1 /*
2  * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 
7 #include <strings.h>
8 #include "esp_flash_encrypt.h"
9 #include "esp_secure_boot.h"
10 #include "esp_efuse.h"
11 #include "esp_efuse_table.h"
12 #include "esp_log.h"
13 #include "sdkconfig.h"
14 
15 static __attribute__((unused)) const char *TAG = "flash_encrypt";
16 
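/**
 * Burn the ESP32 eFuse bits that lock down the debug and download paths as
 * part of enabling flash encryption.
 *
 * Every eFuse read/write result is checked. A failed burn is logged and its
 * error code returned at once, so the caller never continues the enable flow
 * believing a feature was disabled when the eFuse was not actually written.
 * Features a Kconfig option deliberately leaves enabled are only logged as
 * warnings, as before.
 *
 * @return ESP_OK when every requested eFuse was written (or already held the
 *         required value); otherwise the esp_err_t of the failing eFuse call.
 */
esp_err_t esp_flash_encryption_enable_secure_features(void)
{
    esp_err_t err = ESP_OK;

    /* CRYPT_CONFIG determines which bits of the AES block key are XORed
       with bits from the flash address, to provide the key tweak.

       CRYPT_CONFIG == 0 is effectively AES ECB mode (NOT SUPPORTED)

       For now this is hardcoded to XOR all 256 bits of the key.

       If you need to override it, you can pre-burn this efuse to the
       desired value and then write-protect it, in which case this
       operation does nothing. Please note this is not recommended!
    */
    ESP_LOGI(TAG, "Setting CRYPT_CONFIG efuse to 0xF");
    uint32_t crypt_config = 0;
    /* The size argument is the field width in bits: CRYPT_CONFIG is 4 bits. */
    err = esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to read EFUSE_ENCRYPT_CONFIG (err 0x%x)", err);
        return err;
    }
    if (crypt_config == 0) {
        crypt_config = EFUSE_FLASH_CRYPT_CONFIG;
        err = esp_efuse_write_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4);
        if (err != ESP_OK) {
            ESP_LOGE(TAG, "Failed to write EFUSE_ENCRYPT_CONFIG (err 0x%x)", err);
            return err;
        }
    } else if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) {
        /* A value other than 0xF was pre-burned (see the note above).
           Nothing is written here; the weaker tweak is only reported. */
        ESP_LOGE(TAG, "EFUSE_ENCRYPT_CONFIG should be set 0xF but it is 0x%x", crypt_config);
    }

#ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
    ESP_LOGI(TAG, "Disable UART bootloader encryption...");
    err = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to burn DISABLE_DL_ENCRYPT (err 0x%x)", err);
        return err;
    }
#else
    ESP_LOGW(TAG, "Not disabling UART bootloader encryption");
#endif

#ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC
    ESP_LOGI(TAG, "Disable UART bootloader decryption...");
    err = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to burn DISABLE_DL_DECRYPT (err 0x%x)", err);
        return err;
    }
#else
    ESP_LOGW(TAG, "Not disabling UART bootloader decryption - SECURITY COMPROMISED");
#endif

#ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE
    ESP_LOGI(TAG, "Disable UART bootloader MMU cache...");
    err = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_CACHE);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to burn DISABLE_DL_CACHE (err 0x%x)", err);
        return err;
    }
#else
    ESP_LOGW(TAG, "Not disabling UART bootloader MMU cache - SECURITY COMPROMISED");
#endif

#ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
    ESP_LOGI(TAG, "Disable JTAG...");
    err = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_JTAG);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to burn DISABLE_JTAG (err 0x%x)", err);
        return err;
    }
#else
    ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#endif

#ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
    ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
    err = esp_efuse_write_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to burn CONSOLE_DEBUG_DISABLE (err 0x%x)", err);
        return err;
    }
#else
    ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
#endif

#if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
    // This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
    // otherwise the Flash Encryption key cannot be read protected
    err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to burn WR_DIS_EFUSE_RD_DISABLE (err 0x%x)", err);
        return err;
    }
#endif

#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
    // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
    // esp32 has DIS_ICACHE. Write-protection bit = 3.
    // List of eFuses with the same write protection bit:
    // MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV.
    err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to burn WR_DIS_DIS_CACHE (err 0x%x)", err);
        return err;
    }
#endif

    return ESP_OK;
}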
92