alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-10 04:43:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

paritition_table: Verify the partition table md5sum when loading the app

Browse Source 
Additionally, always enable the partition MD5 check if flash encryption is on in
Release mode. This ensures the partition table ciphertext has not been modified
(CVE-2021-27926).

The exception is pre-V3.1 ESP-IDF bootloaders and partition tables, which
don't have support for the MD5 entry.
This commit is contained in:
Angus Gratton
2021-02-04 11:12:04 +11:00
parent b23f8e21cd
commit c572e0bf5f
8 changed files with 145 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
components/esp32/Kconfig
View File

@@ -794,10 +794,11 @@ menu "ESP32-specific"
that after enabling this Wi-Fi/Bluetooth will not work.
config ESP32_COMPATIBLE_PRE_V2_1_BOOTLOADERS
bool "App compatible with bootloaders before IDF v2.1"
bool "App compatible with bootloaders before ESP-IDF v2.1"
select ESP32_COMPATIBLE_PRE_V3_1_BOOTLOADERS
default n
help
Bootloaders before IDF v2.1 did less initialisation of the
Bootloaders before ESP-IDF v2.1 did less initialisation of the
system clock. This setting needs to be enabled to build an app
which can be booted by these older bootloaders.
@@ -809,6 +810,22 @@ menu "ESP32-specific"
Enabling this setting adds approximately 1KB to the app's IRAM usage.
config ESP32_COMPATIBLE_PRE_V3_1_BOOTLOADERS
bool "App compatible with bootloader and partition table before ESP-IDF v3.1"
default n
help
Partition tables before ESP-IDF V3.1 do not contain an MD5 checksum
field, and the bootloader before ESP-IDF v3.1 cannot read a partition
table that contains an MD5 checksum field.
Enable this option only if your app needs to boot on a bootloader and/or
partition table that was generated from a version *before* ESP-IDF v3.1.
If this option and Flash Encryption are enabled at the same time, and any
data partitions in the partition table are marked Encrypted, then the
partition encrypted flag should be manually verified in the app before accessing
the partition (see CVE-2021-27926).
config ESP32_RTCDATA_IN_FAST_MEM
bool "Place RTC_DATA_ATTR and RTC_RODATA_ATTR variables into RTC fast memory segment"
default n