From 5979ca3d1438b3090567e56f60724c3bbcdf8933 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Wed, 10 Dec 2025 14:45:57 +0530
Subject: [PATCH] feat(bootloader): add config to force secure boot already init case
Mostly helpful in testing scenarios. The newly added config SECURE_BOOT_REQUIRE_ALREADY_ENABLED will ensure the SB feature must already be enabled, otherwise the bootloader simply fails to boot.
---
 components/bootloader/Kconfig.projbuild | 14 ++++++++++++++
 .../src/secure_boot_v1/secure_boot.c | 14 +++++++++++++-
 .../src/secure_boot_v2/secure_boot.c | 6 ++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index b39cb883e5..c95afd7c6c 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -1050,6 +1050,20 @@ menu "Security features"
 Only set this option in testing environments.
+ config SECURE_BOOT_REQUIRE_ALREADY_ENABLED
+ bool "Require secure boot to be already enabled"
+ depends on SECURE_BOOT_INSECURE
+ default n
+ help
+ If not set (default), and secure boot is not yet enabled in eFuses, the 2nd stage bootloader
+ will enable secure boot: generate the secure boot digest and program eFuses.
+ If this option is set, and secure boot is not yet enabled, the bootloader will error out and
+ reboot.
+ If secure boot is enabled in eFuses, this option does not change the bootloader behavior.
+
+ Only use this option in testing environments, to avoid accidentally enabling secure boot on
+ the wrong device. The device needs to have secure boot already enabled using espefuse.
+
 config SECURE_FLASH_REQUIRE_ALREADY_ENABLED
 bool "Require flash encryption to be already enabled"
 depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
diff --git a/components/bootloader_support/src/secure_boot_v1/secure_boot.c b/components/bootloader_support/src/secure_boot_v1/secure_boot.c
index ce705ef03c..fa22af115a 100644
--- a/components/bootloader_support/src/secure_boot_v1/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot_v1/secure_boot.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -94,6 +94,12 @@ esp_err_t esp_secure_boot_generate_digest(void)
 " No need to generate digest. continuing..");
 return ESP_OK;
 }
+#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
+ else {
+ ESP_LOGE(TAG, "secure boot is not enabled, and SECURE_BOOT_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
+ return ESP_ERR_INVALID_STATE;
+ }
+#endif // CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
 esp_efuse_coding_scheme_t coding_scheme = esp_efuse_get_coding_scheme(EFUSE_BLK_SECURE_BOOT);
 if (coding_scheme != EFUSE_CODING_SCHEME_NONE && coding_scheme != EFUSE_CODING_SCHEME_3_4) {
@@ -149,6 +155,12 @@ esp_err_t esp_secure_boot_permanently_enable(void)
 ESP_LOGI(TAG, "bootloader secure boot is already enabled, continuing..");
 return ESP_OK;
 }
+#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
+ else {
+ ESP_LOGE(TAG, "secure boot is not enabled, and SECURE_BOOT_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
+ return ESP_ERR_INVALID_STATE;
+ }
+#endif // CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
 bool dis_read = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2);
 bool dis_write = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2);
diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot.c b/components/bootloader_support/src/secure_boot_v2/secure_boot.c
index 9bfe03fb8e..73b6a8c4fb 100644
--- a/components/bootloader_support/src/secure_boot_v2/secure_boot.c
+++ b/components/bootloader_support/src/secure_boot_v2/secure_boot.c
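Review bot: The `else` that the new `#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED` block attaches to the preceding `if (esp_secure_boot_enabled())` in both esp_secure_boot_generate_digest and esp_secure_boot_permanently_enable is redundant, because that branch already ends in `return ESP_OK;`, and an `else` separated from its `if` by a preprocessor line is easy to break the next time the lines between them are edited; the same shape is repeated in esp_secure_boot_v2_permanently_enable. A flat guard reads more robustly: drop the `else {` and `}` wrapper and keep only `ESP_LOGE(TAG, "secure boot is not enabled, and SECURE_BOOT_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");` followed by `return ESP_ERR_INVALID_STATE;` between the `#if` and `#endif`. Separately, the log text and the Kconfig help promise that the bootloader refuses to boot or reboots, but these hunks only return ESP_ERR_INVALID_STATE; whether boot actually stops depends on how the bootloader's caller treats a non-ESP_OK result, which is outside this patch and worth confirming, since a caller that merely logs the error and continues would leave the device booting with secure boot still disabled. Both enclosing functions continue past their hunks.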
@@ -363,6 +363,12 @@ esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *imag
 ESP_LOGI(TAG, "secure boot v2 is already enabled, continuing..");
 return ESP_OK;
 }
+#if CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
+ else {
+ ESP_LOGE(TAG, "secure boot is not enabled, and SECURE_BOOT_REQUIRE_ALREADY_ENABLED is set, refusing to boot.");
+ return ESP_ERR_INVALID_STATE;
+ }
+#endif // CONFIG_SECURE_BOOT_REQUIRE_ALREADY_ENABLED
 esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */