efuse: Add 'disable Download Mode' & ESP32-S2 'Secure Download Mode' functionality

2025-11-18 10:31:09 +00:00 · 2020-04-25 16:36:53 +10:00
parent 48d9c14c28
commit f64ae4fa99
11 changed files with 195 additions and 45 deletions
--- a/components/efuse/esp32/esp_efuse_table.c
+++ b/components/efuse/esp32/esp_efuse_table.c
@@ -17,7 +17,7 @@
 #include <assert.h>
 #include "esp_efuse_table.h"

-// md5_digest_table 2e23344575b3d07f01ecb695294e9770
+// md5_digest_table 11b691b6fa8546a3862a7a876be5f758
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -87,20 +87,24 @@ static const esp_efuse_desc_t DISABLE_DL_CACHE[] = {
    {EFUSE_BLK0, 201, 1}, 	 // Flash encrypt. Disable UART bootloader MMU cache. EFUSE_DISABLE_DL_CACHE.,
 };

-static const esp_efuse_desc_t DISABLE_JTAG[] = {
-    {EFUSE_BLK0, 198, 1}, 	 // Flash encrypt. Disable JTAG. EFUSE_RD_DISABLE_JTAG.,
-};
-
-static const esp_efuse_desc_t CONSOLE_DEBUG_DISABLE[] = {
-    {EFUSE_BLK0, 194, 1}, 	 // Flash encrypt. Disable ROM BASIC interpreter fallback. EFUSE_RD_CONSOLE_DEBUG_DISABLE.,
-};
-
 static const esp_efuse_desc_t FLASH_CRYPT_CNT[] = {
    {EFUSE_BLK0, 20, 7}, 	 // Flash encrypt. Flash encryption is enabled if this field has an odd number of bits set. EFUSE_FLASH_CRYPT_CNT.,
 };

+static const esp_efuse_desc_t DISABLE_JTAG[] = {
+    {EFUSE_BLK0, 198, 1}, 	 // Disable JTAG. EFUSE_RD_DISABLE_JTAG.,
+};
+
+static const esp_efuse_desc_t CONSOLE_DEBUG_DISABLE[] = {
+    {EFUSE_BLK0, 194, 1}, 	 // Disable ROM BASIC interpreter fallback. EFUSE_RD_CONSOLE_DEBUG_DISABLE.,
+};
+
+static const esp_efuse_desc_t UART_DOWNLOAD_DIS[] = {
+    {EFUSE_BLK0, 27, 1}, 	 // Disable UART download mode. Valid for ESP32 V3 and newer,
+};
+
 static const esp_efuse_desc_t WR_DIS_FLASH_CRYPT_CNT[] = {
-    {EFUSE_BLK0, 2, 1}, 	 // Flash encrypt. Write protection FLASH_CRYPT_CNT. EFUSE_WR_DIS_FLASH_CRYPT_CNT,
+    {EFUSE_BLK0, 2, 1}, 	 // Flash encrypt. Write protection FLASH_CRYPT_CNT,
 };

 static const esp_efuse_desc_t WR_DIS_BLK1[] = {
@@ -260,23 +264,28 @@ const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_CACHE[] = {
    NULL
 };

-const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[] = {
-    &DISABLE_JTAG[0],    		// Flash encrypt. Disable JTAG. EFUSE_RD_DISABLE_JTAG.
-    NULL
-};
-
-const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[] = {
-    &CONSOLE_DEBUG_DISABLE[0],    		// Flash encrypt. Disable ROM BASIC interpreter fallback. EFUSE_RD_CONSOLE_DEBUG_DISABLE.
-    NULL
-};
-
 const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[] = {
    &FLASH_CRYPT_CNT[0],    		// Flash encrypt. Flash encryption is enabled if this field has an odd number of bits set. EFUSE_FLASH_CRYPT_CNT.
    NULL
 };

+const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[] = {
+    &DISABLE_JTAG[0],    		// Disable JTAG. EFUSE_RD_DISABLE_JTAG.
+    NULL
+};
+
+const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[] = {
+    &CONSOLE_DEBUG_DISABLE[0],    		// Disable ROM BASIC interpreter fallback. EFUSE_RD_CONSOLE_DEBUG_DISABLE.
+    NULL
+};
+
+const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[] = {
+    &UART_DOWNLOAD_DIS[0],    		// Disable UART download mode. Valid for ESP32 V3 and newer
+    NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[] = {
-    &WR_DIS_FLASH_CRYPT_CNT[0],    		// Flash encrypt. Write protection FLASH_CRYPT_CNT. EFUSE_WR_DIS_FLASH_CRYPT_CNT
+    &WR_DIS_FLASH_CRYPT_CNT[0],    		// Flash encrypt. Write protection FLASH_CRYPT_CNT
    NULL
 };

--- a/components/efuse/esp32/esp_efuse_table.csv
+++ b/components/efuse/esp32/esp_efuse_table.csv
@@ -39,13 +39,16 @@ ENCRYPT_CONFIG,         EFUSE_BLK0,    188,   4,    Flash encrypt. EFUSE_FLASH_C
 DISABLE_DL_ENCRYPT,     EFUSE_BLK0,    199,   1,    Flash encrypt. Disable UART bootloader encryption. EFUSE_DISABLE_DL_ENCRYPT.
 DISABLE_DL_DECRYPT,     EFUSE_BLK0,    200,   1,    Flash encrypt. Disable UART bootloader decryption. EFUSE_DISABLE_DL_DECRYPT.
 DISABLE_DL_CACHE,       EFUSE_BLK0,    201,   1,    Flash encrypt. Disable UART bootloader MMU cache. EFUSE_DISABLE_DL_CACHE.
-DISABLE_JTAG,           EFUSE_BLK0,    198,   1,    Flash encrypt. Disable JTAG. EFUSE_RD_DISABLE_JTAG.
-CONSOLE_DEBUG_DISABLE,  EFUSE_BLK0,    194,   1,    Flash encrypt. Disable ROM BASIC interpreter fallback. EFUSE_RD_CONSOLE_DEBUG_DISABLE.
 FLASH_CRYPT_CNT,        EFUSE_BLK0,    20,    7,    Flash encrypt. Flash encryption is enabled if this field has an odd number of bits set. EFUSE_FLASH_CRYPT_CNT.

+# Misc Security #
+DISABLE_JTAG,           EFUSE_BLK0,    198,   1,    Disable JTAG. EFUSE_RD_DISABLE_JTAG.
+CONSOLE_DEBUG_DISABLE,  EFUSE_BLK0,    194,   1,    Disable ROM BASIC interpreter fallback. EFUSE_RD_CONSOLE_DEBUG_DISABLE.
+UART_DOWNLOAD_DIS,      EFUSE_BLK0,    27,    1,    Disable UART download mode. Valid for ESP32 V3 and newer, only.
+
 # Write protection #
 ####################
-WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0,    2,     1,    Flash encrypt. Write protection FLASH_CRYPT_CNT. EFUSE_WR_DIS_FLASH_CRYPT_CNT
+WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0,    2,     1,    Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT
 WR_DIS_BLK1,            EFUSE_BLK0,    7,     1,    Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
 WR_DIS_BLK2,            EFUSE_BLK0,    8,     1,    Security boot. Write protection security key. EFUSE_WR_DIS_BLK2
 WR_DIS_BLK3,            EFUSE_BLK0,    9,     1,    Write protection for EFUSE_BLK3. EFUSE_WR_DIS_BLK3
--- a/components/efuse/esp32/include/esp_efuse_table.h
+++ b/components/efuse/esp32/include/esp_efuse_table.h
@@ -17,7 +17,7 @@ extern "C" {
 #endif


-// md5_digest_table 2e23344575b3d07f01ecb695294e9770
+// md5_digest_table 11b691b6fa8546a3862a7a876be5f758
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -36,9 +36,10 @@ extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_CONFIG[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_ENCRYPT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_DECRYPT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_CACHE[];
+extern const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[];
 extern const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[];
-extern const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[];
+extern const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK2[];