blackbeard420/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf synced 2025-04-14 10:40:10 -04:00
Code Issues Projects Releases Wiki Activity

flash encryption: add option to require flash encryption to be enabled

Browse Source 
In testing environment, to avoid accidentally enabling flash
encryption on a device, CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
can be set. If set, the bootloader will refuse to boot if flash
encryption is not enabled, instead of enabling it.
This commit is contained in:
Ivan Grokhotkov 2019-07-27 08:55:30 +02:00
parent a37694741c
commit a0256b9e9d
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
components/bootloader/Kconfig.projbuild
View File

@ -515,6 +515,20 @@ menu "Security features"
Only set this option in testing environments. Only set this option in testing environments.
config SECURE_FLASH_REQUIRE_ALREADY_ENABLED
bool "Require flash encryption to be already enabled"
depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
default N
help
If not set (default), and flash encryption is not yet enabled in eFuses, the 2nd stage bootloader
will enable flash encryption: generate the flash encryption key and program eFuses.
If this option is set, and flash encryption is not yet enabled, the bootloader will error out and
reboot.
If flash encryption is enabled in eFuses, this option does not change the bootloader behavior.
Only use this option in testing environments, to avoid accidentally enabling flash encryption on
the wrong device. The device needs to have flash encryption already enabled using espefuse.py.
endmenu # Potentially Insecure endmenu # Potentially Insecure
endmenu # Security features endmenu # Security features

8
components/bootloader_support/src/esp32/flash_encrypt.c
View File

@ -37,7 +37,7 @@ static const char *TAG = "flash_encrypt";
/* Static functions for stages of flash encryption */ /* Static functions for stages of flash encryption */
static esp_err_t initialise_flash_encryption(void); static esp_err_t initialise_flash_encryption(void);
static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis); static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis) __attribute__((unused));
static esp_err_t encrypt_bootloader(); static esp_err_t encrypt_bootloader();
static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions); static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions);
static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition); static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition);
@ -60,8 +60,14 @@ esp_err_t esp_flash_encrypt_check_and_update(void)
return ESP_OK; return ESP_OK;
} }
else { else {
#ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
/* Flash is not encrypted, so encrypt it! */ /* Flash is not encrypted, so encrypt it! */
return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis); return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis);
#else
ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED "
"is set, refusing to boot.");
return ESP_ERR_INVALID_STATE;
#endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
} }
} }