From 346cba9c57056aa379e41a38ac229b6c8bcf3bde Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Mon, 13 Jun 2022 21:42:28 +0800
Subject: [PATCH] efuse example: Adds CI tests for ESP32-C2
---
.gitlab/ci/target-test.yml | 6 +
examples/system/.build-test-rules.yml | 4 -
examples/system/efuse/README.md | 4 +-
examples/system/efuse/example_test.py | 118 +++++++++++------
examples/system/efuse/main/efuse_main.c | 14 +++
.../sdkconfig.ci.virt_sb_v2_and_fe.esp32 | 21 ++++
.../sdkconfig.ci.virt_sb_v2_and_fe.esp32c2 | 17 +++
...=> sdkconfig.ci.virt_sb_v2_and_fe.esp32c3} | 5 +-
.../sdkconfig.ci.virt_sb_v2_and_fe.esp32s2 | 17 +++
.../sdkconfig.ci.virt_secure_boot_v2.esp32 | 20 +++
.../sdkconfig.ci.virt_secure_boot_v2.esp32c2 | 16 +++
... sdkconfig.ci.virt_secure_boot_v2.esp32c3} | 5 +-
.../sdkconfig.ci.virt_secure_boot_v2.esp32s2 | 16 +++
...secure_boot_signing_key_ecdsa_nistp256.pem | 5 +
14 files changed, 214 insertions(+), 54 deletions(-)
create mode 100644 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32
create mode 100644 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2
rename examples/system/efuse/{sdkconfig.ci.virt_sb_v2_and_fe => sdkconfig.ci.virt_sb_v2_and_fe.esp32c3} (85%)
create mode 100644 examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2
create mode 100644 examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32
create mode 100644 examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32c2
rename examples/system/efuse/{sdkconfig.ci.virt_secure_boot_v2 => sdkconfig.ci.virt_secure_boot_v2.esp32c3} (85%)
create mode 100644 examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32s2
create mode 100644 examples/system/efuse/test/secure_boot_signing_key_ecdsa_nistp256.pem
diff --git a/.gitlab/ci/target-test.yml b/.gitlab/ci/target-test.yml
index c4c3591d48..6ca24aa1d1 100644
--- a/.gitlab/ci/target-test.yml
+++ b/.gitlab/ci/target-test.yml
@@ -613,6 +613,12 @@ example_test_C3_GENERIC: - ESP32C3 - Example_GENERIC +example_test_C2_GENERIC: + extends: .example_test_esp32c2_template + tags: + - ESP32C2 + - Example_GENERIC + example_test_ESP32_SDSPI: extends: .example_test_esp32_template tags: diff --git a/examples/system/.build-test-rules.yml b/examples/system/.build-test-rules.yml index 7cfcddac8d..6235efcdea 100644 --- a/examples/system/.build-test-rules.yml +++ b/examples/system/.build-test-rules.yml @@ -43,10 +43,6 @@ examples/system/deep_sleep: reason: target esp32c2 is not supported yet examples/system/efuse: - disable: - - if: IDF_TARGET == "esp32c2" - temporary: true - reason: target esp32c2 is not supported yet disable_test: - if: IDF_TARGET == "esp32s3" temporary: true diff --git a/examples/system/efuse/README.md b/examples/system/efuse/README.md index 14e9e36e3d..23a722c6d7 100644 --- a/examples/system/efuse/README.md +++ b/examples/system/efuse/README.md @@ -1,5 +1,5 @@ -| Supported Targets | ESP32 | ESP32-C3 | ESP32-S2 | ESP32-S3 | -| ----------------- | ----- | -------- | -------- | -------- | +| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-S2 | ESP32-S3 | +| ----------------- | ----- | -------- | -------- | -------- | -------- | # eFuse Example diff --git a/examples/system/efuse/example_test.py b/examples/system/efuse/example_test.py index 868b2266f2..af5afa9e62 100644 --- a/examples/system/efuse/example_test.py +++ b/examples/system/efuse/example_test.py @@ -27,7 +27,7 @@ def erase_field_on_emul_efuse(dut, pos_of_bits): # type: (ttfw_idf.TinyFW.Env, dut.write_flash(flash_files) -@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32c3']) +@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32c3', 'esp32c2']) def test_examples_efuse(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None dut = env.get_dut('efuse', 'examples/system/efuse') dut.start_app() 
@@ -54,7 +54,7 @@ def test_examples_efuse(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None timeout=30) -@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32s2', 'esp32c3']) +@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32s2', 'esp32c3', 'esp32c2']) def test_examples_efuse_with_virt_flash_enc(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_flash_enc') # check and log bin size @@ -79,7 +79,10 @@ def test_examples_efuse_with_virt_flash_enc(env, _): # type: (ttfw_idf.TinyFW.E dut.expect('Disable JTAG...') dut.expect('Disable ROM BASIC interpreter fallback...') else: - dut.expect('Writing EFUSE_BLK_KEY0 with purpose 4') + if dut.TARGET == 'esp32c2': + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 1') + else: + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 4') dut.expect('Not disabling UART bootloader encryption') dut.expect('Disable UART bootloader cache...') dut.expect('Disable JTAG...') @@ -138,7 +141,7 @@ def test_examples_efuse_with_virt_flash_enc_aes_256(env, _): # type: (ttfw_idf. dut.expect('example: Done') -@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32s2', 'esp32c3']) +@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32s2', 'esp32c3', 'esp32c2']) def test_examples_efuse_with_virt_flash_enc_pre_loaded(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_flash_enc') 
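Review bot: In the `@@ -79,7 +79,10 @@` hunk the new target check is nested as `else:` followed by `if dut.TARGET == 'esp32c2':`, and the key-purpose numbers 1 and 4 appear only as bare literals inside the expected log text. Flattening to `elif dut.TARGET == 'esp32c2':` keeps the target branches at one level, and a comment such as `# key purpose value differs per target; see that target's eFuse key-purpose enum` would tell a reader why the number changes. The same shape is repeated in the `@@ -226,7 +232,10 @@` hunk of `test_examples_efuse_with_virt_flash_enc_release`. The enclosing `if` starts above the hunk, so its first condition is not visible here.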
@@ -161,6 +164,9 @@ def test_examples_efuse_with_virt_flash_enc_pre_loaded(env, _): # type: (ttfw_i FLASH_CRYPT_CNT = 20 # Resets eFuse, which enables Flash encryption feature erase_field_on_emul_efuse(dut, [FLASH_CRYPT_CNT]) + elif dut.TARGET == 'esp32c2': + FLASH_CRYPT_CNT = 39 + erase_field_on_emul_efuse(dut, [FLASH_CRYPT_CNT]) else: # offset of this eFuse is taken from components/efuse/{target}/esp_efuse_table.csv print(' - Flash emul_efuse with pre-loaded efuses (SPI_BOOT_CRYPT_CNT 1 -> 0)') @@ -201,7 +207,7 @@ def test_examples_efuse_with_virt_flash_enc_pre_loaded(env, _): # type: (ttfw_i dut.expect('example: Done') -@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32s2', 'esp32c3']) +@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32', 'esp32s2', 'esp32c3', 'esp32c2']) def test_examples_efuse_with_virt_flash_enc_release(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_flash_enc_release') # check and log bin size @@ -226,7 +232,10 @@ def test_examples_efuse_with_virt_flash_enc_release(env, _): # type: (ttfw_idf. dut.expect('Disable JTAG...') dut.expect('Disable ROM BASIC interpreter fallback...') else: - dut.expect('Writing EFUSE_BLK_KEY0 with purpose 4') + if dut.TARGET == 'esp32c2': + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 1') + else: + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 4') dut.expect('Disable UART bootloader encryption') dut.expect('Disable UART bootloader cache...') dut.expect('Disable JTAG...') 
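Review bot: The new `elif dut.TARGET == 'esp32c2':` branch in the `@@ -161,6 +164,9 @@` hunk hard-codes `FLASH_CRYPT_CNT = 39` without the source-of-truth comment or the progress `print` that the following `else` branch carries. If that bit position ever drifts from the eFuse table, `erase_field_on_emul_efuse` would clear a different emulated bit and the test would no longer exercise the pre-loaded flash-encryption path it is named for. I would add `# offset taken from components/efuse/{target}/esp_efuse_table.csv (esp32c2)` above the assignment and a `print` line in the style of the `else` branch. The function body continues outside the hunk.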
@@ -347,7 +356,7 @@ def test_examples_efuse_with_virt_secure_boot_v1_pre_loaded(env, _): # type: (t @ttfw_idf.idf_example_test(env_tag='Example_EthKitV12', target=['esp32']) def test_examples_efuse_with_virt_secure_boot_v2(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None # only for ESP32 ECO3 - dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2') + dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2.' + env.default_dut_cls.TARGET) # check and log bin size binary_file = os.path.join(dut.app.binary_path, 'bootloader', 'bootloader.bin') bin_size = os.path.getsize(binary_file) @@ -408,7 +417,7 @@ def test_examples_efuse_with_virt_secure_boot_v2(env, _): # type: (ttfw_idf.Tin @ttfw_idf.idf_example_test(env_tag='Example_EthKitV12', target=['esp32']) def test_examples_efuse_with_virt_secure_boot_v2_pre_loaded(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None # only for ESP32 ECO3 - dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2') + dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2.' + env.default_dut_cls.TARGET) print(' - Erase flash') dut.erase_flash() 
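Review bot: No `.esp32s3` variant backs the per-target config name built by `app_config_name='virt_secure_boot_v2.' + env.default_dut_cls.TARGET`, while the unsuffixed `sdkconfig.ci.virt_secure_boot_v2` is renamed away by this patch and the README table it touches lists ESP32-S3. Nothing in the visible decorators targets S3 today, so this is a trap for whoever enables it later rather than a current failure; a comment next to the expression naming the required `sdkconfig.ci.<name>.<target>` file would help. The expression is also repeated at six call sites (the hunks at `-347`, `-408`, `-469`, `-528`, `-654` and `-730`), so a helper such as `def _cfg(env, name): return '%s.%s' % (name, env.default_dut_cls.TARGET)` would keep them in step.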
@@ -469,9 +478,9 @@ def test_examples_efuse_with_virt_secure_boot_v2_pre_loaded(env, _): # type: (t dut.expect('example: Done') -@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32s2', 'esp32c3']) +@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32s2', 'esp32c3', 'esp32c2']) def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None - dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2') + dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2.' + env.default_dut_cls.TARGET) # check and log bin size binary_file = os.path.join(dut.app.binary_path, 'bootloader', 'bootloader.bin') bin_size = os.path.getsize(binary_file) 
@@ -489,24 +498,29 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(env, _): # type: (ttfw dut.expect('Verifying image signature...') dut.expect('secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + signed_scheme = 'ECDSA' if dut.TARGET == 'esp32c2' else 'RSA-PSS' + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: enabling secure boot v2...') dut.expect('Verifying image signature...') dut.expect('secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: Secure boot digests absent, generating..') dut.expect('secure_boot_v2: Digests successfully calculated, 1 valid signatures') dut.expect('secure_boot_v2: 1 signature block(s) found appended to the bootloader') - dut.expect('Writing EFUSE_BLK_KEY0 with purpose 9') + if dut.TARGET == 'esp32c2': + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 3') + else: + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 9') dut.expect('secure_boot_v2: Digests successfully calculated, 1 valid signatures') dut.expect('secure_boot_v2: 1 signature block(s) found appended to the app') dut.expect('secure_boot_v2: Application key(0) matches with bootloader key(0)') - dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...') - dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...') + if dut.TARGET != 'esp32c2': + dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...') + dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...') dut.expect('secure_boot_v2: blowing secure boot efuse...') dut.expect('UART ROM Download mode kept enabled - SECURITY 
COMPROMISED') dut.expect('Disable hardware & software JTAG...') @@ -520,7 +534,7 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(env, _): # type: (ttfw dut.reset() dut.expect('Loading virtual efuse blocks from flash') dut.expect('Verifying image signature...') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: enabling secure boot v2...') dut.expect('secure_boot_v2: secure boot v2 is already enabled, continuing..') @@ -528,9 +542,9 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx(env, _): # type: (ttfw dut.expect('example: Done') -@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32s2', 'esp32c3']) +@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32s2', 'esp32c3', 'esp32c2']) def test_examples_efuse_with_virt_secure_boot_v2_esp32xx_pre_loaded(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None - dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2') + dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_secure_boot_v2.' + env.default_dut_cls.TARGET) print(' - Erase flash') dut.erase_flash() 
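Review bot: The ESP32-C2 differences in the `@@ -489,24 +498,29 @@` hunk are spread over three separate `dut.TARGET` checks (scheme name, digest key purpose 3 versus 9, and the skipped revoke-slot lines), and the same checks recur in the `@@ -546,28 +560,34 @@` and `@@ -750,51 +770,65 @@` hunks. Collecting them in one module-level table puts the per-target secure boot expectations in one reviewable place and stops the three copies of `signed_scheme` drifting apart. A sketch follows, using only the values already present in this hunk. The test function starts and ends outside the hunk.

```python
# Per-target Secure Boot V2 expectations, values as used by the tests in this file.
_SB_V2_DEFAULT = {'scheme': 'RSA-PSS', 'digest_purpose': 9, 'revokes_empty_slots': True}
_SB_V2_BY_TARGET = {
    'esp32c2': {'scheme': 'ECDSA', 'digest_purpose': 3, 'revokes_empty_slots': False},
}

# ... unchanged: dut setup and earlier expectations ...
sb = _SB_V2_BY_TARGET.get(dut.TARGET, _SB_V2_DEFAULT)
dut.expect('secure_boot_v2: Verifying with %s...' % sb['scheme'])
# ... unchanged: signature and digest expectations ...
dut.expect('Writing EFUSE_BLK_KEY0 with purpose %d' % sb['digest_purpose'])
# ... unchanged: app signature expectations ...
if sb['revokes_empty_slots']:
    dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...')
    dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...')
```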
@@ -546,28 +560,34 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx_pre_loaded(env, _): # print(' - Flash emul_efuse with pre-loaded efuses (SECURE_BOOT_EN 1 -> 0, SECURE_BOOT_KEY_REVOKE[0..2] -> 0)') # offsets of eFuses are taken from components/efuse/{target}/esp_efuse_table.csv - SECURE_BOOT_EN = 116 - SECURE_BOOT_KEY_REVOKE0 = 85 - SECURE_BOOT_KEY_REVOKE1 = 86 - SECURE_BOOT_KEY_REVOKE2 = 87 - # Resets eFuse, which enables Secure boot feature - # Resets eFuses, which control digest slots - erase_field_on_emul_efuse(dut, [SECURE_BOOT_EN, SECURE_BOOT_KEY_REVOKE0, SECURE_BOOT_KEY_REVOKE1, SECURE_BOOT_KEY_REVOKE2]) + if dut.TARGET == 'esp32c2': + SECURE_BOOT_EN = 53 + erase_field_on_emul_efuse(dut, [SECURE_BOOT_EN]) + else: + SECURE_BOOT_EN = 116 + SECURE_BOOT_KEY_REVOKE0 = 85 + SECURE_BOOT_KEY_REVOKE1 = 86 + SECURE_BOOT_KEY_REVOKE2 = 87 + # Resets eFuse, which enables Secure boot feature + # Resets eFuses, which control digest slots + erase_field_on_emul_efuse(dut, [SECURE_BOOT_EN, SECURE_BOOT_KEY_REVOKE0, SECURE_BOOT_KEY_REVOKE1, SECURE_BOOT_KEY_REVOKE2]) print(' - Start app (flash partition_table and app)') dut.start_app() dut.expect('Loading virtual efuse blocks from flash') dut.expect('Verifying image signature...') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + signed_scheme = 'ECDSA' if dut.TARGET == 'esp32c2' else 'RSA-PSS' + dut.expect('secure_boot_v2: Verifying with %s...' 
% signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: Secure boot digests already present') dut.expect('secure_boot_v2: Using pre-loaded public key digest in eFuse') dut.expect('secure_boot_v2: Digests successfully calculated, 1 valid signatures') dut.expect('secure_boot_v2: 1 signature block(s) found appended to the app') dut.expect('secure_boot_v2: Application key(0) matches with bootloader key(0)') - dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...') - dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...') + if dut.TARGET != 'esp32c2': + dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...') + dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...') dut.expect('secure_boot_v2: blowing secure boot efuse...') dut.expect('UART ROM Download mode kept enabled - SECURITY COMPROMISED') @@ -582,7 +602,7 @@ def test_examples_efuse_with_virt_secure_boot_v2_esp32xx_pre_loaded(env, _): # dut.reset() dut.expect('Loading virtual efuse blocks from flash') dut.expect('Verifying image signature...') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: enabling secure boot v2...') dut.expect('secure_boot_v2: secure boot v2 is already enabled, continuing..') 
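Review bot: The progress message printed just before the new `if dut.TARGET == 'esp32c2':` branch in the `@@ -546,28 +560,34 @@` hunk still says `SECURE_BOOT_EN 1 -> 0, SECURE_BOOT_KEY_REVOKE[0..2] -> 0`, but on ESP32-C2 only `SECURE_BOOT_EN` is erased. The CI log therefore misstates which emulated eFuses were reset, which is misleading when someone debugs a failed pre-loaded secure boot run. I would move the `print` into each branch, with the C2 one reading `print(' - Flash emul_efuse with pre-loaded efuses (SECURE_BOOT_EN 1 -> 0)')`. The two `# Resets eFuse...` comments now sit only in the `else` branch, so the C2 branch has no note on what bit 53 controls.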
@@ -654,7 +674,7 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(env, _): # type: (ttfw_idf.TinyF @ttfw_idf.idf_example_test(env_tag='Example_EthKitV12', target=['esp32']) def test_examples_efuse_with_virt_sb_v2_and_fe(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None # only for ESP32 ECO3 - dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_sb_v2_and_fe') + dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_sb_v2_and_fe.' + env.default_dut_cls.TARGET) # check and log bin size binary_file = os.path.join(dut.app.binary_path, 'bootloader', 'bootloader.bin') bin_size = os.path.getsize(binary_file) @@ -730,9 +750,9 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(env, _): # type: (ttfw_idf.TinyF dut.expect('example: Done') -@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32s2', 'esp32c3']) +@ttfw_idf.idf_example_test(env_tag='Example_GENERIC', target=['esp32s2', 'esp32c3', 'esp32c2']) def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(env, _): # type: (ttfw_idf.TinyFW.Env, None) -> None - dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_sb_v2_and_fe') + dut = env.get_dut('efuse', 'examples/system/efuse', app_config_name='virt_sb_v2_and_fe.' + env.default_dut_cls.TARGET) # check and log bin size binary_file = os.path.join(dut.app.binary_path, 'bootloader', 'bootloader.bin') bin_size = os.path.getsize(binary_file) 
@@ -750,51 +770,65 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(env, _): # type: (ttfw_i dut.expect('Verifying image signature...') dut.expect('secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + signed_scheme = 'ECDSA' if dut.TARGET == 'esp32c2' else 'RSA-PSS' + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: enabling secure boot v2...') dut.expect('Verifying image signature...') dut.expect('secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: Secure boot digests absent, generating..') dut.expect('secure_boot_v2: Digests successfully calculated, 1 valid signatures') dut.expect('secure_boot_v2: 1 signature block(s) found appended to the bootloader') - dut.expect('Writing EFUSE_BLK_KEY0 with purpose 9') + if dut.TARGET == 'esp32c2': + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 3') + else: + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 9') dut.expect('secure_boot_v2: Digests successfully calculated, 1 valid signatures') dut.expect('secure_boot_v2: 1 signature block(s) found appended to the app') dut.expect('secure_boot_v2: Application key(0) matches with bootloader key(0)') - dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...') - dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...') + if dut.TARGET != 'esp32c2': + dut.expect('secure_boot_v2: Revoking empty key digest slot (1)...') + dut.expect('secure_boot_v2: Revoking empty key digest slot (2)...') dut.expect('secure_boot_v2: blowing secure boot efuse...') dut.expect('UART ROM Download mode kept enabled - SECURITY 
COMPROMISED') dut.expect('Disable hardware & software JTAG...') - dut.expect('secure_boot_v2: Secure boot permanently enabled') + + if dut.TARGET != 'esp32c2': + dut.expect('secure_boot_v2: Secure boot permanently enabled') dut.expect('Checking flash encryption...') dut.expect('flash_encrypt: Generating new flash encryption key...') - dut.expect('Writing EFUSE_BLK_KEY1 with purpose 4') + if dut.TARGET == 'esp32c2': + dut.expect('Writing EFUSE_BLK_KEY0 with purpose 2') + else: + dut.expect('Writing EFUSE_BLK_KEY1 with purpose 4') + dut.expect('Not disabling UART bootloader encryption') dut.expect('Disable UART bootloader cache...') dut.expect('Disable JTAG...') + if dut.TARGET == 'esp32c2': + dut.expect('boot: Secure boot permanently enabled') + dut.expect('Verifying image signature...') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('flash_encrypt: bootloader encrypted successfully') dut.expect('flash_encrypt: partition table encrypted and loaded successfully') dut.expect('Verifying image signature...') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('flash_encrypt: Flash encryption completed', timeout=90) dut.expect('Resetting with flash encryption enabled...') dut.expect('Loading virtual efuse blocks from flash') dut.expect('Verifying image signature...') - dut.expect('secure_boot_v2: Verifying with RSA-PSS...') + dut.expect('secure_boot_v2: Verifying with %s...' % signed_scheme) dut.expect('secure_boot_v2: Signature verified successfully!') dut.expect('secure_boot_v2: enabling secure boot v2...') dut.expect('secure_boot_v2: secure boot v2 is already enabled, continuing..') 
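Review bot: For ESP32-C2 the `@@ -750,51 +770,65 @@` hunk expects `Writing EFUSE_BLK_KEY0 with purpose 3` and later `Writing EFUSE_BLK_KEY0 with purpose 2`, the same key block twice, and it moves the `Secure boot permanently enabled` expectation after the flash-encryption lines under a different log tag (`boot:` instead of `secure_boot_v2:`). Without a comment this reads like a copy-paste slip. The `efuse_main.c` change in this patch logs that BLOCK3 is used for secure boot and/or flash encryption on this target, which is presumably the reason. A line such as `# ESP32-C2: secure boot digest and flash encryption key share one key block, hence KEY0 twice and the later 'permanently enabled' message` above the first C2 branch would record the intent. The test body starts and ends outside the hunk.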
diff --git a/examples/system/efuse/main/efuse_main.c b/examples/system/efuse/main/efuse_main.c index 1a5c290f07..8c24a407d9 100644 --- a/examples/system/efuse/main/efuse_main.c +++ b/examples/system/efuse/main/efuse_main.c @@ -15,6 +15,10 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_efuse_custom_table.h" +#if CONFIG_IDF_TARGET_ESP32C2 +#include "esp_secure_boot.h" +#include "esp_flash_encrypt.h" +#endif #include "sdkconfig.h" static const char* TAG = "example"; @@ -138,6 +142,16 @@ void app_main(void) read_efuse_fields(&device_desc); ESP_LOGW(TAG, "This example does not burn any efuse in reality only virtually"); + +#if CONFIG_IDF_TARGET_ESP32C2 + if (esp_secure_boot_enabled() || esp_flash_encryption_enabled()) { + ESP_LOGW(TAG, "BLOCK3 is used for secure boot or/and flash encryption"); + ESP_LOGW(TAG, "eFuses from the custom eFuse table can not be used as they are placed in BLOCK3"); + ESP_LOGI(TAG, "Done"); + return; + } +#endif + #ifdef CONFIG_EFUSE_VIRTUAL ESP_LOGW(TAG, "Write operations in efuse fields are performed virtually"); if (device_desc.device_role == 0) { diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32 new file mode 100644 index 0000000000..4abf5fcc95 --- /dev/null +++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32 @@ -0,0 +1,21 @@ +# FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH + +CONFIG_IDF_TARGET="esp32" + +# ESP32 supports SECURE_BOOT_V2 only in ECO3 +CONFIG_ESP32_REV_MIN_3=y +CONFIG_ESP32_REV_MIN=3 + +CONFIG_PARTITION_TABLE_OFFSET=0xD000 +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv" + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem" + +CONFIG_SECURE_FLASH_ENC_ENABLED=y + +# IMPORTANT: ONLY VIRTUAL eFuse MODE! +CONFIG_EFUSE_VIRTUAL=y +CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y 
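Review bot: The added `#if CONFIG_IDF_TARGET_ESP32C2` guard around the two new includes is evaluated before `#include "sdkconfig.h"`, which is the very next line in the `@@ -15,6 +15,10 @@` hunk. It works only if an earlier header already pulls in `sdkconfig.h`; if none does, the macro is undefined at that point, the includes are skipped, and the `esp_secure_boot_enabled()` and `esp_flash_encryption_enabled()` calls added in the `@@ -138,6 +142,16 @@` hunk have no declaration. Moving `#include "sdkconfig.h"` above the guard removes the dependency on transitive includes. Only the tail of the include list is visible, so whether an earlier header includes it cannot be confirmed from the hunk.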
diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2 new file mode 100644 index 0000000000..2be2ad7ea4 --- /dev/null +++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c2 @@ -0,0 +1,17 @@ +# FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH + +CONFIG_IDF_TARGET="esp32c2" + +CONFIG_PARTITION_TABLE_OFFSET=0xD000 +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv" + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key_ecdsa_nistp256.pem" + +CONFIG_SECURE_FLASH_ENC_ENABLED=y + +# IMPORTANT: ONLY VIRTUAL eFuse MODE! +CONFIG_EFUSE_VIRTUAL=y +CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3 similarity index 85% rename from examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe rename to examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3 index 1f7b03c551..04c2764dfd 100644 --- a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe +++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32c3 @@ -1,8 +1,7 @@ # FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH -# ESP32 supports SECURE_BOOT_V2 only in ECO3 -CONFIG_ESP32_REV_MIN_3=y -CONFIG_ESP32_REV_MIN=3 +CONFIG_IDF_TARGET="esp32c3" + # ESP32C3 supports SECURE_BOOT_V2 only in ECO3 CONFIG_ESP32C3_REV_MIN_3=y CONFIG_ESP32C3_REV_MIN=3 diff --git a/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2 b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2 new file mode 100644 index 0000000000..1ba66bfa5a --- /dev/null +++ b/examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32s2 
@@ -0,0 +1,17 @@
+# FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH
+
+CONFIG_IDF_TARGET="esp32s2"
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+
+# IMPORTANT: ONLY VIRTUAL eFuse MODE!
+CONFIG_EFUSE_VIRTUAL=y
+CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y
diff --git a/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32 b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32
new file mode 100644
index 0000000000..da26487548
--- /dev/null
+++ b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32
@@ -0,0 +1,20 @@
+# SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH
+
+CONFIG_IDF_TARGET="esp32"
+
+# ESP32 supports SECURE_BOOT_V2 only in ECO3
+CONFIG_ESP32_REV_MIN_3=y
+CONFIG_ESP32_REV_MIN=3
+
+CONFIG_PARTITION_TABLE_OFFSET=0xC000
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y
+
+# IMPORTANT: ONLY VIRTUAL eFuse MODE!
+CONFIG_EFUSE_VIRTUAL=y
+CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y
diff --git a/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32c2 b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32c2
new file mode 100644
index 0000000000..6d8478ce4c
--- /dev/null
+++ b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32c2
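Review bot: `CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y` in the new `sdkconfig.ci.virt_secure_boot_v2.esp32` carries no comment, although it appears to be the option behind the `UART ROM Download mode kept enabled - SECURITY COMPROMISED` line the tests expect. Example configs tend to be copied into real projects, so I would put `# CI only: leaves UART ROM download mode enabled; do not set this on a production device with secure boot` directly above it. The same line appears uncommented in the `.esp32c2` and `.esp32s2` variants added by this patch.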
@@ -0,0 +1,16 @@ +# SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH + +CONFIG_IDF_TARGET="esp32c2" + +CONFIG_PARTITION_TABLE_OFFSET=0xC000 +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv" + +CONFIG_SECURE_BOOT=y +CONFIG_SECURE_BOOT_V2_ENABLED=y +CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key_ecdsa_nistp256.pem" +CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y + +# IMPORTANT: ONLY VIRTUAL eFuse MODE! +CONFIG_EFUSE_VIRTUAL=y +CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y diff --git a/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2 b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32c3 similarity index 85% rename from examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2 rename to examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32c3 index 1f31177a3b..35dc608a61 100644 --- a/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2 +++ b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32c3 @@ -1,8 +1,7 @@ # SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH -# ESP32 supports SECURE_BOOT_V2 only in ECO3 -CONFIG_ESP32_REV_MIN_3=y -CONFIG_ESP32_REV_MIN=3 +CONFIG_IDF_TARGET="esp32c3" + # ESP32C3 supports SECURE_BOOT_V2 only in ECO3 CONFIG_ESP32C3_REV_MIN_3=y CONFIG_ESP32C3_REV_MIN=3 diff --git a/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32s2 b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32s2 new file mode 100644 index 0000000000..53b1cbcdd6 --- /dev/null +++ b/examples/system/efuse/sdkconfig.ci.virt_secure_boot_v2.esp32s2 
@@ -0,0 +1,16 @@
+# SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH
+
+CONFIG_IDF_TARGET="esp32s2"
+
+CONFIG_PARTITION_TABLE_OFFSET=0xC000
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y
+
+# IMPORTANT: ONLY VIRTUAL eFuse MODE!
+CONFIG_EFUSE_VIRTUAL=y
+CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y
diff --git a/examples/system/efuse/test/secure_boot_signing_key_ecdsa_nistp256.pem b/examples/system/efuse/test/secure_boot_signing_key_ecdsa_nistp256.pem
new file mode 100644
index 0000000000..b885d6c6bc
--- /dev/null
+++ b/examples/system/efuse/test/secure_boot_signing_key_ecdsa_nistp256.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKbc9BxtbY3xeDA9J5PCCsPIk7pcTDylSQEzH2qXYcNCoAoGCCqGSM49
+AwEHoUQDQgAEU9yRNPfLJd3+ZsvdjWMqQgGmmccAnwBtb+IJz8KkbbXys38S7D+z
+5MLc+VY2AwGXNUyd0myLInojX2SKUOsOfw==
+-----END EC PRIVATE KEY-----
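Review bot: The `secure_boot_signing_key_ecdsa_nistp256.pem` hunk commits an EC private key, so the key is public from the moment the patch lands and a signature made with it proves nothing about who built an image. That is acceptable for the virtual-eFuse CI configs that reference it, but neither the file name nor the two `sdkconfig.ci.*.esp32c2` files say so. I would add `# Test-only signing key, published in this repository; never use it to sign images for real devices` above `CONFIG_SECURE_BOOT_SIGNING_KEY=...` in both C2 configs and mention it in the example README. Secret scanners are likely to flag this file, so an allow-list entry with that justification is worth adding alongside.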