1 /*
2  * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 
7 #include <strings.h>
8 #include "esp_flash_encrypt.h"
9 #include "esp_secure_boot.h"
10 #include "esp_efuse.h"
11 #include "esp_efuse_table.h"
12 #include "esp_log.h"
13 #include "sdkconfig.h"
14 
/* Log tag for this translation unit. Marked unused because every reference
 * is inside an ESP_LOG* macro, which presumably compiles to nothing when the
 * configured log level excludes it (confirm against esp_log.h). */
static const char *TAG __attribute__((unused)) = "secure_boot";
16 
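/**
 * Burn the eFuses that lock the boot flow down once Secure Boot is enabled.
 *
 * Programs, in this order:
 *   1. DIS_DIRECT_BOOT
 *   2. the ROM download-mode fuse selected by Kconfig: secure download mode
 *      (CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE), download mode disabled
 *      (CONFIG_SECURE_DISABLE_ROM_DL_MODE), or nothing (a warning is logged)
 *   3. DIS_PAD_JTAG, unless CONFIG_SECURE_BOOT_ALLOW_JTAG
 *   4. SECURE_BOOT_EN
 *   5. WR_DIS_RD_DIS, unless CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
 *
 * Every eFuse operation is checked. The first failure is logged and its error
 * code returned immediately, so the caller must only consider the device
 * hardened when ESP_OK comes back. Fuses handled before the failing one are
 * left in whatever state the eFuse driver put them in (presumably only staged
 * if the caller opened a batch write — confirm against the caller).
 *
 * NOTE(review): the checks assume esp_efuse_write_field_bit() reports ESP_OK
 * for a bit that is already burned, so re-running on a partially provisioned
 * device is not treated as an error — confirm against the eFuse driver.
 *
 * @return ESP_OK on success, otherwise the esp_err_t of the failed operation.
 */
esp_err_t esp_secure_boot_enable_secure_features(void)
{
    esp_err_t err = esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not disable direct boot...");
        return err;
    }

#ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
    ESP_LOGI(TAG, "Enabling Security download mode...");
    err = esp_efuse_enable_rom_secure_download_mode();
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not enable Security download mode...");
        return err;
    }
#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
    ESP_LOGI(TAG, "Disable ROM Download mode...");
    err = esp_efuse_disable_rom_download_mode();
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
        return err;
    }
#else
    // Neither option selected: the ROM download mode stays reachable.
    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
#endif

#ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
    ESP_LOGI(TAG, "Disable hardware & software JTAG...");
    err = esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not disable JTAG...");
        return err;
    }
#else
    ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#endif

    // The fuse that actually turns Secure Boot on; a silent failure here would
    // leave the device unprotected while this function reported success.
    err = esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not enable Secure Boot...");
        return err;
    }

#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
    // Secure boot and Flash encryption share one eFuse key block so they cannot be set separately.
    // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
    // SB key is readable, the corresponding bit in RD_DIS is unset.
    //   We set write-protection for RD_DIS to ensure that the SB key is always readable.
    // FE key is read-protected, the corresponding bit in RD_DIS is set.
    ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
    err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not write-protect RD_DIS...");
        return err;
    }
#else
    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#endif

    return ESP_OK;
}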
62