alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-11-02 13:45:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(security): Enable Flash encryption for ESP32P4

Browse Source
This commit is contained in:
Aditya Patwardhan
2023-11-06 18:54:22 +05:30
committed by Mahavir Jain
parent e09d50d244
commit a84234c23f
9 changed files with 49 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/en/security/flash-encryption.rst
View File

@@ -929,6 +929,7 @@ On the first boot, the flash encryption process burns by default the following e
:SOC_EFUSE_DIS_PAD_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``DIS_PAD_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
:SOC_EFUSE_HARD_DIS_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``HARD_DIS_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
- ``DIS_DIRECT_BOOT`` (old name ``DIS_LEGACY_SPI_BOOT``) which disables direct boot mode
:SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI`` which disables the MSPI access in download mode.
However, before the first boot you can choose to keep any of these features enabled by burning only selected eFuses and write-protect the rest of eFuses with unset value 0. For example:

1
docs/en/security/host-based-security-workflows.rst
View File

@@ -290,6 +290,7 @@ In this case, all the eFuses related to flash encryption are written with help o
:SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG
:SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently
:not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``: Disable UART bootloader encryption access
:SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``: Disable the MSPI access in download mode
The respective eFuses can be burned by running: