Flash encryption / secure boot: Temporarily disable on-device key generation

Will be enabled after seeding of HWRNG in bootloader is fully tested/qualified.
2025-08-11 04:57:38 +00:00 · 2016-12-01 23:16:34 -08:00
parent f62b83fb77
commit ceb8566970
4 changed files with 14 additions and 27 deletions
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -78,19 +78,12 @@ static esp_err_t initialise_flash_encryption(void)
        && REG_READ(EFUSE_BLK1_RDATA5_REG) == 0
        && REG_READ(EFUSE_BLK1_RDATA6_REG) == 0
        && REG_READ(EFUSE_BLK1_RDATA7_REG) == 0) {
-        ESP_LOGI(TAG, "Generating new flash encryption key...");
-        uint32_t buf[8];
-        bootloader_fill_random(buf, sizeof(buf));
-        for (int i = 0; i < 8; i++) {
-            ESP_LOGV(TAG, "EFUSE_BLK1_WDATA%d_REG = 0x%08x", i, buf[i]);
-            REG_WRITE(EFUSE_BLK1_WDATA0_REG + 4*i, buf[i]);
-        }
-        bzero(buf, sizeof(buf));
-        esp_efuse_burn_new_values();

-        ESP_LOGI(TAG, "Read & write protecting new key...");
-        REG_WRITE(EFUSE_BLK0_WDATA0_REG, EFUSE_WR_DIS_BLK1 | EFUSE_RD_DIS_BLK1);
-        esp_efuse_burn_new_values();
+        /* On-device key generation is temporarily disabled, until
+         * RNG operation during bootloader is qualified.
+         * See docs/security/flash-encryption.rst for details. */
+        ESP_LOGE(TAG, "On-device key generation is not yet available.");
+        return ESP_ERR_NOT_SUPPORTED;
    } else {

        if(!(efuse_key_read_protected && efuse_key_write_protected)) {
--- a/components/bootloader_support/src/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot.c
@@ -130,21 +130,12 @@ esp_err_t esp_secure_boot_permanently_enable(void) {
        && REG_READ(EFUSE_BLK2_RDATA5_REG) == 0
        && REG_READ(EFUSE_BLK2_RDATA6_REG) == 0
        && REG_READ(EFUSE_BLK2_RDATA7_REG) == 0) {
-        ESP_LOGI(TAG, "Generating new secure boot key...");
-        uint32_t buf[8];
-        bootloader_fill_random(buf, sizeof(buf));
-        for (int i = 0; i < 8; i++) {
-            ESP_LOGV(TAG, "EFUSE_BLK2_WDATA%d_REG = 0x%08x", i, buf[i]);
-            REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4*i, buf[i]);
-        }
-        bzero(buf, sizeof(buf));
-        burn_efuses();
-        ESP_LOGI(TAG, "Read & write protecting new key...");
-        REG_WRITE(EFUSE_BLK0_WDATA0_REG, EFUSE_WR_DIS_BLK2 | EFUSE_RD_DIS_BLK2);
-        burn_efuses();
-        efuse_key_read_protected = true;
-        efuse_key_write_protected = true;

+        /* On-device key generation is temporarily disabled, until
+         * RNG operation during bootloader is qualified.
+         * See docs/security/secure-boot.rst for details. */
+        ESP_LOGE(TAG, "On-device key generation is not yet available.");
+        return ESP_ERR_NOT_SUPPORTED;
    } else {
        ESP_LOGW(TAG, "Using pre-loaded secure boot key in EFUSE block 2");
    }