Enable secure boot only after encrypting flash

This prevents a device from being bricked in case when both secure boot & flash encryption are enabled and encryption gets interrupted during first boot. After interruption, all partitions on the device need to be reflashed (including the bootloader). List of changes: * Secure boot key generation and bootloader digest generation logic, implemented inside function esp_secure_boot_permanently_enable(), has been pulled out into new API esp_secure_boot_generate_digest(). The enabling of R/W protection of secure boot key on EFUSE still happens inside esp_secure_boot_permanently_enable() * Now esp_secure_boot_permanently_enable() is called only after flash encryption process completes * esp_secure_boot_generate_digest() is called before flash encryption process starts
2025-08-13 05:47:11 +00:00 · 2019-04-04 15:25:22 +05:30
parent a9425cd045
commit 62b0d51c02
4 changed files with 145 additions and 33 deletions
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -224,18 +224,18 @@ static esp_err_t encrypt_bootloader()
            return err;
        }

-        if (esp_secure_boot_enabled()) {
-            /* If secure boot is enabled and bootloader was plaintext, also
-               need to encrypt secure boot IV+digest.
-            */
-            ESP_LOGD(TAG, "Encrypting secure bootloader IV & digest...");
-            err = esp_flash_encrypt_region(FLASH_OFFS_SECURE_BOOT_IV_DIGEST,
-                                           FLASH_SECTOR_SIZE);
-            if (err != ESP_OK) {
-                ESP_LOGE(TAG, "Failed to encrypt bootloader IV & digest in place: 0x%x", err);
-                return err;
-            }
+#ifdef CONFIG_SECURE_BOOT_ENABLED
+        /* If secure boot is enabled and bootloader was plaintext, also
+         * need to encrypt secure boot IV+digest.
+         */
+        ESP_LOGD(TAG, "Encrypting secure bootloader IV & digest...");
+        err = esp_flash_encrypt_region(FLASH_OFFS_SECURE_BOOT_IV_DIGEST,
+                                       FLASH_SECTOR_SIZE);
+        if (err != ESP_OK) {
+            ESP_LOGE(TAG, "Failed to encrypt bootloader IV & digest in place: 0x%x", err);
+            return err;
        }
+#endif
    }
    else {
        ESP_LOGW(TAG, "no valid bootloader was found");