Posted to commits@nuttx.apache.org by xi...@apache.org on 2022/01/01 12:37:49 UTC
[incubator-nuttx] branch master updated (98899ff -> cff2bc0)
This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git.
from 98899ff boards: hifive1-revb: Enable some nsh commands in nsh/defconfig
new 9e5e60b esp32s2/esp32c3: Build MCUboot bootloader with Flash Encryption support
new 25f2dc2 risc-v/esp32c3: Enable the creation of encrypted Flash partitions
new c1fac72 xtensa/esp32: Add missing param documentation for SPI Flash function
new cff2bc0 esp32c3-devkit: Restrict FS options when Flash Encryption is enabled
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
arch/risc-v/src/esp32c3/Bootloader.mk | 7 ++
arch/risc-v/src/esp32c3/Kconfig | 12 +++
arch/risc-v/src/esp32c3/Kconfig.security | 94 +++++++++++++++++++++-
arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.c | 37 ++++++---
arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.h | 5 +-
arch/xtensa/src/esp32/Kconfig.security | 4 +-
arch/xtensa/src/esp32/esp32_spiflash.h | 2 +
arch/xtensa/src/esp32s2/Bootloader.mk | 7 ++
arch/xtensa/src/esp32s2/Kconfig | 10 +++
arch/xtensa/src/esp32s2/Kconfig.security | 94 +++++++++++++++++++++-
boards/risc-v/esp32c3/esp32c3-devkit/Kconfig | 17 ++++
.../esp32c3/esp32c3-devkit/src/esp32c3_spiflash.c | 27 ++++++-
tools/esp32s2/Config.mk | 2 +-
13 files changed, 292 insertions(+), 26 deletions(-)
[incubator-nuttx] 03/04: xtensa/esp32: Add missing param documentation for SPI Flash function
Posted by xi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit c1fac720ec15147260d94ccc535dea3f9eaf5efa
Author: Gustavo Henrique Nihei <gu...@espressif.com>
AuthorDate: Thu Dec 30 11:51:22 2021 -0300
xtensa/esp32: Add missing param documentation for SPI Flash function
Signed-off-by: Gustavo Henrique Nihei <gu...@espressif.com>
---
arch/xtensa/src/esp32/esp32_spiflash.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/xtensa/src/esp32/esp32_spiflash.h b/arch/xtensa/src/esp32/esp32_spiflash.h
index 38337ad..0023f18 100644
--- a/arch/xtensa/src/esp32/esp32_spiflash.h
+++ b/arch/xtensa/src/esp32/esp32_spiflash.h
@@ -57,6 +57,8 @@ extern "C"
* Input Parameters:
* mtd_offset - MTD Partition offset from the base address in SPI Flash.
* mtd_size - Size for the MTD partition.
+ * encrypted - Flag indicating whether the newly allocated partition will
+ * have its content encrypted.
*
* Returned Value:
* ESP32 SPI Flash MTD data pointer if success or NULL if fail.
[incubator-nuttx] 04/04: esp32c3-devkit: Restrict FS options when Flash Encryption is enabled
Posted by xi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit cff2bc05e0e58c09a5b657f71b2ef561f6befe80
Author: Gustavo Henrique Nihei <gu...@espressif.com>
AuthorDate: Thu Dec 30 11:56:40 2021 -0300
esp32c3-devkit: Restrict FS options when Flash Encryption is enabled
Signed-off-by: Gustavo Henrique Nihei <gu...@espressif.com>
---
boards/risc-v/esp32c3/esp32c3-devkit/Kconfig | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig b/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig
index 1712a03..feb8269 100644
--- a/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig
+++ b/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig
@@ -84,14 +84,26 @@ choice ESP32C3_SPIFLASH_FS
bool "SmartFS"
select FS_SMARTFS
select MTD_SMART
+ depends on !ESP32C3_SECURE_FLASH_ENC_ENABLED
+
+ comment "SmartFS not supported with Flash Encryption"
+ depends on ESP32C3_SECURE_FLASH_ENC_ENABLED
config ESP32C3_SPIFLASH_NXFFS
bool "NXFFS"
select FS_NXFFS
+ depends on !ESP32C3_SECURE_FLASH_ENC_ENABLED
+
+ comment "NXFFS not supported with Flash Encryption"
+ depends on ESP32C3_SECURE_FLASH_ENC_ENABLED
config ESP32C3_SPIFLASH_SPIFFS
bool "SPIFFS"
select FS_SPIFFS
+ depends on !ESP32C3_SECURE_FLASH_ENC_ENABLED
+
+ comment "SPIFFS not supported with Flash Encryption"
+ depends on ESP32C3_SECURE_FLASH_ENC_ENABLED
config ESP32C3_SPIFLASH_LITTLEFS
bool "LittleFS"
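Review bot: The three new `depends on !ESP32C3_SECURE_FLASH_ENC_ENABLED` lines gate the file-system choice on flash encryption being enabled for the chip at all, whereas the storage partition itself is only encrypted when ESP32C3_STORAGE_MTD_ENCRYPT is set, a separate default-on but user-clearable option in this same board Kconfig. If the limitation is that SmartFS/NXFFS/SPIFFS cannot operate on the encrypted MTD device, `depends on !ESP32C3_STORAGE_MTD_ENCRYPT` is the precise condition and still excludes them whenever the partition is encrypted; if the limitation applies whenever flash encryption is on, the current condition is right but the reason is recorded nowhere. Either way the `comment` strings should say why, e.g. `comment "SmartFS not supported on an encrypted Flash partition (see ESP32C3_STORAGE_MTD_ENCRYPT)"`, so the next reader can tell which case it is. The enclosing `choice ESP32C3_SPIFLASH_FS` starts before this hunk and its remaining entries continue after it.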
[incubator-nuttx] 01/04: esp32s2/esp32c3: Build MCUboot bootloader with Flash Encryption support
Posted by xi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit 9e5e60ba4893b22f6bc6289a734415c365712461
Author: Gustavo Henrique Nihei <gu...@espressif.com>
AuthorDate: Thu Dec 30 11:58:24 2021 -0300
esp32s2/esp32c3: Build MCUboot bootloader with Flash Encryption support
---
arch/risc-v/src/esp32c3/Bootloader.mk | 7 +++
arch/risc-v/src/esp32c3/Kconfig | 2 +
arch/risc-v/src/esp32c3/Kconfig.security | 94 ++++++++++++++++++++++++++++++--
arch/xtensa/src/esp32/Kconfig.security | 4 +-
arch/xtensa/src/esp32s2/Bootloader.mk | 7 +++
arch/xtensa/src/esp32s2/Kconfig | 10 ++++
arch/xtensa/src/esp32s2/Kconfig.security | 94 ++++++++++++++++++++++++++++++--
tools/esp32s2/Config.mk | 2 +-
8 files changed, 209 insertions(+), 11 deletions(-)
diff --git a/arch/risc-v/src/esp32c3/Bootloader.mk b/arch/risc-v/src/esp32c3/Bootloader.mk
index 5211259..ba39945 100644
--- a/arch/risc-v/src/esp32c3/Bootloader.mk
+++ b/arch/risc-v/src/esp32c3/Bootloader.mk
@@ -78,7 +78,14 @@ ifeq ($(CONFIG_ESP32C3_APP_FORMAT_MCUBOOT),y)
$(if $(CONFIG_ESP32C3_SECURE_BOOT_ALLOW_JTAG),$(call cfg_en,CONFIG_SECURE_BOOT_ALLOW_JTAG)) \
$(if $(CONFIG_ESP32C3_SECURE_BOOT_ALLOW_EFUSE_RD_DIS),$(call cfg_en,CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)) \
$(if $(CONFIG_ESP32C3_SECURE_DISABLE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_DISABLE_ROM_DL_MODE)) \
+ $(if $(CONFIG_ESP32C3_SECURE_ENABLE_SECURE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE)) \
$(if $(CONFIG_ESP32C3_SECURE_INSECURE_ALLOW_DL_MODE),$(call cfg_en,CONFIG_SECURE_INSECURE_ALLOW_DL_MODE)) \
+ $(if $(CONFIG_ESP32C3_SECURE_FLASH_ENC_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_ENC_ENABLED)) \
+ $(if $(CONFIG_ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT)) \
+ $(if $(CONFIG_ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_RELEASE),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE)) \
+ $(if $(CONFIG_ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC)) \
+ $(if $(CONFIG_ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE)) \
+ $(if $(CONFIG_ESP32C3_SECURE_FLASH_REQUIRE_ALREADY_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED)) \
$(call cfg_val,CONFIG_ESP_BOOTLOADER_SIZE,0xF000) \
$(call cfg_val,CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS,$(CONFIG_ESP32C3_OTA_PRIMARY_SLOT_OFFSET)) \
$(call cfg_val,CONFIG_ESP_APPLICATION_SIZE,$(CONFIG_ESP32C3_OTA_SLOT_SIZE)) \
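Review bot: The six new `$(if $(CONFIG_ESP32C3_SECURE_FLASH_...),$(call cfg_en,...))` lines forward each flash-encryption Kconfig symbol to the MCUboot build by hand, so a symbol added to Kconfig.security but not mirrored here is silently dropped and the bootloader is built with its own default for that setting. Whichever way that default goes, the mismatch is invisible at build time and, per the help texts in Kconfig.security, the result is burned into eFuses on first boot and cannot be undone. A comment above the list naming the coupling would help: `# Every ESP32C3_SECURE_* option in Kconfig.security must be mirrored here; an omitted option leaves the bootloader at its own default for that setting.` The `ifeq ($(CONFIG_ESP32C3_APP_FORMAT_MCUBOOT),y)` block this list lives in starts before the hunk and continues after it.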
diff --git a/arch/risc-v/src/esp32c3/Kconfig b/arch/risc-v/src/esp32c3/Kconfig
index a8356bb..7b3cdd1 100644
--- a/arch/risc-v/src/esp32c3/Kconfig
+++ b/arch/risc-v/src/esp32c3/Kconfig
@@ -77,6 +77,8 @@ config ESP32C3_ESPTOOLPY_NO_STUB
The flasher tool sends a precompiled download stub first by default.
That stub allows things like compressed downloads and more.
Usually you should not need to disable that feature.
+ It is only required to be disabled in certain scenarios when either
+ Secure Boot V2 or Flash Encryption is enabled.
config ESP32C3_FLASH_DETECT
bool "Auto-detect FLASH size"
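Review bot: The added sentence `It is only required to be disabled in certain scenarios when either Secure Boot V2 or Flash Encryption is enabled.` leaves the reader guessing which scenarios; the one this commit actually wires up is Secure ROM Download Mode, which `select`s this option in Kconfig.security. Suggest naming it: `It must be disabled once the chip is switched to Secure ROM Download Mode (ESP32C3_SECURE_ENABLE_SECURE_ROM_DL_MODE selects this option), since that mode does not accept the stub.` The "does not accept the stub" clause is my reading of why the select exists and should be confirmed before it goes in.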
diff --git a/arch/risc-v/src/esp32c3/Kconfig.security b/arch/risc-v/src/esp32c3/Kconfig.security
index d4876bd..250e33c 100644
--- a/arch/risc-v/src/esp32c3/Kconfig.security
+++ b/arch/risc-v/src/esp32c3/Kconfig.security
@@ -21,7 +21,7 @@ config ESP32C3_SECURE_BOOT
if ESP32C3_SECURE_BOOT
-comment "Secure Boot support requires building bootloader from source (ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE)"
+comment "Secure Boot support requires building the bootloader from source (ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE)"
depends on !ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE
config ESP32C3_SECURE_BOOT_BUILD_SIGNED_BINARIES
@@ -101,8 +101,54 @@ config ESP32C3_SECURE_BOOT_INSECURE
endif # ESP32C3_SECURE_BOOT
+comment "Flash Encryption"
+
+config ESP32C3_SECURE_FLASH_ENC_ENABLED
+ bool "Enable Flash Encryption on boot (READ HELP FIRST)"
+ default n
+ depends on ESP32C3_APP_FORMAT_MCUBOOT
+ ---help---
+ If this option is set, flash contents will be encrypted by the bootloader on first boot.
+
+ Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted
+ system is complicated and not always possible.
+
+ Read https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/security/flash-encryption.html
+ before enabling.
+
+if ESP32C3_SECURE_FLASH_ENC_ENABLED
+
+comment "Flash Encryption support requires building the bootloader from source (ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE)"
+ depends on !ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE
+
+choice ESP32C3_SECURE_FLASH_ENCRYPTION_MODE
+ bool "Enable usage mode"
+ default ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ By default, Development mode is enabled which allows ROM download mode to perform Flash Encryption
+ operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext
+ to flash). This mode is not secure, it's possible for an attacker to write their own chosen plaintext
+ to flash.
+
+ Release mode should always be selected for production or manufacturing. Once enabled it's no longer
+ possible for the device in ROM Download Mode to use the Flash Encryption hardware.
+
+ Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details:
+ https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/security/flash-encryption.html#flash-encryption-configuration
+
+ config ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ bool "Development (NOT SECURE)"
+ select ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
+
+ config ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ bool "Release"
+
+endchoice
+
+endif # ESP32C3_SECURE_FLASH_ENC_ENABLED
+
menu "Potentially insecure options"
- visible if ESP32C3_SECURE_BOOT_INSECURE
+ visible if ESP32C3_SECURE_BOOT_INSECURE || ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
# NOTE: Options in this menu NEED to have ESP32C3_SECURE_BOOT_INSECURE
# and/or ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu
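Review bot: `default ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT` on the new choice means a user who sets ESP32C3_SECURE_FLASH_ENC_ENABLED and accepts defaults lands in the mode labelled "NOT SECURE", and because that entry `select`s ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC the UART bootloader keeps access to the encryption hardware, which is exactly the chosen-plaintext write the choice's own help warns about. The help says Release should be used for production, but nothing marks the default as insecure at the point where it is chosen, and the eFuse changes made on first boot are permanent per the text above. Suggest a `comment "Flash Encryption is in Development (NOT SECURE) mode"` with `depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT` so the state is visible in menuconfig, or at least a sentence in the choice help saying the default is the insecure mode. The `menu "Potentially insecure options"` at the end of the hunk continues after it.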
@@ -113,7 +159,7 @@ menu "Potentially insecure options"
config ESP32C3_SECURE_BOOT_ALLOW_JTAG
bool "Allow JTAG Debugging"
default n
- depends on ESP32C3_SECURE_BOOT_INSECURE
+ depends on ESP32C3_SECURE_BOOT_INSECURE || ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
---help---
If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot
when either Secure Boot or Flash Encryption is enabled.
@@ -143,12 +189,51 @@ config ESP32C3_SECURE_BOOT_ALLOW_EFUSE_RD_DIS
then it is __NOT__ possible to read/write efuses using espefuse.py utility.
However, efuse can be read/written from the application.
+config ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
+ bool "Leave UART bootloader encryption enabled"
+ default n
+ depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ If not set (default), the bootloader will permanently disable UART bootloader encryption access on
+ first boot. If set, the UART bootloader will still be able to access hardware encryption.
+
+ It is recommended to only set this option in testing environments.
+
+config ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE
+ bool "Leave UART bootloader flash cache enabled"
+ default n
+ depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ If not set (default), the bootloader will permanently disable UART bootloader flash cache access on
+ first boot. If set, the UART bootloader will still be able to access the flash cache.
+
+ Only set this option in testing environments.
+
+config ESP32C3_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+ bool "Require Flash Encryption to be already enabled"
+ default n
+ depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ If not set (default), and Flash Encryption is not yet enabled in eFuses, the 2nd stage bootloader
+ will enable Flash Encryption: generate the Flash Encryption key and program eFuses.
+ If this option is set, and Flash Encryption is not yet enabled, the bootloader will error out and
+ reboot.
+ If Flash Encryption is enabled in eFuses, this option does not change the bootloader behavior.
+
+ Only use this option in testing environments, to avoid accidentally enabling Flash Encryption on
+ the wrong device. The device needs to have Flash Encryption already enabled using espefuse.py.
+
endmenu # Potentially insecure options
+config ESP32C3_SECURE_ROM_DL_MODE_ENABLED
+ bool
+ default y if !ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+
choice ESP32C3_SECURE_UART_ROM_DL_MODE
bool "UART ROM download mode"
+ default ESP32C3_SECURE_ENABLE_SECURE_ROM_DL_MODE if ESP32C3_SECURE_ROM_DL_MODE_ENABLED
default ESP32C3_SECURE_INSECURE_ALLOW_DL_MODE
- depends on ESP32C3_SECURE_BOOT
+ depends on ESP32C3_SECURE_BOOT || ESP32C3_SECURE_FLASH_ENC_ENABLED
config ESP32C3_SECURE_DISABLE_ROM_DL_MODE
bool "Permanently disabled (recommended)"
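Review bot: ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC carries `default n` and its help opens with `If not set (default), the bootloader will permanently disable UART bootloader encryption access`, but the only configuration in which it is visible (`depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT`) is also the one that `select`s it, so it can never be unset while its prompt is shown and the documented default never occurs. If Development mode is meant to always leave UART-bootloader encryption access enabled, drop the prompt and state that in the help; if the user is meant to be able to turn it off, the `select` in the mode choice should become `default y if ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT` on this option. The `choice ESP32C3_SECURE_UART_ROM_DL_MODE` at the end of the hunk continues after it.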
@@ -167,6 +252,7 @@ choice ESP32C3_SECURE_UART_ROM_DL_MODE
config ESP32C3_SECURE_ENABLE_SECURE_ROM_DL_MODE
bool "Permanently switch to Secure mode (recommended)"
+ select ESP32C3_ESPTOOLPY_NO_STUB
---help---
If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM
Download Mode into a separate Secure Download mode. This option can only work if
diff --git a/arch/xtensa/src/esp32/Kconfig.security b/arch/xtensa/src/esp32/Kconfig.security
index b79b2f50..1422b23 100644
--- a/arch/xtensa/src/esp32/Kconfig.security
+++ b/arch/xtensa/src/esp32/Kconfig.security
@@ -20,7 +20,7 @@ config ESP32_SECURE_BOOT
if ESP32_SECURE_BOOT
-comment "Secure Boot support requires building bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)"
+comment "Secure Boot support requires building the bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)"
depends on !ESP32_BOOTLOADER_BUILD_FROM_SOURCE
config ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES
@@ -117,7 +117,7 @@ config ESP32_SECURE_FLASH_ENC_ENABLED
if ESP32_SECURE_FLASH_ENC_ENABLED
-comment "Flash Encryption support requires building bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)"
+comment "Flash Encryption support requires building the bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)"
depends on !ESP32_BOOTLOADER_BUILD_FROM_SOURCE
choice ESP32_SECURE_FLASH_ENCRYPTION_MODE
diff --git a/arch/xtensa/src/esp32s2/Bootloader.mk b/arch/xtensa/src/esp32s2/Bootloader.mk
index 3ad1fc0..54248df 100644
--- a/arch/xtensa/src/esp32s2/Bootloader.mk
+++ b/arch/xtensa/src/esp32s2/Bootloader.mk
@@ -78,7 +78,14 @@ ifeq ($(CONFIG_ESP32S2_APP_FORMAT_MCUBOOT),y)
$(if $(CONFIG_ESP32S2_SECURE_BOOT_ALLOW_JTAG),$(call cfg_en,CONFIG_SECURE_BOOT_ALLOW_JTAG)) \
$(if $(CONFIG_ESP32S2_SECURE_BOOT_ALLOW_EFUSE_RD_DIS),$(call cfg_en,CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)) \
$(if $(CONFIG_ESP32S2_SECURE_DISABLE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_DISABLE_ROM_DL_MODE)) \
+ $(if $(CONFIG_ESP32S2_SECURE_ENABLE_SECURE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE)) \
$(if $(CONFIG_ESP32S2_SECURE_INSECURE_ALLOW_DL_MODE),$(call cfg_en,CONFIG_SECURE_INSECURE_ALLOW_DL_MODE)) \
+ $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_ENC_ENABLED)) \
+ $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT)) \
+ $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_RELEASE),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE)) \
+ $(if $(CONFIG_ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC)) \
+ $(if $(CONFIG_ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE)) \
+ $(if $(CONFIG_ESP32S2_SECURE_FLASH_REQUIRE_ALREADY_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED)) \
$(call cfg_val,CONFIG_ESP_BOOTLOADER_SIZE,0xF000) \
$(call cfg_val,CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS,$(CONFIG_ESP32S2_OTA_PRIMARY_SLOT_OFFSET)) \
$(call cfg_val,CONFIG_ESP_APPLICATION_SIZE,$(CONFIG_ESP32S2_OTA_SLOT_SIZE)) \
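Review bot: The six added `cfg_en` forwarding lines repeat the esp32c3 Bootloader.mk list line for line with only the `ESP32S2_` prefix changed, and there is no cross-reference between the two files, so a flash-encryption option added to one chip's Kconfig.security and forgotten here would silently leave the other chip's bootloader at its own default for an eFuse-burning, irreversible setting. A one-line comment tying the list to the chip's Kconfig.security, e.g. `# Keep in sync with the ESP32S2_SECURE_* options in Kconfig.security`, is the minimum; factoring the shared list into a common include is the better long-term fix. The enclosing `ifeq` block starts before the hunk and continues after it.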
diff --git a/arch/xtensa/src/esp32s2/Kconfig b/arch/xtensa/src/esp32s2/Kconfig
index da2c9cb..23152d1 100644
--- a/arch/xtensa/src/esp32s2/Kconfig
+++ b/arch/xtensa/src/esp32s2/Kconfig
@@ -81,6 +81,16 @@ config ESP32S2_FLASH_16M
bool
default n
+config ESP32S2_ESPTOOLPY_NO_STUB
+ bool "Disable download stub"
+ default n
+ ---help---
+ The flasher tool sends a precompiled download stub first by default.
+ That stub allows things like compressed downloads and more.
+ Usually you should not need to disable that feature.
+ It is only required to be disabled in certain scenarios when either
+ Secure Boot V2 or Flash Encryption is enabled.
+
config ESP32S2_FLASH_DETECT
bool "Auto-detect FLASH size"
default y
diff --git a/arch/xtensa/src/esp32s2/Kconfig.security b/arch/xtensa/src/esp32s2/Kconfig.security
index f9b1297..f03c975 100644
--- a/arch/xtensa/src/esp32s2/Kconfig.security
+++ b/arch/xtensa/src/esp32s2/Kconfig.security
@@ -20,7 +20,7 @@ config ESP32S2_SECURE_BOOT
if ESP32S2_SECURE_BOOT
-comment "Secure Boot support requires building bootloader from source (ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE)"
+comment "Secure Boot support requires building the bootloader from source (ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE)"
depends on !ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE
config ESP32S2_SECURE_BOOT_BUILD_SIGNED_BINARIES
@@ -100,8 +100,54 @@ config ESP32S2_SECURE_BOOT_INSECURE
endif # ESP32S2_SECURE_BOOT
+comment "Flash Encryption"
+
+config ESP32S2_SECURE_FLASH_ENC_ENABLED
+ bool "Enable Flash Encryption on boot (READ HELP FIRST)"
+ default n
+ depends on ESP32S2_APP_FORMAT_MCUBOOT
+ ---help---
+ If this option is set, flash contents will be encrypted by the bootloader on first boot.
+
+ Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted
+ system is complicated and not always possible.
+
+ Read https://docs.espressif.com/projects/esp-idf/en/latest/esp32s2/security/flash-encryption.html
+ before enabling.
+
+if ESP32S2_SECURE_FLASH_ENC_ENABLED
+
+comment "Flash Encryption support requires building the bootloader from source (ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE)"
+ depends on !ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE
+
+choice ESP32S2_SECURE_FLASH_ENCRYPTION_MODE
+ bool "Enable usage mode"
+ default ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ By default, Development mode is enabled which allows ROM download mode to perform Flash Encryption
+ operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext
+ to flash). This mode is not secure, it's possible for an attacker to write their own chosen plaintext
+ to flash.
+
+ Release mode should always be selected for production or manufacturing. Once enabled it's no longer
+ possible for the device in ROM Download Mode to use the Flash Encryption hardware.
+
+ Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details:
+ https://docs.espressif.com/projects/esp-idf/en/latest/esp32s2/security/flash-encryption.html#flash-encryption-configuration
+
+ config ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ bool "Development (NOT SECURE)"
+ select ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
+
+ config ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ bool "Release"
+
+endchoice
+
+endif # ESP32S2_SECURE_FLASH_ENC_ENABLED
+
menu "Potentially insecure options"
- visible if ESP32S2_SECURE_BOOT_INSECURE
+ visible if ESP32S2_SECURE_BOOT_INSECURE || ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
# NOTE: Options in this menu NEED to have ESP32S2_SECURE_BOOT_INSECURE
# and/or ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu
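Review bot: The new `comment "Flash Encryption support requires building the bootloader from source (...)"` with `depends on !ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE` is advisory only: nothing in this hunk stops a configuration with ESP32S2_SECURE_FLASH_ENC_ENABLED=y and a prebuilt bootloader, in which case the bootloader that gets flashed presumably never enables encryption while the rest of the configuration assumes it does. This mirrors the existing Secure Boot pattern above, so if the combination is rejected by Bootloader.mk or the flash step that is outside the hunk and a note here saying so would be enough; otherwise `depends on ESP32S2_APP_FORMAT_MCUBOOT && ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE` on ESP32S2_SECURE_FLASH_ENC_ENABLED makes the requirement enforceable instead of a comment. The `menu "Potentially insecure options"` at the end of the hunk continues after it.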
@@ -112,7 +158,7 @@ menu "Potentially insecure options"
config ESP32S2_SECURE_BOOT_ALLOW_JTAG
bool "Allow JTAG Debugging"
default n
- depends on ESP32S2_SECURE_BOOT_INSECURE
+ depends on ESP32S2_SECURE_BOOT_INSECURE || ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
---help---
If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot
when either Secure Boot or Flash Encryption is enabled.
@@ -142,12 +188,51 @@ config ESP32S2_SECURE_BOOT_ALLOW_EFUSE_RD_DIS
then it is __NOT__ possible to read/write efuses using espefuse.py utility.
However, efuse can be read/written from the application.
+config ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
+ bool "Leave UART bootloader encryption enabled"
+ default n
+ depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ If not set (default), the bootloader will permanently disable UART bootloader encryption access on
+ first boot. If set, the UART bootloader will still be able to access hardware encryption.
+
+ It is recommended to only set this option in testing environments.
+
+config ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE
+ bool "Leave UART bootloader flash cache enabled"
+ default n
+ depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ If not set (default), the bootloader will permanently disable UART bootloader flash cache access on
+ first boot. If set, the UART bootloader will still be able to access the flash cache.
+
+ Only set this option in testing environments.
+
+config ESP32S2_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+ bool "Require Flash Encryption to be already enabled"
+ default n
+ depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+ ---help---
+ If not set (default), and Flash Encryption is not yet enabled in eFuses, the 2nd stage bootloader
+ will enable Flash Encryption: generate the Flash Encryption key and program eFuses.
+ If this option is set, and Flash Encryption is not yet enabled, the bootloader will error out and
+ reboot.
+ If Flash Encryption is enabled in eFuses, this option does not change the bootloader behavior.
+
+ Only use this option in testing environments, to avoid accidentally enabling Flash Encryption on
+ the wrong device. The device needs to have Flash Encryption already enabled using espefuse.py.
+
endmenu # Potentially insecure options
+config ESP32S2_SECURE_ROM_DL_MODE_ENABLED
+ bool
+ default y if !ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+
choice ESP32S2_SECURE_UART_ROM_DL_MODE
bool "UART ROM download mode"
+ default ESP32S2_SECURE_ENABLE_SECURE_ROM_DL_MODE if ESP32S2_SECURE_ROM_DL_MODE_ENABLED
default ESP32S2_SECURE_INSECURE_ALLOW_DL_MODE
- depends on ESP32S2_SECURE_BOOT
+ depends on ESP32S2_SECURE_BOOT || ESP32S2_SECURE_FLASH_ENC_ENABLED
config ESP32S2_SECURE_DISABLE_ROM_DL_MODE
bool "Permanently disabled (recommended)"
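Review bot: `ESP32S2_SECURE_ROM_DL_MODE_ENABLED` is `default y if !ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT`, which is also true when Flash Encryption is not enabled at all, so a Secure-Boot-only configuration that does not set the choice explicitly now defaults to ESP32S2_SECURE_ENABLE_SECURE_ROM_DL_MODE instead of ESP32S2_SECURE_INSECURE_ALLOW_DL_MODE (and, via the `select` in the next hunk, to `--no-stub` flashing). That is the more secure default, but it is an eFuse burn on first boot and the commit message does not mention the change for existing Secure Boot users. The helper's name also reads as a state ("secure DL mode is enabled") rather than a default policy; `ESP32S2_SECURE_UART_ROM_DL_MODE_DEFAULT_SECURE` with a one-line comment such as `# Default the UART ROM download mode to Secure unless Flash Encryption is in Development mode` would make the intent clear. The `choice ESP32S2_SECURE_UART_ROM_DL_MODE` at the end of the hunk continues after it.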
@@ -166,6 +251,7 @@ choice ESP32S2_SECURE_UART_ROM_DL_MODE
config ESP32S2_SECURE_ENABLE_SECURE_ROM_DL_MODE
bool "Permanently switch to Secure mode (recommended)"
+ select ESP32S2_ESPTOOLPY_NO_STUB
---help---
If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM
Download Mode into a separate Secure Download mode. This option can only work if
diff --git a/tools/esp32s2/Config.mk b/tools/esp32s2/Config.mk
index ec56206..8c24c47 100644
--- a/tools/esp32s2/Config.mk
+++ b/tools/esp32s2/Config.mk
@@ -253,7 +253,7 @@ define FLASH
echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \
exit 1; \
fi
- $(eval ESPTOOL_OPTS := -c esp32s2 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS))
+ $(eval ESPTOOL_OPTS := -c esp32s2 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS) $(if $(CONFIG_ESP32S2_ESPTOOLPY_NO_STUB),--no-stub))
esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)
$(if $(CONFIG_ESP32S2_SECURE_BOOT),$(call HELP_FLASH_BOOTLOADER))
[incubator-nuttx] 02/04: risc-v/esp32c3: Enable the creation of encrypted Flash partitions
Posted by xi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit 25f2dc20775de8a15672687169f0191074600b1f
Author: Gustavo Henrique Nihei <gu...@espressif.com>
AuthorDate: Thu Dec 30 11:51:03 2021 -0300
risc-v/esp32c3: Enable the creation of encrypted Flash partitions
Signed-off-by: Gustavo Henrique Nihei <gu...@espressif.com>
---
arch/risc-v/src/esp32c3/Kconfig | 10 ++++++
arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.c | 37 +++++++++++++++-------
arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.h | 5 ++-
boards/risc-v/esp32c3/esp32c3-devkit/Kconfig | 5 +++
.../esp32c3/esp32c3-devkit/src/esp32c3_spiflash.c | 27 ++++++++++++++--
5 files changed, 69 insertions(+), 15 deletions(-)
diff --git a/arch/risc-v/src/esp32c3/Kconfig b/arch/risc-v/src/esp32c3/Kconfig
index 7b3cdd1..1e0b498 100644
--- a/arch/risc-v/src/esp32c3/Kconfig
+++ b/arch/risc-v/src/esp32c3/Kconfig
@@ -778,6 +778,11 @@ config ESP32C3_WIFI_FS_MOUNTPT
---help---
Mount point of Wi-Fi storage file system.
+config ESP32C3_WIFI_MTD_ENCRYPT
+ bool "Encrypt Wi-Fi MTD partition"
+ default y
+ depends on ESP32C3_SECURE_FLASH_ENC_ENABLED
+
config ESP32C3_WIFI_MTD_OFFSET
hex "Wi-Fi MTD partition offset"
default 0x280000 if !ESP32C3_HAVE_OTA_PARTITION
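Review bot: `ESP32C3_WIFI_MTD_ENCRYPT` is a user-visible `bool` with no `---help---`, and the consequence of clearing it, that the Wi-Fi storage partition is accessed through the plaintext MTD device on a chip whose other partitions are encrypted, is stated nowhere. Suggest help along the lines of `If set, the Wi-Fi storage partition is accessed through the encrypted SPI Flash MTD device. Clear it only if this partition is deliberately kept in plaintext.` What the hardware actually does with a plaintext write on an encrypted chip is not visible here and should be confirmed before the wording is made stronger. The `config ESP32C3_WIFI_MTD_OFFSET` entry at the end of the hunk continues after it.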
@@ -891,6 +896,11 @@ if ESP32C3_HAVE_OTA_PARTITION
comment "Application Image OTA Update support"
+config ESP32C3_OTA_PARTITION_ENCRYPT
+ bool "Encrypt OTA partitions"
+ default y
+ depends on ESP32C3_SECURE_FLASH_ENC_ENABLED
+
config ESP32C3_OTA_PRIMARY_SLOT_OFFSET
hex "Application image primary slot offset"
default 0x10000
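Review bot: `ESP32C3_OTA_PARTITION_ENCRYPT` can be cleared by the user, yet the OTA slots hold the application images the bootloader itself loads; whether an image written through the plaintext MTD still boots on a chip with Flash Encryption enabled cannot be determined from this hunk, and nothing here warns the user either way. If the answer is no, this should be a promptless `bool` with `default y` (or be `select`ed by ESP32C3_SECURE_FLASH_ENC_ENABLED) rather than a choice; if there is a legitimate reason to disable it, a `---help---` stating the boot consequence is needed. The `if ESP32C3_HAVE_OTA_PARTITION` block continues after the hunk.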
diff --git a/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.c b/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.c
index c9933f7..68dc75d 100644
--- a/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.c
+++ b/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.c
@@ -691,30 +691,40 @@ static int esp32c3_ioctl(struct mtd_dev_s *dev, int cmd,
* Name: esp32c3_spiflash_alloc_mtdpart
*
* Description:
- * Allocate SPI Flash MTD.
+ * Allocate an MTD partition from the ESP32-C3 SPI Flash.
*
* Input Parameters:
- * None
+ * mtd_offset - MTD Partition offset from the base address in SPI Flash.
+ * mtd_size - Size for the MTD partition.
+ * encrypted - Flag indicating whether the newly allocated partition will
+ * have its content encrypted.
*
* Returned Value:
- * SPI Flash MTD data pointer if success or NULL if fail.
+ * ESP32-C3 SPI Flash MTD data pointer if success or NULL if fail.
*
****************************************************************************/
struct mtd_dev_s *esp32c3_spiflash_alloc_mtdpart(uint32_t mtd_offset,
- uint32_t mtd_size)
+ uint32_t mtd_size,
+ bool encrypted)
{
- struct esp32c3_mtd_dev_s *priv =
- (struct esp32c3_mtd_dev_s *)&g_esp32c3_spiflash;
- const esp32c3_spiflash_chip_t *chip = &(*priv->data)->chip;
+ const struct esp32c3_mtd_dev_s *priv;
+ const esp32c3_spiflash_chip_t *chip;
struct mtd_dev_s *mtd_part;
uint32_t blocks;
uint32_t startblock;
uint32_t size;
- ASSERT((mtd_offset + mtd_size) <= chip->chip_size);
- ASSERT((mtd_offset % chip->sector_size) == 0);
- ASSERT((mtd_size % chip->sector_size) == 0);
+ if (encrypted)
+ {
+ priv = &g_esp32c3_spiflash_encrypt;
+ }
+ else
+ {
+ priv = &g_esp32c3_spiflash;
+ }
+
+ chip = &(*priv->data)->chip;
finfo("ESP32-C3 SPI Flash information:\n");
finfo("\tID = 0x%" PRIx32 "\n", chip->device_id);
@@ -724,6 +734,10 @@ struct mtd_dev_s *esp32c3_spiflash_alloc_mtdpart(uint32_t mtd_offset,
finfo("\tSector size = %" PRId32 " KB\n", chip->sector_size / 1024);
finfo("\tBlock size = %" PRId32 " KB\n", chip->block_size / 1024);
+ ASSERT((mtd_offset + mtd_size) <= chip->chip_size);
+ ASSERT((mtd_offset % chip->sector_size) == 0);
+ ASSERT((mtd_size % chip->sector_size) == 0);
+
if (mtd_size == 0)
{
size = chip->chip_size - mtd_offset;
@@ -739,7 +753,8 @@ struct mtd_dev_s *esp32c3_spiflash_alloc_mtdpart(uint32_t mtd_offset,
startblock = MTD_SIZE2BLK(priv, mtd_offset);
blocks = MTD_SIZE2BLK(priv, size);
- mtd_part = mtd_partition(&priv->mtd, startblock, blocks);
+ mtd_part = mtd_partition((struct mtd_dev_s *)&priv->mtd, startblock,
+ blocks);
if (!mtd_part)
{
ferr("ERROR: Failed to create MTD partition\n");
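Review bot: `(struct mtd_dev_s *)&priv->mtd` casts away the `const` that this same commit adds to `priv` in the first hunk of the file, which is the wrong direction for a qualifier mismatch: if `g_esp32c3_spiflash` and `g_esp32c3_spiflash_encrypt` are themselves defined `const`, any write to the MTD struct through the partition is undefined behaviour and the cast only hides it; if they are not `const`, `priv` should stay `struct esp32c3_mtd_dev_s *priv;` as before and the call reverts to `mtd_part = mtd_partition(&priv->mtd, startblock, blocks);`. Both definitions are outside the hunk, so I cannot tell which case applies. `esp32c3_spiflash_alloc_mtdpart` continues after the hunk.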
diff --git a/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.h b/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.h
index 3c3a261..1d0700a 100644
--- a/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.h
+++ b/arch/risc-v/src/esp32c3/esp32c3_spiflash_mtd.h
@@ -87,6 +87,8 @@ struct mtd_dev_s *esp32c3_spiflash_encrypt_mtd(void);
* Input Parameters:
* mtd_offset - MTD Partition offset from the base address in SPI Flash.
* mtd_size - Size for the MTD partition.
+ * encrypted - Flag indicating whether the newly allocated partition will
+ * have its content encrypted.
*
* Returned Value:
* SPI Flash MTD data pointer if success or NULL if fail.
@@ -94,7 +96,8 @@ struct mtd_dev_s *esp32c3_spiflash_encrypt_mtd(void);
****************************************************************************/
struct mtd_dev_s *esp32c3_spiflash_alloc_mtdpart(uint32_t mtd_offset,
- uint32_t mtd_size);
+ uint32_t mtd_size,
+ bool encrypted);
#ifdef __cplusplus
}
diff --git a/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig b/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig
index 0a8b03b..1712a03 100644
--- a/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig
+++ b/boards/risc-v/esp32c3/esp32c3-devkit/Kconfig
@@ -50,6 +50,11 @@ config ESP32C3_MERGE_BINS
This is only useful when the path to binary files (e.g. bootloader)
is provided via the ESPTOOL_BINDIR variable.
+config ESP32C3_STORAGE_MTD_ENCRYPT
+ bool "Encrypt Storage MTD partition"
+ default y
+ depends on ESP32C3_SECURE_FLASH_ENC_ENABLED
+
config ESP32C3_STORAGE_MTD_OFFSET
hex "Storage MTD base address in SPI Flash"
default 0x180000 if !ESP32C3_HAVE_OTA_PARTITION
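Review bot: `ESP32C3_STORAGE_MTD_ENCRYPT` has a prompt but no `---help---`, and it is this option, not ESP32C3_SECURE_FLASH_ENC_ENABLED, that decides whether the storage MTD handed to the board's file system is the encrypted device (see the `STORAGE_ENCRYPT` macro in esp32c3_spiflash.c in this commit). Suggest `---help---` text such as `If set, the Storage MTD partition is accessed through the encrypted SPI Flash MTD device; clear it only if this partition is deliberately kept in plaintext.` The `config ESP32C3_STORAGE_MTD_OFFSET` entry at the end of the hunk continues after it.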
diff --git a/boards/risc-v/esp32c3/esp32c3-devkit/src/esp32c3_spiflash.c b/boards/risc-v/esp32c3/esp32c3-devkit/src/esp32c3_spiflash.c
index 5ca5874..0c244bd 100644
--- a/boards/risc-v/esp32c3/esp32c3-devkit/src/esp32c3_spiflash.c
+++ b/boards/risc-v/esp32c3/esp32c3-devkit/src/esp32c3_spiflash.c
@@ -52,6 +52,24 @@
#define ARRAYSIZE(x) (sizeof((x)) / sizeof((x)[0]))
+#ifdef CONFIG_ESP32C3_OTA_PARTITION_ENCRYPT
+# define OTA_ENCRYPT true
+#else
+# define OTA_ENCRYPT false
+#endif
+
+#ifdef CONFIG_ESP32C3_WIFI_MTD_ENCRYPT
+# define WIFI_ENCRYPT true
+#else
+# define WIFI_ENCRYPT false
+#endif
+
+#ifdef CONFIG_ESP32C3_STORAGE_MTD_ENCRYPT
+# define STORAGE_ENCRYPT true
+#else
+# define STORAGE_ENCRYPT false
+#endif
+
/****************************************************************************
* Private Types
****************************************************************************/
@@ -130,7 +148,8 @@ static int init_ota_partitions(void)
for (int i = 0; i < ARRAYSIZE(g_ota_partition_table); ++i)
{
const struct ota_partition_s *part = &g_ota_partition_table[i];
- mtd = esp32c3_spiflash_alloc_mtdpart(part->offset, part->size);
+ mtd = esp32c3_spiflash_alloc_mtdpart(part->offset, part->size,
+ OTA_ENCRYPT);
ret = ftl_initialize(i, mtd);
if (ret < 0)
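Review bot: The result of `esp32c3_spiflash_alloc_mtdpart(part->offset, part->size, OTA_ENCRYPT)` is passed straight to `ftl_initialize(i, mtd)` with no NULL check, unlike the Wi-Fi and storage call sites later in this file, which `ferr` and bail out when the allocation fails; the function's header comment says it returns NULL on failure. Suggest inserting between the two lines `if (mtd == NULL) { ferr("ERROR: Failed to alloc MTD partition of SPI Flash\n"); return -ENOMEM; }`, using whatever error code the sibling functions return (their `return` statements are outside the hunk). `init_ota_partitions` starts before the hunk and continues after it.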
@@ -370,7 +389,8 @@ static int init_wifi_partition(void)
FAR struct mtd_dev_s *mtd;
mtd = esp32c3_spiflash_alloc_mtdpart(CONFIG_ESP32C3_WIFI_MTD_OFFSET,
- CONFIG_ESP32C3_WIFI_MTD_SIZE);
+ CONFIG_ESP32C3_WIFI_MTD_SIZE,
+ WIFI_ENCRYPT);
if (!mtd)
{
ferr("ERROR: Failed to alloc MTD partition of SPI Flash\n");
@@ -434,7 +454,8 @@ static int init_storage_partition(void)
FAR struct mtd_dev_s *mtd;
mtd = esp32c3_spiflash_alloc_mtdpart(CONFIG_ESP32C3_STORAGE_MTD_OFFSET,
- CONFIG_ESP32C3_STORAGE_MTD_SIZE);
+ CONFIG_ESP32C3_STORAGE_MTD_SIZE,
+ STORAGE_ENCRYPT);
if (!mtd)
{
ferr("ERROR: Failed to alloc MTD partition of SPI Flash\n");