Flash encryption: Support enabling flash encryption in bootloader, app support

* App access functions are all flash encryption-aware * Documentation for flash encryption * Partition read/write is flash aware * New encrypted write function
2025-08-23 01:10:46 +00:00 · 2016-11-11 17:00:34 +11:00
parent bd20288b81
commit 9eb135fd73
36 changed files with 1511 additions and 404 deletions
--- a/components/bootloader_support/src/bootloader_flash.c
+++ b/components/bootloader_support/src/bootloader_flash.c
@@ -46,38 +46,68 @@ void bootloader_munmap(const void *mapping)
    map = 0;
 }

-esp_err_t bootloader_flash_read(size_t src, void *dest, size_t size)
+esp_err_t bootloader_flash_read(size_t src, void *dest, size_t size, bool allow_decrypt)
 {
    return spi_flash_read(src, dest, size);
 }

+esp_err_t bootloader_flash_write(size_t dest_addr, void *src, size_t size, bool write_encrypted)
+{
+    if (write_encrypted) {
+        return spi_flash_write_encrypted(dest_addr, src, size);
+    } else {
+        return spi_flash_write(dest_addr, src, size);
+    }
+}
+
+esp_err_t bootloader_flash_erase_sector(size_t sector)
+{
+    return spi_flash_erase_sector(sector);
+}
+
 #else
 /* Bootloader version, uses ROM functions only */
+#include <soc/dport_reg.h>
 #include <rom/spi_flash.h>
 #include <rom/cache.h>

 static const char *TAG = "bootloader_flash";

+/* Use first 50 blocks in MMU for bootloader_mmap,
+   50th block for bootloader_flash_read
+*/
+#define MMU_BLOCK0_VADDR  0x3f400000
+#define MMU_BLOCK50_VADDR 0x3f720000
+#define MMU_FLASH_MASK    0xffff0000
+#define MMU_BLOCK_SIZE    0x00010000
+
 static bool mapped;

+static uint32_t current_read_mapping = UINT32_MAX;
+
 const void *bootloader_mmap(uint32_t src_addr, uint32_t size)
 {
    if (mapped) {
        ESP_LOGE(TAG, "tried to bootloader_mmap twice");
        return NULL; /* can't map twice */
    }
+    if (size > 0x320000) {
+        /* Allow mapping up to 50 of the 51 available MMU blocks (last one used for reads) */
+        ESP_LOGE(TAG, "bootloader_mmap excess size %x", size);
+        return NULL;
+    }

-    uint32_t src_addr_aligned = src_addr & 0xffff0000;
-    uint32_t count = (size + (src_addr - src_addr_aligned) + 0xffff) / 0x10000;
+    uint32_t src_addr_aligned = src_addr & MMU_FLASH_MASK;
+    uint32_t count = (size + (src_addr - src_addr_aligned) + 0xffff) / MMU_BLOCK_SIZE;
    Cache_Read_Disable(0);
    Cache_Flush(0);
    ESP_LOGD(TAG, "mmu set paddr=%08x count=%d", src_addr_aligned, count );
-    cache_flash_mmu_set( 0, 0, 0x3f400000, src_addr_aligned, 64, count );
+    cache_flash_mmu_set( 0, 0, MMU_BLOCK0_VADDR, src_addr_aligned, 64, count );
    Cache_Read_Enable( 0 );

    mapped = true;

-    return (void *)(0x3f400000 + (src_addr - src_addr_aligned));
+    return (void *)(MMU_BLOCK0_VADDR + (src_addr - src_addr_aligned));
 }

 void bootloader_munmap(const void *mapping)
@@ -88,25 +118,12 @@ void bootloader_munmap(const void *mapping)
        Cache_Flush(0);
        mmu_init(0);
        mapped = false;
+        current_read_mapping = UINT32_MAX;
    }
 }

-esp_err_t bootloader_flash_read(size_t src_addr, void *dest, size_t size)
+static esp_err_t spi_to_esp_err(SpiFlashOpResult r)
 {
-    if(src_addr & 3) {
-        ESP_LOGE(TAG, "bootloader_flash_read src_addr 0x%x not 4-byte aligned", src_addr);
-        return ESP_FAIL;
-    }
-    if((intptr_t)dest & 3) {
-        ESP_LOGE(TAG, "bootloader_flash_read dest 0x%x not 4-byte aligned", (intptr_t)dest);
-        return ESP_FAIL;
-    }
-
-    Cache_Read_Disable(0);
-    Cache_Flush(0);
-    SpiFlashOpResult r = SPIRead(src_addr, dest, size);
-    Cache_Read_Enable(0);
-
    switch(r) {
    case SPI_FLASH_RESULT_OK:
        return ESP_OK;
@@ -119,4 +136,101 @@ esp_err_t bootloader_flash_read(size_t src_addr, void *dest, size_t size)
    }
 }

+static esp_err_t bootloader_flash_read_no_decrypt(size_t src_addr, void *dest, size_t size)
+{
+    Cache_Read_Disable(0);
+    Cache_Flush(0);
+    SpiFlashOpResult r = SPIRead(src_addr, dest, size);
+    Cache_Read_Enable(0);
+
+    return spi_to_esp_err(r);
+}
+
+static esp_err_t bootloader_flash_read_allow_decrypt(size_t src_addr, void *dest, size_t size)
+{
+    uint32_t *dest_words = (uint32_t *)dest;
+
+    /* Use the 51st MMU mapping to read from flash in 64KB blocks.
+       (MMU will transparently decrypt if encryption is enabled.)
+    */
+    for (int word = 0; word < size / 4; word++) {
+        uint32_t word_src = src_addr + word * 4;  /* Read this offset from flash */
+        uint32_t map_at = word_src & MMU_FLASH_MASK; /* Map this 64KB block from flash */
+        uint32_t *map_ptr;
+        if (map_at != current_read_mapping) {
+            /* Move the 64KB mmu mapping window to fit map_at */
+            Cache_Read_Disable(0);
+            Cache_Flush(0);
+            ESP_LOGD(TAG, "mmu set block paddr=0x%08x (was 0x%08x)", map_at, current_read_mapping);
+            int e = cache_flash_mmu_set(0, 0, MMU_BLOCK50_VADDR, map_at, 64, 1);
+            if (e != 0) {
+                ESP_LOGE(TAG, "cache_flash_mmu_set failed: %d\n", e);
+                Cache_Read_Enable(0);
+                return ESP_FAIL;
+            }
+            current_read_mapping = map_at;
+            Cache_Read_Enable(0);
+        }
+        map_ptr = (uint32_t *)(MMU_BLOCK50_VADDR + (word_src - map_at));
+        dest_words[word] = *map_ptr;
+    }
+    return ESP_OK;
+}
+
+esp_err_t bootloader_flash_read(size_t src_addr, void *dest, size_t size, bool allow_decrypt)
+{
+    if (src_addr & 3) {
+        ESP_LOGE(TAG, "bootloader_flash_read src_addr 0x%x not 4-byte aligned", src_addr);
+        return ESP_FAIL;
+    }
+    if (size & 3) {
+        ESP_LOGE(TAG, "bootloader_flash_read size 0x%x not 4-byte aligned", size);
+        return ESP_FAIL;
+    }
+    if ((intptr_t)dest & 3) {
+        ESP_LOGE(TAG, "bootloader_flash_read dest 0x%x not 4-byte aligned", (intptr_t)dest);
+        return ESP_FAIL;
+    }
+
+    if (allow_decrypt) {
+        return bootloader_flash_read_allow_decrypt(src_addr, dest, size);
+    } else {
+        return bootloader_flash_read_no_decrypt(src_addr, dest, size);
+    }
+}
+
+esp_err_t bootloader_flash_write(size_t dest_addr, void *src, size_t size, bool write_encrypted)
+{
+    esp_err_t err;
+    size_t alignment = write_encrypted ? 32 : 4;
+    if ((dest_addr % alignment) != 0) {
+        ESP_LOGE(TAG, "bootloader_flash_write dest_addr 0x%x not %d-byte aligned", dest_addr, alignment);
+        return ESP_FAIL;
+    }
+    if ((size % alignment) != 0) {
+        ESP_LOGE(TAG, "bootloader_flash_write size 0x%x not %d-byte aligned", size, alignment);
+        return ESP_FAIL;
+    }
+    if (((intptr_t)src % 4) != 0) {
+        ESP_LOGE(TAG, "bootloader_flash_write src 0x%x not 4 byte aligned", (intptr_t)src);
+        return ESP_FAIL;
+    }
+
+    err = spi_to_esp_err(SPIUnlock());
+    if (err != ESP_OK) {
+        return err;
+    }
+
+    if (write_encrypted) {
+        return spi_to_esp_err(SPI_Encrypt_Write(dest_addr, src, size));
+    } else {
+        return spi_to_esp_err(SPIWrite(dest_addr, src, size));
+    }
+}
+
+esp_err_t bootloader_flash_erase_sector(size_t sector)
+{
+    return spi_to_esp_err(SPIEraseSector(sector));
+}
+
 #endif