fix(bootloader_support): Reorder write protection bits of some shared security efuses

2025-09-01 15:43:39 +05:30
parent 690e83d456
commit d902072d80
11 changed files with 78 additions and 21 deletions
@@ -44,7 +44,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)

    esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);

-#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
+#if defined(CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC)
    ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
    uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
    esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
@@ -53,8 +53,6 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_SHA384_EN);
 #endif

-    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_SECURE_BOOT_SHA384_EN);
-
    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);

 #ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
@@ -40,7 +40,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)

    esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);

-#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
+#if defined(CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC)
    ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
    uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
    esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
@@ -36,7 +36,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)

    esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);

-#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
+#if defined(CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC)
    if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
        ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
        uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
@@ -210,13 +210,6 @@ void esp_flash_encryption_set_release_mode(void)
 #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 #endif // !CONFIG_IDF_TARGET_ESP32

-#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
-    if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
-        uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
-        esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
-    }
-#endif
-
 #ifdef CONFIG_IDF_TARGET_ESP32
    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
 #else
@@ -429,6 +429,13 @@ bool esp_secure_boot_cfg_verify_release_mode(void)
    }

 #if SOC_ECDSA_SUPPORT_CURVE_P384
+#if CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_SHA384_EN);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not enabled Secure Boot using SHA-384 mode (set SECURE_BOOT_SHA384_EN->1)");
+    }
+#else
    /* When using Secure Boot with SHA-384, the efuse bit representing Secure Boot with SHA-384 would already be programmed.
     * But in the case of the existing Secure Boot V2 schemes using SHA-256, the efuse bit representing
     * Secure Boot with SHA-384 needs to be write-protected, so that an attacker cannot perform a denial-of-service
@@ -439,6 +446,7 @@ bool esp_secure_boot_cfg_verify_release_mode(void)
    if (!secure) {
        ESP_LOGW(TAG, "Not write-protected secure boot using SHA-384 mode (set WR_DIS_SECURE_BOOT_SHA384_EN->1)");
    }
+#endif
 #endif

    secure = (num_keys != 0);