1 /*
2  * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 
7 #include <strings.h>
8 #include "esp_flash_encrypt.h"
9 #include "esp_secure_boot.h"
10 #include "esp_efuse.h"
11 #include "esp_efuse_table.h"
12 #include "esp_log.h"
13 #include "sdkconfig.h"
14 
/* Log tag passed to the ESP_LOGI/ESP_LOGW/ESP_LOGE calls in this file.
   __attribute__((unused)) suppresses the unused-variable warning in case a
   build ends up with no reference to TAG. */
static __attribute__((unused)) const char *TAG = "secure_boot";
16 
/**
 * @brief Write the eFuse fields that turn on Secure Boot and lock down the
 *        boot, download and debug interfaces chosen by the build configuration.
 *
 * Steps, in the order they are issued:
 *  1. ESP_EFUSE_DIS_DIRECT_BOOT is set.
 *  2. ROM download mode is switched to secure download mode, disabled, or
 *     left enabled (a warning is logged), depending on
 *     CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE / CONFIG_SECURE_DISABLE_ROM_DL_MODE.
 *  3. Pad JTAG, USB JTAG and the soft-disable JTAG field are set unless
 *     CONFIG_SECURE_BOOT_ALLOW_JTAG is defined (a warning is logged then).
 *  4. ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE is set when
 *     CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is defined.
 *  5. ESP_EFUSE_SECURE_BOOT_EN is set.
 *  6. ESP_EFUSE_WR_DIS_RD_DIS is set unless
 *     CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS is defined, or flash encryption
 *     is configured but not yet enabled.
 *
 * The branches that log "SECURITY COMPROMISED" leave an interface open; a
 * production build should not select those options.
 *
 * @return ESP_OK when the end of the sequence is reached; otherwise the error
 *         returned by esp_efuse_enable_rom_secure_download_mode() or
 *         esp_efuse_disable_rom_download_mode(). On that early return step 1
 *         has already been issued and steps 3-6 have not.
 *
 * NOTE(review): the results of esp_efuse_write_field_bit() and
 * esp_efuse_write_field_cnt() are discarded, so ESP_OK is returned even if
 * one of those writes fails. Confirm that the caller verifies the outcome
 * (for example by checking the result of committing the writes or by reading
 * the fields back) before treating the device as locked down.
 */
esp_err_t esp_secure_boot_enable_secure_features(void)
{
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);

    /* ROM download mode: restrict it, disable it, or (insecure) keep it. */
#if defined(CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE)
    ESP_LOGI(TAG, "Enabling Security download mode...");
    const esp_err_t ret = esp_efuse_enable_rom_secure_download_mode();
    if (ret != ESP_OK) {
        ESP_LOGE(TAG, "Could not enable Security download mode...");
        return ret;
    }
#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
    ESP_LOGI(TAG, "Disable ROM Download mode...");
    const esp_err_t ret = esp_efuse_disable_rom_download_mode();
    if (ret != ESP_OK) {
        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
        return ret;
    }
#else
    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
#endif

    /* JTAG: all three disable fields are written unless the build opts out. */
#if defined(CONFIG_SECURE_BOOT_ALLOW_JTAG)
    ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#else
    ESP_LOGI(TAG, "Disable hardware & software JTAG...");
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_USB_JTAG);
    /* The count passed is the field's full bit_count, i.e. every bit of
       SOFT_DIS_JTAG is requested. */
    esp_efuse_write_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count);
#endif

#if defined(CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE)
    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
#endif

    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);

    /* Write-protect the read-disable field so that no further eFuses can be
       read-disabled afterwards. */
#if defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#else
#if defined(CONFIG_SECURE_FLASH_ENC_ENABLED)
    /* With flash encryption configured but not yet active, the lock is
       postponed: it is applied later in the boot, when Flash Encryption is
       being enabled. */
    const bool lock_rd_dis = esp_flash_encryption_enabled();
#else
    const bool lock_rd_dis = true;
#endif
    if (lock_rd_dis) {
        ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
        esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
    }
#endif

    return ESP_OK;
}