ESP32 SecureBoot V2: eFuse write operations are updated to use the eFuse Manager APIs

sachin-billore · espressif-bot · commit f1dae0d6e125 · 2020-08-27T04:24:04.000Z
Closes IDF-2034 Closes espressif/esp-idf#5771
diff --git a/components/bootloader_support/src/esp32/secure_boot.c b/components/bootloader_support/src/esp32/secure_boot.c
@@ -34,6 +34,7 @@
 #include "esp_secure_boot.h"
 #include "esp_flash_encrypt.h"
 #include "esp_efuse.h"
+#include "esp_efuse_table.h"
 
 /* The following API implementations are used only when called
  * from the bootloader code.
@@ -290,16 +291,19 @@ static esp_err_t secure_boot_v2_digest_generate(uint32_t flash_offset, uint32_t
 
 esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data)
 {
-    uint32_t new_wdata0 = 0;
-    uint32_t new_wdata6 = 0;
-
     ESP_LOGI(TAG, "enabling secure boot v2...");
     esp_err_t ret;
     if (esp_secure_boot_enabled()) {
         ESP_LOGI(TAG, "secure boot v2 is already enabled. Continuing..");
         return ESP_OK;
     }
 
+    ret = esp_efuse_batch_write_begin();
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Error batch programming security eFuses.");
+        return ret;
+    }
+
     uint32_t coding_scheme = REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_CODING_SCHEME);
     if (coding_scheme != EFUSE_CODING_SCHEME_VAL_NONE) {
         ESP_LOGE(TAG, "No coding schemes are supported in secure boot v2.(Detected scheme: 0x%x)", coding_scheme);
@@ -336,14 +340,19 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
         }
 
         ESP_LOGI(TAG, "Burning public key hash to efuse.");
-        uint32_t *boot_public_key_digest_ptr = (uint32_t *) boot_pub_key_digest;
-        for (int i = 0; i < 8 ; i++) {
-            REG_WRITE(EFUSE_BLK2_WDATA0_REG + 4 * i, boot_public_key_digest_ptr[i]);
-            ESP_LOGD(TAG, "EFUSE_BLKx_WDATA%d_REG = 0x%08x", i, boot_public_key_digest_ptr[i]);
+        ret = esp_efuse_write_block(EFUSE_BLK2, boot_pub_key_digest, 0, (DIGEST_LEN * 8));
+        if (ret != ESP_OK) {
+            ESP_LOGE(TAG, "Writing public key hash to efuse failed.");
+            return ret;
         }
 
         ESP_LOGI(TAG, "Write protecting public key digest...");
-        new_wdata0 |= EFUSE_WR_DIS_BLK2;
+        ret = esp_efuse_set_write_protect(EFUSE_BLK2);
+        if (ret != ESP_OK) {
+            ESP_LOGE(TAG, "Write protecting public key digest...failed.");
+            return ret;
+        }
+
         efuse_key_write_protected = true;
         efuse_key_read_protected = false;
     } else {
@@ -375,26 +384,38 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
     ESP_LOGI(TAG, "blowing secure boot efuse...");
     ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
 
-    new_wdata6 |= EFUSE_RD_ABS_DONE_1;
+    ret = esp_efuse_write_field_bit(ESP_EFUSE_ABS_DONE_1);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Blowing secure boot efuse...failed.");
+        return ret;
+    }
 
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
     ESP_LOGI(TAG, "Disable JTAG...");
-    new_wdata6 |= EFUSE_RD_DISABLE_JTAG;
+    ret = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_JTAG);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Disable JTAG...failed.");
+        return ret;
+    }
 #else
     ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
 #endif
 
 #ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
     ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
-    new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE;
+    ret = esp_efuse_write_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Disable ROM BASIC interpreter fallback...failed.");
+        return ret;
+    }
 #else
     ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
 #endif
 
 #ifdef CONFIG_SECURE_DISABLE_ROM_DL_MODE
     ESP_LOGI(TAG, "Disable ROM Download mode...");
-    esp_err_t err = esp_efuse_disable_rom_download_mode();
-    if (err != ESP_OK) {
+    ret = esp_efuse_disable_rom_download_mode();
+    if (ret != ESP_OK) {
         ESP_LOGE(TAG, "Could not disable ROM Download mode...");
         return ESP_FAIL;
     }
@@ -411,15 +432,21 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 #endif
     if (rd_dis_now) {
         ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
-        new_wdata0 |= EFUSE_WR_DIS_RD_DIS;
+        ret = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
+        if (ret != ESP_OK) {
+            ESP_LOGE(TAG, "Prevent read disabling of additional efuses...failed.");
+            return ret;
+        }
     }
 #else
     ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
 #endif
 
-    REG_WRITE(EFUSE_BLK0_WDATA0_REG, new_wdata0);
-    REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);
-    esp_efuse_burn_new_values();
+    ret = esp_efuse_batch_write_commit();
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Error programming security eFuses.");
+        return ret;
+    }
     uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG);
     ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA0 0x%08x EFUSE_BLK0_RDATA6 0x%08x",
              REG_READ(EFUSE_BLK0_RDATA0_REG), after);
diff --git a/components/efuse/esp32/esp_efuse_table.c b/components/efuse/esp32/esp_efuse_table.c
@@ -17,7 +17,7 @@
 #include <assert.h>
 #include "esp_efuse_table.h"
 
-// md5_digest_table 11b691b6fa8546a3862a7a876be5f758
+// md5_digest_table 8c9f6537b47cc5b26a1a5896158c612a
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -64,7 +64,11 @@ static const esp_efuse_desc_t SECURE_BOOT_KEY[] = {
 };
 
 static const esp_efuse_desc_t ABS_DONE_0[] = {
-    {EFUSE_BLK0, 196, 1}, 	 // Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0,
+    {EFUSE_BLK0, 196, 1}, 	 // Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0,
+};
+
+static const esp_efuse_desc_t ABS_DONE_1[] = {
+    {EFUSE_BLK0, 197, 1}, 	 // Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1,
 };
 
 static const esp_efuse_desc_t ENCRYPT_FLASH_KEY[] = {
@@ -103,6 +107,10 @@ static const esp_efuse_desc_t UART_DOWNLOAD_DIS[] = {
     {EFUSE_BLK0, 27, 1}, 	 // Disable UART download mode. Valid for ESP32 V3 and newer,
 };
 
+static const esp_efuse_desc_t WR_DIS_EFUSE_RD_DISABLE[] = {
+    {EFUSE_BLK0, 0, 1}, 	 // Write protection for EFUSE_RD_DISABLE,
+};
+
 static const esp_efuse_desc_t WR_DIS_FLASH_CRYPT_CNT[] = {
     {EFUSE_BLK0, 2, 1}, 	 // Flash encrypt. Write protection FLASH_CRYPT_CNT,
 };
@@ -235,7 +243,12 @@ const esp_efuse_desc_t* ESP_EFUSE_SECURE_BOOT_KEY[] = {
 };
 
 const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[] = {
-    &ABS_DONE_0[0],    		// Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0
+    &ABS_DONE_0[0],    		// Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0
+    NULL
+};
+
+const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_1[] = {
+    &ABS_DONE_1[0],    		// Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1
     NULL
 };
 
@@ -284,6 +297,11 @@ const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[] = {
     NULL
 };
 
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[] = {
+    &WR_DIS_EFUSE_RD_DISABLE[0],    		// Write protection for EFUSE_RD_DISABLE
+    NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[] = {
     &WR_DIS_FLASH_CRYPT_CNT[0],    		// Flash encrypt. Write protection FLASH_CRYPT_CNT
     NULL
diff --git a/components/efuse/esp32/esp_efuse_table.csv b/components/efuse/esp32/esp_efuse_table.csv
@@ -29,7 +29,8 @@ MAC_CUSTOM_VER,         EFUSE_BLK3,    184,   8,    Custom MAC version
 # Security boot #
 #################
 SECURE_BOOT_KEY,        EFUSE_BLK2,    0,     MAX_BLK_LEN,   Security boot. Key. (length = "None" - 256. "3/4" - 192. "REPEAT" - 128)
-ABS_DONE_0,             EFUSE_BLK0,    196,   1,     Secure boot is enabled for bootloader image. EFUSE_RD_ABS_DONE_0
+ABS_DONE_0,             EFUSE_BLK0,    196,   1,     Secure boot V1 is enabled for bootloader image. EFUSE_RD_ABS_DONE_0
+ABS_DONE_1,             EFUSE_BLK0,    197,   1,     Secure boot V2 is enabled for bootloader image. EFUSE_RD_ABS_DONE_1
 
 # Flash encrypt #
 #################
@@ -48,6 +49,7 @@ UART_DOWNLOAD_DIS,      EFUSE_BLK0,    27,    1,    Disable UART download mode.
 
 # Write protection #
 ####################
+WR_DIS_EFUSE_RD_DISABLE,EFUSE_BLK0,    0,     1,    Write protection for EFUSE_RD_DISABLE
 WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0,    2,     1,    Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT
 WR_DIS_BLK1,            EFUSE_BLK0,    7,     1,    Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
 WR_DIS_BLK2,            EFUSE_BLK0,    8,     1,    Security boot. Write protection security key. EFUSE_WR_DIS_BLK2
diff --git a/components/efuse/esp32/include/esp_efuse_table.h b/components/efuse/esp32/include/esp_efuse_table.h
@@ -17,7 +17,7 @@ extern "C" {
 #endif
 
 
-// md5_digest_table 11b691b6fa8546a3862a7a876be5f758
+// md5_digest_table 8c9f6537b47cc5b26a1a5896158c612a
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -31,6 +31,7 @@ extern const esp_efuse_desc_t* ESP_EFUSE_MAC_CUSTOM[];
 extern const esp_efuse_desc_t* ESP_EFUSE_MAC_CUSTOM_VER[];
 extern const esp_efuse_desc_t* ESP_EFUSE_SECURE_BOOT_KEY[];
 extern const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_0[];
+extern const esp_efuse_desc_t* ESP_EFUSE_ABS_DONE_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_FLASH_KEY[];
 extern const esp_efuse_desc_t* ESP_EFUSE_ENCRYPT_CONFIG[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_DL_ENCRYPT[];
@@ -40,6 +41,7 @@ extern const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[];
 extern const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK2[];
