Merge branch 'feat/secure_boot_externally_init_case' into 'master'

feat(bootloader): add config to force secure boot already init case

See merge request espressif/esp-idf!44107
Mahavir Jain
2025-12-30 14:12:11 +05:30
3 changed files with 33 additions and 1 deletions
@@ -1050,6 +1050,20 @@ menu "Security features"
Only set this option in testing environments.
config SECURE_BOOT_REQUIRE_ALREADY_ENABLED
bool "Require secure boot to be already enabled"
depends on SECURE_BOOT_INSECURE
default n
help
If not set (default), and secure boot is not yet enabled in eFuses, the 2nd stage bootloader
will enable secure boot: generate the secure boot digest and program eFuses.
If this option is set, and secure boot is not yet enabled, the bootloader will error out and
reboot.
If secure boot is enabled in eFuses, this option does not change the bootloader behavior.
Only use this option in testing environments, to avoid accidentally enabling secure boot on
the wrong device. The device needs to have secure boot already enabled using espefuse.
config SECURE_FLASH_REQUIRE_ALREADY_ENABLED
bool "Require flash encryption to be already enabled"
depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
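Review bot: The help text `If this option is set, and secure boot is not yet enabled, the bootloader will error out and reboot.` promises a reboot, but the C hunks in this commit only log and return `ESP_ERR_INVALID_STATE`; whether the device then resets, halts or falls through is decided by the callers, which are outside this diff. If those callers do reset on this error the wording is fine; otherwise phrase it as `the bootloader will refuse to continue booting` so the documented behaviour is what the option itself guarantees. It is also worth stating that the check is honoured by both the secure boot v1 and v2 paths, since both are patched in this commit, so a reader of the option knows it is not v1-only.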
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -94,6 +94,12 @@ esp_err_t esp_secure_boot_generate_digest(void)
" No need to generate digest. continuing..");
return ESP_OK;
}
#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
else {
ESP_LOGE(TAG, "secure boot is not enabled, and SECURE_BOOT_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
return ESP_ERR_INVALID_STATE;
}
#endif // CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
esp_efuse_coding_scheme_t coding_scheme = esp_efuse_get_coding_scheme(EFUSE_BLK_SECURE_BOOT);
if (coding_scheme != EFUSE_CODING_SCHEME_NONE && coding_scheme != EFUSE_CODING_SCHEME_3_4) {
@@ -149,6 +155,12 @@ esp_err_t esp_secure_boot_permanently_enable(void)
ESP_LOGI(TAG, "bootloader secure boot is already enabled, continuing..");
return ESP_OK;
}
#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
else {
ESP_LOGE(TAG, "secure boot is not enabled, and SECURE_BOOT_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
return ESP_ERR_INVALID_STATE;
}
#endif // CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
bool dis_read = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2);
bool dis_write = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2);
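Review bot: The `else {` that follows a block ending in `return ESP_OK;` is redundant in both new hunks of this file, and wrapping an `else` branch in `#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED` splits one if/else statement across a preprocessor conditional: any statement or comment later inserted between the closing brace and the `#if` compiles fine in the default build and breaks only when the option is enabled. Dropping the `else {` and `}` lines and keeping `ESP_LOGE(...)` and `return ESP_ERR_INVALID_STATE;` directly under the `#if` reads as a plain guard clause with the same behaviour and no such coupling. The identical block appears a third time in `esp_secure_boot_v2_permanently_enable` in the next file; if the v1 and v2 sources share a header, a single `static inline` helper there would keep the message and return code in sync across the three sites. The enclosing functions `esp_secure_boot_generate_digest` and `esp_secure_boot_permanently_enable` both start and end outside these hunks.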
@@ -363,6 +363,12 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
ESP_LOGI(TAG, "secure boot v2 is already enabled, continuing..");
return ESP_OK;
}
#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
else {
ESP_LOGE(TAG, "secure boot is not enabled, and SECURE_BOOT_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
return ESP_ERR_INVALID_STATE;
}
#endif // CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */
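Review bot: The new guard carries no comment explaining why a bootloader would refuse to enable the very feature it is about to enable, so the intent is only discoverable through the Kconfig help text. A one-line why-comment above the `#if`, such as `/* Test-only guard: never burn secure boot eFuses on a device that was not provisioned externally; see CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED. */`, would make the early return self-explanatory at all three sites (the two in the v1 file as well). The log text `refusing to boot` slightly overstates what this function does, which is to return `ESP_ERR_INVALID_STATE` before `esp_efuse_batch_write_begin()`; the decision to stop booting presumably lies with the caller, outside this hunk. `esp_secure_boot_v2_permanently_enable` starts and ends outside the hunk.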