This change addresses a rare but critical issue observed on certain
ESP32-C3 and ESP32-S3 devices, where secure boot verification
intermittently fails due to improper cleanup of crypto peripherals
during a restart.
Background – Restart Behavior in IDF
------------------------------------
In ESP-IDF, when the device restarts (via `esp_restart()` or due to a
panic/exception), a partial peripheral reset is performed followed by a
CPU reset. However, until now, crypto-related peripherals were not
included in this selective reset sequence.
Problem Scenario
----------------
If a restart occurs while the application is in the middle of a bignum
operation (i.e., using the MPI/Bignum peripheral), the ROM code may
encounter an inconsistent peripheral state during the subsequent boot.
This leads to transient RSA-PSS secure boot verification failures.
Following such a failure, the ROM typically triggers a full-chip reset
via the watchdog timer (WDT). This full reset clears the crypto
peripheral state, allowing secure boot verification to succeed on the
next boot.
Risk with Aggressive Revocation
-------------------------------
If secure boot aggressive revocation is enabled (disabled by default in
IDF), this transient verification failure could mistakenly lead to
revocation of the secure boot digest.
If your product configuration has aggressive revocation enabled,
applying this fix is strongly recommended.
Frequency of Occurrence
-----------------------
The issue is rare and only occurs in corner cases involving
simultaneous use of the MPI peripheral and an immediate CPU reset.
Fix
---
This fix ensures that all crypto peripherals are explicitly reset prior
to any software-triggered restart (including panic scenarios),
guaranteeing a clean peripheral state for the next boot and preventing
incorrect secure boot behavior.
If the TimerGroup 0 clock is disabled and then reenabled, the watchdog
registers (Flashboot protection included) will be re-enabled, and some
seconds later, will trigger an unintended reset.
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
1. Remove RTC_CLOCK_BBPLL_POWER_ON_WITH_USB Kconfig option
During sleep, the BBPLL clock always gets disabled
esp_restart does not disable the BBPLL clock, so that the first-stage bootloader log can be printed
2. Add a new Kconfig option PM_NO_AUTO_LS_ON_USJ_CONNECTED
When this option is selected, IDF will constantly monitor the USB CDC port connection status.
As long as it is connected to a host, automatic light-sleep will not happen.
Closes https://github.com/espressif/esp-idf/issues/8507
This commit marks all functions in interrupt_controller_hal.h, cpu_ll.h and cpu_hal.h as deprecated.
Users should use functions from esp_cpu.h instead.
Moved the following kconfig options out of the target component:
* CONFIG_ESP*_DEFAULT_CPU_FREQ* -> esp_system
* ESP*_REV_MIN -> esp_hw_support
* ESP*_TIME_SYSCALL -> newlib
* ESP*_RTC_* -> esp_hw_support
Where applicable these target-specific kconfig names were merged into
a single common config, e.g.,
CONFIG_ESP*_DEFAULT_CPU_FREQ -> CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ
Moved the following kconfig options out of the target component:
* ESP32_X_BROWNOUT_* -> esp_system
* ESP32_X_DEBUG_OCDAWARE -> esp_system
* APP_NO_BLOBS -> build type (main kconfig)
Upstream xtensa exception handling will save the PS, PC, and a0 registers
together when saving a minimal context. This commit updates the xtensa
exception handling to match upstream behavior.
The following files were deleted:
- components/esp_hw_support/include/soc/cpu.h
- components/soc/esp32s3/include/soc/cpu.h
The following functions are deprecated:
- get_sp()
The following functions declared in soc/cpu.h are now moved to esp_cpu.h:
- esp_cpu_configure_region_protection()
The following functions declared in soc/cpu.h are now moved to components/xtensa/include/esp_cpu_utils.h:
- esp_cpu_process_stack_pc()
All files with soc/cpu.h inclusion are updated to include esp_cpu.h instead.
Signed-off-by: Sudeep Mohanty <sudeep.mohanty@espressif.com>
Peripheral enable/disable should usually be managed by the driver itself,
so make these Espressif private APIs; they are not recommended for users to call
in application code.
However, if a user wants to re-write the driver or port it to another platform,
this is still possible by including the header in this way:
"esp_private/peripheral_ctrl.h"
As branches/jumps on Xtensa have a maximum range for the destination, it is
unsafe to refer to a label in another compilation unit in a branch/jump instruction.
The labels have been replaced by absolute addresses.
components/os: Move ETS_T1_WDT_INUM, ETS_CACHEERR_INUM and ETS_DPORT_INUM to l5 interrupt
components/os: high level interrupt(5)
components/os: hli_api: meta queue: fix out of bounds access, check for overflow
components/os: hli: don't spill registers, instead save them to a separate region
Level 4 interrupt has a chance of preempting a window overflow or underflow exception.
Therefore it is not possible to use standard context save functions,
as the SP on entry to Level 4 interrupt may be invalid (e.g. in WindowUnderflow4).
Instead, mask window overflows and save the entire general purpose register file,
plus some of the special registers.
Then clear WindowStart, allowing the C handler to execute without spilling the old windows.
On exit from the interrupt handler, do everything in reverse.
components/bt: using high level interrupt in lc
components/os: Add DRAM_ATTR to avoid feature `Allow .bss segment placed in external memory`
components/bt: optimize code structure
components/os: Modify the BT assert process to adapt to coredump and HLI
components/os: Disable exception mode after saving special registers
Store some registers first, to avoid getting stuck in a live lock after disabling exception mode
components/os: using dport instead of AHB in BT to fix live lock
components/bt: Fix hli queue send error
components/bt: Fix CI fail
# Conflicts:
# components/bt/CMakeLists.txt
# components/bt/component.mk
# components/bt/controller/bt.c
# components/bt/controller/lib
# components/esp_common/src/int_wdt.c
# components/esp_system/port/soc/esp32/dport_panic_highint_hdl.S
# components/soc/esp32/include/soc/soc.h