1 /*
2 * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6
7 #include <strings.h>
8 #include "esp_flash_encrypt.h"
9 #include "esp_secure_boot.h"
10 #include "esp_efuse.h"
11 #include "esp_efuse_table.h"
12 #include "esp_log.h"
13 #include "sdkconfig.h"
14
/* Log tag passed to the ESP_LOGx macros in this file. The `unused` attribute
 * suppresses the unused-variable warning; presumably needed for builds where
 * the log macros compile to nothing (confirm against the log configuration). */
static __attribute__((unused)) const char *TAG = "secure_boot";
16
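/*
 * Program one single-bit eFuse field and log a named error if the write is
 * rejected, so a failed hardening step is visible and can be propagated.
 */
static esp_err_t burn_security_bit(const esp_efuse_desc_t *field[], const char *name)
{
    esp_err_t err = esp_efuse_write_field_bit(field);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not burn eFuse %s (err 0x%x)", name, (unsigned)err);
    }
    return err;
}

/**
 * @brief Burn the eFuses that harden the chip alongside Secure Boot.
 *
 * Steps, in order:
 *  - set DIS_BOOT_REMAP and DIS_LEGACY_SPI_BOOT;
 *  - apply the configured ROM download mode policy (secure download mode,
 *    fully disabled, or left enabled with a warning);
 *  - disable hardware and software JTAG unless CONFIG_SECURE_BOOT_ALLOW_JTAG;
 *  - optionally set SECURE_BOOT_AGGRESSIVE_REVOKE;
 *  - set SECURE_BOOT_EN;
 *  - write-protect RD_DIS unless CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS.
 *
 * Every eFuse write is checked. The first failure is logged and returned
 * immediately, so the function never reports ESP_OK while a hardening bit
 * (for example the JTAG disable) was not accepted. SECURE_BOOT_EN is written
 * only after the earlier hardening bits succeeded.
 *
 * NOTE(review): relies on esp_efuse_write_field_bit() reporting success for a
 * bit that is already programmed, so that a re-run after a reset stays
 * idempotent - confirm for the IDF version in use.
 * NOTE(review): whether writes are burned at once or staged depends on the
 * caller having opened an eFuse batch write; that is not visible here.
 *
 * @return ESP_OK when every requested eFuse was written, otherwise the error
 *         code of the first write that failed.
 */
esp_err_t esp_secure_boot_enable_secure_features(void)
{
    esp_err_t err;

    err = burn_security_bit(ESP_EFUSE_DIS_BOOT_REMAP, "DIS_BOOT_REMAP");
    if (err != ESP_OK) {
        return err;
    }
    err = burn_security_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT, "DIS_LEGACY_SPI_BOOT");
    if (err != ESP_OK) {
        return err;
    }

#ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
    ESP_LOGI(TAG, "Enabling Security download mode...");
    err = esp_efuse_enable_rom_secure_download_mode();
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not enable Security download mode...");
        return err;
    }
#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
    ESP_LOGI(TAG, "Disable ROM Download mode...");
    err = esp_efuse_disable_rom_download_mode();
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
        return err;
    }
#else
    /* Development-only configuration: the UART ROM download mode stays
     * available. Not suitable for production devices. */
    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
#endif

#ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
    ESP_LOGI(TAG, "Disable hardware & software JTAG...");
    err = burn_security_bit(ESP_EFUSE_HARD_DIS_JTAG, "HARD_DIS_JTAG");
    if (err != ESP_OK) {
        return err;
    }
    err = burn_security_bit(ESP_EFUSE_SOFT_DIS_JTAG, "SOFT_DIS_JTAG");
    if (err != ESP_OK) {
        return err;
    }
#else
    /* Development-only configuration: the debug port stays usable. Not
     * suitable for production devices. */
    ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#endif

#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
    err = burn_security_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE,
                            "SECURE_BOOT_AGGRESSIVE_REVOKE");
    if (err != ESP_OK) {
        return err;
    }
#endif

    /* Reached only when every hardening write above was accepted. */
    err = burn_security_bit(ESP_EFUSE_SECURE_BOOT_EN, "SECURE_BOOT_EN");
    if (err != ESP_OK) {
        return err;
    }

#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
    bool rd_dis_now = true;
#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
    /* If flash encryption is not enabled yet, do not write-protect RD_DIS
     * now; it is done later in the boot, when flash encryption is being
     * enabled. */
    rd_dis_now = esp_flash_encryption_enabled();
#endif
    if (rd_dis_now) {
        ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
        /* Setting the write-disable bit for RD_DIS stops any further
         * read-disable bits from being set. */
        err = burn_security_bit(ESP_EFUSE_WR_DIS_RD_DIS, "WR_DIS_RD_DIS");
        if (err != ESP_OK) {
            return err;
        }
    }
#else
    /* Development-only configuration: RD_DIS remains writable. */
    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#endif

    return ESP_OK;
}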
71