alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-23 01:10:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

flash encryption: add option to require flash encryption to be enabled

Browse Source 
In testing environment, to avoid accidentally enabling flash
encryption on a device, CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
can be set. If set, the bootloader will refuse to boot if flash
encryption is not enabled, instead of enabling it.
This commit is contained in:
Ivan Grokhotkov
2019-07-27 08:55:30 +02:00
parent a37694741c
commit a0256b9e9d
2 changed files with 21 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
components/bootloader_support/src/esp32/flash_encrypt.c
View File

@@ -37,7 +37,7 @@ static const char *TAG = "flash_encrypt";
/* Static functions for stages of flash encryption */
static esp_err_t initialise_flash_encryption(void);
static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis);
static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis) __attribute__((unused));
static esp_err_t encrypt_bootloader();
static esp_err_t encrypt_and_load_partition_table(esp_partition_info_t *partition_table, int *num_partitions);
static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition);
@@ -60,8 +60,14 @@ esp_err_t esp_flash_encrypt_check_and_update(void)
return ESP_OK;
}
else {
#ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
/* Flash is not encrypted, so encrypt it! */
return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis);
#else
ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED "
"is set, refusing to boot.");
return ESP_ERR_INVALID_STATE;
#endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
}
}