1 /*
2 * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6
7 #include <strings.h>
8 #include "esp_flash_encrypt.h"
9 #include "esp_secure_boot.h"
10 #include "esp_efuse.h"
11 #include "esp_efuse_table.h"
12 #include "esp_log.h"
13 #include "sdkconfig.h"
14
/* Tag passed to the ESP_LOG* macros in this file. The unused attribute is
 * presumably there for builds in which those macros expand to nothing. */
static const char *TAG __attribute__((unused)) = "secure_boot";
16
/**
 * Burn the eFuses that lock the chip down when Secure Boot is being enabled.
 *
 * In order, as selected by sdkconfig: sets DIS_DIRECT_BOOT, restricts or
 * disables ROM download mode, disables pad/USB/software JTAG, optionally sets
 * SECURE_BOOT_AGGRESSIVE_REVOKE, sets SECURE_BOOT_EN, and write-protects RD_DIS.
 *
 * @return ESP_OK, or the error from the ROM download mode helper if it fails.
 *
 * NOTE(review): the results of esp_efuse_write_field_bit() and
 * esp_efuse_write_field_cnt() are discarded, so ESP_OK alone does not show
 * that the JTAG-disable or SECURE_BOOT_EN bits were accepted. Presumably the
 * caller wraps this in an eFuse batch write and checks the commit result;
 * confirm against the caller, and verify the burned fields after provisioning.
 */
esp_err_t esp_secure_boot_enable_secure_features(void)
{
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);

    /* ROM download mode: restrict it, disable it, or (insecure) leave it as is. */
#ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
    ESP_LOGI(TAG, "Enabling Security download mode...");
    const esp_err_t dl_mode_rc = esp_efuse_enable_rom_secure_download_mode();
    if (dl_mode_rc != ESP_OK) {
        ESP_LOGE(TAG, "Could not enable Security download mode...");
        return dl_mode_rc;
    }
#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
    ESP_LOGI(TAG, "Disable ROM Download mode...");
    const esp_err_t dl_mode_rc = esp_efuse_disable_rom_download_mode();
    if (dl_mode_rc != ESP_OK) {
        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
        return dl_mode_rc;
    }
#else
    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
#endif

    /* Debug access: JTAG stays available only when the config explicitly allows it. */
#ifdef CONFIG_SECURE_BOOT_ALLOW_JTAG
    ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#else
    ESP_LOGI(TAG, "Disable hardware & software JTAG...");
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_USB_JTAG);
    /* The count requested equals the bit width of the field's first descriptor. */
    esp_efuse_write_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count);
#endif

#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
#endif

    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);

    /* Write-protect RD_DIS so no further eFuses can be read-disabled. */
#ifdef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#else
#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
    /* Flash encryption is configured: lock RD_DIS now only if it is already
       enabled. Otherwise the lock is left for later in the boot, when Flash
       Encryption is being enabled. */
    const bool lock_rd_dis = esp_flash_encryption_enabled();
#else
    const bool lock_rd_dis = true;
#endif
    if (lock_rd_dis) {
        ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
        esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
    }
#endif

    return ESP_OK;
}
71