. Please note this is not recommended!
126 */
127 ESP_LOGI(TAG, "Setting CRYPT_CONFIG efuse to 0xF");
128 new_wdata5 |= EFUSE_FLASH_CRYPT_CONFIG_M;
129
130 #ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
131 ESP_LOGI(TAG, "Disable UART bootloader encryption...");
132 new_wdata6 |= EFUSE_DISABLE_DL_ENCRYPT;
133 #else
134 ESP_LOGW(TAG, "Not disabling UART bootloader encryption");
135 #endif
136
137 #ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC
138 ESP_LOGI(TAG, "Disable UART bootloader decryption...");
139 new_wdata6 |= EFUSE_DISABLE_DL_DECRYPT;
140 #else
141 ESP_LOGW(TAG, "Not disabling UART bootloader decryption - SECURITY COMPROMISED");
142 #endif
143
144 #ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE
145 ESP_LOGI(TAG, "Disable UART bootloader MMU cache...");
146 new_wdata6 |= EFUSE_DISABLE_DL_CACHE;
147 #else
148 ESP_LOGW(TAG, "Not disabling UART bootloader MMU cache - SECURITY COMPROMISED");
149 #endif
150
151 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
152 ESP_LOGI(TAG, "Disable JTAG...");
153 new_wdata6 |= EFUSE_RD_DISABLE_JTAG;
154 #else
155 ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
156 #endif
157
158 #ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
159 ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
160 new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE;
161 #else
162 ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
163 #endif
164
165 #if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
166 // This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
167 // otherwise the Flash Encryption key cannot be read protected
168 new_wdata0 |= EFUSE_WR_DIS_RD_DIS;
169 #endif
170
171 REG_WRITE(EFUSE_BLK0_WDATA0_REG, new_wdata0);
172 REG_WRITE(EFUSE_BLK0_WDATA5_REG, new_wdata5);
173 REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);
174 esp_efuse_burn_new_values();
175
176 return ESP_OK;
177 }
178
179 /* Encrypt all flash data that should be encrypted */
encrypt_flash_contents(uint32_t flash_crypt_cnt,bool flash_crypt_wr_dis)180 static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis)
181 {
182 esp_err_t err;
183 esp_partition_info_t partition_table[ESP_PARTITION_TABLE_MAX_ENTRIES];
184 int num_partitions;
185
186 /* If the last flash_crypt_cnt bit is burned or write-disabled, the
187 device can't re-encrypt itself. */
188 if (flash_crypt_wr_dis || flash_crypt_cnt == 0xFF) {
189 ESP_LOGE(TAG, "Cannot re-encrypt data (FLASH_CRYPT_CNT 0x%02x write disabled %d", flash_crypt_cnt, flash_crypt_wr_dis);
190 return ESP_FAIL;
191 }
192
193 if (flash_crypt_cnt == 0) {
194 /* Very first flash of encrypted data: generate keys, etc. */
195 err = initialise_flash_encryption();
196 if (err != ESP_OK) {
197 return err;
198 }
199 }
200
201 err = encrypt_bootloader();
202 if (err != ESP_OK) {
203 return err;
204 }
205
206 err = encrypt_and_load_partition_table(partition_table, &num_partitions);
207 if (err != ESP_OK) {
208 return err;
209 }
210
211 /* Now iterate the just-loaded partition table, looking for entries to encrypt
212 */
213
214 /* Go through each partition and encrypt if necessary */
215 for (int i = 0; i < num_partitions; i++) {
216 err = encrypt_partition(i, &partition_table[i]);
217 if (err != ESP_OK) {
218 return err;
219 }
220 }
221
222 ESP_LOGD(TAG, "All flash regions checked for encryption pass");
223
224 uint32_t new_flash_crypt_cnt;
225 #ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
226 // Go straight to max, permanently enabled
227 ESP_LOGI(TAG, "Setting FLASH_CRYPT_CNT for permanent encryption");
228 new_flash_crypt_cnt = EFUSE_FLASH_CRYPT_CNT;
229 #else
230 /* Set least significant 0-bit in flash_crypt_cnt */
231 int ffs_inv = __builtin_ffs((~flash_crypt_cnt) & EFUSE_RD_FLASH_CRYPT_CNT);
232 /* ffs_inv shouldn't be zero, as zero implies flash_crypt_cnt == EFUSE_RD_FLASH_CRYPT_CNT (0x7F) */
233 new_flash_crypt_cnt = flash_crypt_cnt + (1 << (ffs_inv - 1));
234 #endif
235 ESP_LOGD(TAG, "FLASH_CRYPT_CNT 0x%x -> 0x%x", flash_crypt_cnt, new_flash_crypt_cnt);
236 uint32_t wdata0_reg = ((new_flash_crypt_cnt & EFUSE_FLASH_CRYPT_CNT) << EFUSE_FLASH_CRYPT_CNT_S);
237
238 REG_WRITE(EFUSE_BLK0_WDATA0_REG, wdata0_reg);
239 esp_efuse_burn_new_values();
240
241 ESP_LOGI(TAG, "Flash encryption completed");
242
243 return ESP_OK;
244 }
245
encrypt_bootloader(void)246 static esp_err_t encrypt_bootloader(void)
247 {
248 esp_err_t err;
249 uint32_t image_length;
250 /* Check for plaintext bootloader (verification will fail if it's already encrypted) */
251 if (esp_image_verify_bootloader(&image_length) == ESP_OK) {
252 ESP_LOGD(TAG, "bootloader is plaintext. Encrypting...");
253
254 #if CONFIG_SECURE_BOOT_V2_ENABLED
255 /* The image length obtained from esp_image_verify_bootloader includes the sector boundary padding and the signature block lengths */
256 if (ESP_BOOTLOADER_OFFSET + image_length > ESP_PARTITION_TABLE_OFFSET) {
257 ESP_LOGE(TAG, "Bootloader is too large to fit Secure Boot V2 signature sector and partition table (configured offset 0x%x)", ESP_PARTITION_TABLE_OFFSET);
258 return ESP_ERR_INVALID_STATE;
259 }
260 #endif // CONFIG_SECURE_BOOT_V2_ENABLED
261
262 err = esp_flash_encrypt_region(ESP_BOOTLOADER_OFFSET, image_length);
263 if (err != ESP_OK) {
264 ESP_LOGE(TAG, "Failed to encrypt bootloader in place: 0x%x", err);
265 return err;
266 }
267
268 #ifdef CONFIG_SECURE_BOOT_V1_ENABLED
269 /* If secure boot is enabled and bootloader was plaintext, also
270 * need to encrypt secure boot IV+digest.
271 */
272 ESP_LOGD(TAG, "Encrypting secure bootloader IV & digest...");
273 err = esp_flash_encrypt_region(FLASH_OFFS_SECURE_BOOT_IV_DIGEST,
274 FLASH_SECTOR_SIZE);
275 if (err != ESP_OK) {
276 ESP_LOGE(TAG, "Failed to encrypt bootloader IV & digest in place: 0x%x", err);
277 return err;
278 }
279 #endif
280 }
281 else {
282 ESP_LOGW(TAG, "no valid bootloader was found");
283 }
284
285 return ESP_OK;
286 }
287
encrypt_and_load_partition_table(esp_partition_info_t * partition_table,int * num_partitions)288 static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions)
289 {
290 esp_err_t err;
291 /* Check for plaintext partition table */
292 err = bootloader_flash_read(ESP_PARTITION_TABLE_OFFSET, partition_table, ESP_PARTITION_TABLE_MAX_LEN, false);
293 if (err != ESP_OK) {
294 ESP_LOGE(TAG, "Failed to read partition table data");
295 return err;
296 }
297 if (esp_partition_table_verify(partition_table, false, num_partitions) == ESP_OK) {
298 ESP_LOGD(TAG, "partition table is plaintext. Encrypting...");
299 esp_err_t err = esp_flash_encrypt_region(ESP_PARTITION_TABLE_OFFSET,
300 FLASH_SECTOR_SIZE);
301 if (err != ESP_OK) {
302 ESP_LOGE(TAG, "Failed to encrypt partition table in place. %x", err);
303 return err;
304 }
305 }
306 else {
307 ESP_LOGE(TAG, "Failed to read partition table data - not plaintext?");
308 return ESP_ERR_INVALID_STATE;
309 }
310
311 /* Valid partition table loded */
312 return ESP_OK;
313 }
314
315
encrypt_partition(int index,const esp_partition_info_t * partition)316 static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition)
317 {
318 esp_err_t err;
319 bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
320
321 if (partition->type == PART_TYPE_APP) {
322 /* check if the partition holds a valid unencrypted app */
323 esp_image_metadata_t data_ignored;
324 err = esp_image_verify(ESP_IMAGE_VERIFY,
325 &partition->pos,
326 &data_ignored);
327 should_encrypt = (err == ESP_OK);
328 } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
329 || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
330 /* check if we have ota data partition and the partition should be encrypted unconditionally */
331 should_encrypt = true;
332 }
333
334 if (!should_encrypt) {
335 return ESP_OK;
336 }
337 else {
338 /* should_encrypt */
339 ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x...", index, partition->pos.offset);
340
341 err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size);
342 if (err != ESP_OK) {
343 ESP_LOGE(TAG, "Failed to encrypt partition %d", index);
344 }
345 return err;
346 }
347 }
348
349
esp_flash_encrypt_region(uint32_t src_addr,size_t data_length)350 esp_err_t esp_flash_encrypt_region(uint32_t src_addr, size_t data_length)
351 {
352 esp_err_t err;
353 uint32_t buf[FLASH_SECTOR_SIZE / sizeof(uint32_t)];
354
355 if (src_addr % FLASH_SECTOR_SIZE != 0) {
356 ESP_LOGE(TAG, "esp_flash_encrypt_region bad src_addr 0x%x",src_addr);
357 return ESP_FAIL;
358 }
359
360 wdt_hal_context_t rtc_wdt_ctx = {.inst = WDT_RWDT, .rwdt_dev = &RTCCNTL};
361 for (size_t i = 0; i < data_length; i += FLASH_SECTOR_SIZE) {
362 wdt_hal_write_protect_disable(&rtc_wdt_ctx);
363 wdt_hal_feed(&rtc_wdt_ctx);
364 wdt_hal_write_protect_enable(&rtc_wdt_ctx);
365 uint32_t sec_start = i + src_addr;
366 err = bootloader_flash_read(sec_start, buf, FLASH_SECTOR_SIZE, false);
367 if (err != ESP_OK) {
368 goto flash_failed;
369 }
370 err = bootloader_flash_erase_sector(sec_start / FLASH_SECTOR_SIZE);
371 if (err != ESP_OK) {
372 goto flash_failed;
373 }
374 err = bootloader_flash_write(sec_start, buf, FLASH_SECTOR_SIZE, true);
375 if (err != ESP_OK) {
376 goto flash_failed;
377 }
378 }
379 return ESP_OK;
380
381 flash_failed:
382 ESP_LOGE(TAG, "flash operation failed: 0x%x", err);
383 return err;
384 }
385
