alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-16 06:54:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(security): Enable Flash encryption for ESP32P4

Browse Source
This commit is contained in:
Aditya Patwardhan
2023-11-06 18:54:22 +05:30
committed by Mahavir Jain
parent e09d50d244
commit a84234c23f
9 changed files with 49 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
components/bootloader_support/src/flash_encrypt.c
View File

@@ -137,16 +137,14 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void)
}
#else
if (esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT)
#if CONFIG_IDF_TARGET_ESP32P4
//TODO: IDF-7545
#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
&& esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS)
#else
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
&& esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE)
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
&& esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE)
#endif
#endif
) {
mode = ESP_FLASH_ENC_MODE_RELEASE;
@@ -192,17 +190,15 @@ void esp_flash_encryption_set_release_mode(void)
esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
#else
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
#if CONFIG_IDF_TARGET_ESP32P4
//TODO: IDF-7545
#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
esp_efuse_write_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
#else
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
#endif
#endif
#ifdef CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
// For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0.
// It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit.
@@ -345,14 +341,13 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
}
#endif
#if CONFIG_IDF_TARGET_ESP32P4
//TODO: IDF-7545
#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
secure = esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
result &= secure;
if (!secure) {
ESP_LOGW(TAG, "Not disabled UART bootloader download mspi (set DIS_DOWNLOAD_MSPI->1)");
}
#else
#endif
#if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
result &= secure;
@@ -360,7 +355,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
}
#endif
#endif
#if SOC_EFUSE_DIS_PAD_JTAG
secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);