1 /*
2  * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 
7 #include <strings.h>
8 #include "esp_flash_encrypt.h"
9 #include "esp_secure_boot.h"
10 #include "esp_efuse.h"
11 #include "esp_efuse_table.h"
12 #include "esp_log.h"
13 #include "sdkconfig.h"
14 
15 static __attribute__((unused)) const char *TAG = "secure_boot";
16 
/*
 * Write the eFuse bits that turn on Secure Boot and lock down the related
 * boot and debug paths, as selected by the build-time CONFIG_SECURE_* options.
 *
 * eFuse bits are one-time programmable, so nothing written here can be undone.
 * Every option that leaves a hardening bit unwritten is reported with a
 * "SECURITY COMPROMISED" warning in the log.
 *
 * Returns the error from the ROM download-mode helper if that step fails (the
 * two writes above it have already been issued, the later ones are skipped);
 * otherwise ESP_OK.
 *
 * NOTE(review): the results of the esp_efuse_write_field_bit() calls are
 * discarded, so ESP_OK does not by itself show that every bit was programmed.
 * Confirm that the caller detects a failed burn.
 */
esp_err_t esp_secure_boot_enable_secure_features(void)
{
    /* Written unconditionally; judging by the field names these close
       alternative boot paths - TODO confirm against the eFuse table. */
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
    esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);

    /* ROM download mode: switch to the secure variant, disable it outright,
       or (neither option set) leave it enabled and warn. */
#ifdef CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
    ESP_LOGI(TAG, "Enabling Security download mode...");
    esp_err_t dl_mode_err = esp_efuse_enable_rom_secure_download_mode();
    if (dl_mode_err != ESP_OK) {
        ESP_LOGE(TAG, "Could not enable Security download mode...");
        return dl_mode_err;
    }
#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
    ESP_LOGI(TAG, "Disable ROM Download mode...");
    esp_err_t dl_mode_err = esp_efuse_disable_rom_download_mode();
    if (dl_mode_err != ESP_OK) {
        ESP_LOGE(TAG, "Could not disable ROM Download mode...");
        return dl_mode_err;
    }
#else
    ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
#endif

    /* JTAG: both the hardware and the software disable bit are written
       unless the build explicitly keeps JTAG available. */
#ifdef CONFIG_SECURE_BOOT_ALLOW_JTAG
    ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#else
    ESP_LOGI(TAG, "Disable hardware & software JTAG...");
    esp_efuse_write_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
    esp_efuse_write_field_bit(ESP_EFUSE_SOFT_DIS_JTAG);
#endif

#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
#endif

    /* The Secure Boot enable bit itself; written after the lock-down bits above. */
    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);

    /* Write-protect the RD_DIS field so that no further eFuses can be
       read-disabled afterwards. */
#ifdef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
#else
#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
    /* Flash encryption is configured: lock RD_DIS now only if encryption is
       already active. Otherwise the lock is left for later in the boot, when
       flash encryption is being enabled (presumably because that step still
       has to read-protect its own key - TODO confirm). */
    const bool lock_rd_dis_now = esp_flash_encryption_enabled();
#else
    const bool lock_rd_dis_now = true;
#endif
    if (lock_rd_dis_now) {
        ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
        esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
    }
#endif

    return ESP_OK;
}