alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-30 13:56:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

flash encryption: Add config option to disable any plaintext reflashes

Browse Source 
Enabled by default when Secure Boot is on, so Flash Encryption protection
is always available in case of a Secure Boot bypass.
This commit is contained in:
Angus Gratton
2019-06-12 11:03:42 +10:00
committed by bot
parent 70ecb7ec94
commit e8a4e70c42
4 changed files with 67 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
components/bootloader_support/src/flash_encrypt.c
View File

@@ -205,6 +205,14 @@ static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_cry
uint32_t new_flash_crypt_cnt = flash_crypt_cnt + (1 << (ffs_inv - 1));
ESP_LOGD(TAG, "FLASH_CRYPT_CNT 0x%x -> 0x%x", flash_crypt_cnt, new_flash_crypt_cnt);
REG_SET_FIELD(EFUSE_BLK0_WDATA0_REG, EFUSE_FLASH_CRYPT_CNT, new_flash_crypt_cnt);
#ifdef CONFIG_FLASH_ENCRYPTION_DISABLE_PLAINTEXT
ESP_LOGI(TAG, "Write protecting FLASH_CRYPT_CNT efuse...");
REG_SET_BIT(EFUSE_BLK0_WDATA0_REG, EFUSE_WR_DIS_FLASH_CRYPT_CNT);
#else
ESP_LOGW(TAG, "Not disabling FLASH_CRYPT_CNT - plaintext flashing is still possible");
#endif
esp_efuse_burn_new_values();
ESP_LOGI(TAG, "Flash encryption completed");