alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-10 20:54:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(security): Enable Flash encryption for ESP32P4

Browse Source
This commit is contained in:
Aditya Patwardhan
2023-11-06 18:54:22 +05:30
committed by Mahavir Jain
parent e09d50d244
commit a84234c23f
9 changed files with 49 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
components/bootloader_support/src/flash_encrypt.c
View File

@@ -137,16 +137,14 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void)
}
#else
if (esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT)
#if CONFIG_IDF_TARGET_ESP32P4
//TODO: IDF-7545
#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
&& esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS)
#else
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
&& esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE)
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
&& esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE)
#endif
#endif
) {
mode = ESP_FLASH_ENC_MODE_RELEASE;
@@ -192,17 +190,15 @@ void esp_flash_encryption_set_release_mode(void)
esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
#else
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
#if CONFIG_IDF_TARGET_ESP32P4
//TODO: IDF-7545
#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
esp_efuse_write_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
#else
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
#endif
#endif
#ifdef CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
// For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0.
// It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit.
@@ -345,14 +341,13 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
}
#endif
#if CONFIG_IDF_TARGET_ESP32P4
//TODO: IDF-7545
#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
secure = esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader download mspi (set DIS_DOWNLOAD_MSPI->1)");
}
#else
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
result &= secure;
@@ -360,7 +355,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
}
#endif
#endif
#if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);

13
components/bootloader_support/src/flash_encryption/flash_encrypt.c
View File

@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -15,6 +15,11 @@
#include "esp_efuse_table.h"
#include "esp_log.h"
#include "hal/wdt_hal.h"
#if CONFIG_IDF_TARGET_ESP32P4 //TODO-IDF-7925
#include "soc/keymng_reg.h"
#endif
#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
#include "soc/sensitive_reg.h"
#endif
@@ -209,6 +214,12 @@ static esp_err_t check_and_generate_encryption_keys(void)
}
ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse");
}
#if CONFIG_IDF_TARGET_ESP32P4 //TODO - IDF-7925
// Force Key Manager to use eFuse key for XTS-AES operation
REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
#endif
return ESP_OK;
}