bootloader/flash_encrypt: added esp32s2 flash encryption code on build system and enabled example

flash_enctryption: enabled flash encryption example on esp32s2 bootloader: raise WDT overflow value providing sufficient interval to encrypt app partition flash_ encrypt: Fixed the TODOs on flash encryption key generation for esp32s2 flash_encryption: added secure boot features to flash enctryption for esp32s2 bootloader: leave only esp32s2 compatible potentially insecure options on menuconfig. flash_encryption: removed secure boot version 1 from esp32s2 encryption code flash_encryption: added CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED option for esp32s2 flash_encryption: fixed the count of left plaintext flash flash_encryption: disable dcache and icache download when using encryption in release mode flash_encryption: add cache potentally insecure options for s2 chips flash_encryption: fixed bug which bricked some chips in relase mode
2025-08-15 06:26:49 +00:00 · 2020-03-11 14:48:56 -03:00
parent cd1aba595e
commit 7635dce502
5 changed files with 125 additions and 51 deletions
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -20,6 +20,14 @@
 #include "esp_flash_encrypt.h"
 #include "esp_secure_boot.h"

+#if CONFIG_IDF_TARGET_ESP32
+#define CRYPT_CNT ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT
+#define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT
+#elif CONFIG_IDF_TARGET_ESP32S2
+#define CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
+#define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
+#endif
+
 #ifndef BOOTLOADER_BUILD
 static const char *TAG = "flash_encrypt";

@@ -34,7 +42,7 @@ void esp_flash_encryption_init_checks()
 #ifdef CONFIG_SECURE_BOOT
    if (esp_secure_boot_enabled() && esp_flash_encryption_enabled()) {
        uint8_t flash_crypt_cnt_wr_dis = 0;
-        esp_efuse_read_field_blob(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT, &flash_crypt_cnt_wr_dis, 1);
+        esp_efuse_read_field_blob(CRYPT_CNT, &flash_crypt_cnt_wr_dis, 1);
        if (!flash_crypt_cnt_wr_dis) {
            ESP_EARLY_LOGE(TAG, "Flash encryption & Secure Boot together requires FLASH_CRYPT_CNT efuse to be write protected. Fixing now...");
            esp_flash_write_protect_crypt_cnt();
@@ -62,22 +70,33 @@ void esp_flash_encryption_init_checks()
 void esp_flash_write_protect_crypt_cnt(void)
 {
    uint8_t flash_crypt_cnt_wr_dis = 0;
-    esp_efuse_read_field_blob(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT, &flash_crypt_cnt_wr_dis, 1);
+
+    esp_efuse_read_field_blob(CRYPT_CNT, &flash_crypt_cnt_wr_dis, 1);
+
    if (!flash_crypt_cnt_wr_dis) {
-        esp_efuse_write_field_cnt(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT, 1);
+        esp_efuse_write_field_cnt(WR_DIS_CRYPT_CNT, 1);
    }
 }

 esp_flash_enc_mode_t esp_get_flash_encryption_mode(void)
 {
    uint8_t efuse_flash_crypt_cnt_wr_protected = 0;
+#if CONFIG_IDF_TARGET_ESP32   
    uint8_t dis_dl_enc = 0, dis_dl_dec = 0, dis_dl_cache = 0;
+#elif CONFIG_IDF_TARGET_ESP32S2
+    uint8_t  dis_dl_enc = 0; 
+    uint32_t dis_dl_cache = 0; 
+#endif
+
    esp_flash_enc_mode_t mode = ESP_FLASH_ENC_MODE_DEVELOPMENT;

    if (esp_flash_encryption_enabled()) {
        /* Check if FLASH CRYPT CNT is write protected */
-        esp_efuse_read_field_blob(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT, &efuse_flash_crypt_cnt_wr_protected, 1);
+        esp_efuse_read_field_blob(WR_DIS_CRYPT_CNT, &efuse_flash_crypt_cnt_wr_protected, 1);
+
        if (efuse_flash_crypt_cnt_wr_protected) {
+
+#if CONFIG_IDF_TARGET_ESP32
            esp_efuse_read_field_blob(ESP_EFUSE_DISABLE_DL_CACHE, &dis_dl_cache, 1);
            esp_efuse_read_field_blob(ESP_EFUSE_DISABLE_DL_ENCRYPT, &dis_dl_enc, 1);
            esp_efuse_read_field_blob(ESP_EFUSE_DISABLE_DL_DECRYPT, &dis_dl_dec, 1);
@@ -85,6 +104,15 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void)
            if ( dis_dl_cache && dis_dl_enc && dis_dl_dec ) {
                mode = ESP_FLASH_ENC_MODE_RELEASE;
            }
+#elif CONFIG_IDF_TARGET_ESP32S2
+            esp_efuse_read_field_blob(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT, &dis_dl_enc, 1);
+            esp_efuse_read_field_blob(ESP_EFUSE_DIS_DOWNLOAD_ICACHE, &dis_dl_cache, 1);
+            esp_efuse_read_field_blob(ESP_EFUSE_DIS_DOWNLOAD_DCACHE, &dis_dl_cache, 1);
+
+            if (dis_dl_enc && (dis_dl_cache & (EFUSE_DIS_DOWNLOAD_DCACHE | EFUSE_DIS_DOWNLOAD_ICACHE))) {
+                mode = ESP_FLASH_ENC_MODE_RELEASE;
+            }
+#endif            
        }
    } else {
        mode = ESP_FLASH_ENC_MODE_DISABLED;