1 // Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <string.h>
16
17 #include "esp_attr.h"
18 #include "esp_types.h"
19 #include "esp_log.h"
20
21 #include "esp32/rom/cache.h"
22
23 #include "soc/efuse_periph.h"
24 #include "soc/rtc_periph.h"
25 #include "bootloader_sha.h"
26 #include "bootloader_utility.h"
27
28 #include "sdkconfig.h"
29
30 #include "bootloader_flash_priv.h"
31 #include "bootloader_random.h"
32 #include "esp_image_format.h"
33 #include "esp_secure_boot.h"
34 #include "esp_flash_encrypt.h"
35 #include "esp_efuse.h"
36 #include "esp_efuse_table.h"
37
38 /* The following API implementations are used only when called
39 * from the bootloader code.
40 */
41
42 #ifdef CONFIG_SECURE_BOOT_V1_ENABLED
43 static const char *TAG = "secure_boot_v1";
44 /**
45 * @function : secure_boot_generate
46 * @description: generate boot digest (aka "abstract") & iv
47 *
48 * @inputs: image_len - length of image to calculate digest for
49 */
secure_boot_generate(uint32_t image_len)50 static bool secure_boot_generate(uint32_t image_len){
51 esp_err_t err;
52 esp_secure_boot_iv_digest_t digest;
53 const uint32_t *image;
54
55 /* hardware secure boot engine only takes full blocks, so round up the
56 image length. The additional data should all be 0xFF (or the appended SHA, if it falls in the same block).
57 */
58 if (image_len % sizeof(digest.iv) != 0) {
59 image_len = (image_len / sizeof(digest.iv) + 1) * sizeof(digest.iv);
60 }
61 ets_secure_boot_start();
62 ets_secure_boot_rd_iv((uint32_t *)digest.iv);
63 ets_secure_boot_hash(NULL);
64 /* iv stored in sec 0 */
65 err = bootloader_flash_erase_sector(0);
66 if (err != ESP_OK)
67 {
68 ESP_LOGE(TAG, "SPI erase failed: 0x%x", err);
69 return false;
70 }
71
72 /* generate digest from image contents */
73 image = bootloader_mmap(ESP_BOOTLOADER_OFFSET, image_len);
74 if (!image) {
75 ESP_LOGE(TAG, "bootloader_mmap(0x1000, 0x%x) failed", image_len);
76 return false;
77 }
78 for (size_t i = 0; i < image_len; i+= sizeof(digest.iv)) {
79 ets_secure_boot_hash(&image[i/sizeof(uint32_t)]);
80 }
81 bootloader_munmap(image);
82
83 ets_secure_boot_obtain();
84 ets_secure_boot_rd_abstract((uint32_t *)digest.digest);
85 ets_secure_boot_finish();
86
87 ESP_LOGD(TAG, "write iv+digest to flash");
88 err = bootloader_flash_write(FLASH_OFFS_SECURE_BOOT_IV_DIGEST, &digest,
89 sizeof(digest), esp_flash_encryption_enabled());
90 if (err != ESP_OK) {
91 ESP_LOGE(TAG, "SPI write failed: 0x%x", err);
92 return false;
93 }
94 Cache_Read_Enable(0);
95 return true;
96 }
97
esp_secure_boot_generate_digest(void)98 esp_err_t esp_secure_boot_generate_digest(void)
99 {
100 esp_err_t err;
101 if (esp_secure_boot_enabled()) {
102 ESP_LOGI(TAG, "bootloader secure boot is already enabled."
103 " No need to generate digest. continuing..");
104 return ESP_OK;
105 }
106
107 uint32_t coding_scheme = REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_CODING_SCHEME);
108 if (coding_scheme != EFUSE_CODING_SCHEME_VAL_NONE && coding_scheme != EFUSE_CODING_SCHEME_VAL_34) {
109 ESP_LOGE(TAG, "Unknown/unsupported CODING_SCHEME value 0x%x", coding_scheme);
110 return ESP_ERR_NOT_SUPPORTED;
111 }
112
113 /* Verify the bootloader */
114 esp_image_metadata_t bootloader_data = { 0 };
115 err = esp_image_verify_bootloader_data(&bootloader_data);
116 if (err != ESP_OK) {
117 ESP_LOGE(TAG, "bootloader image appears invalid! error %d", err);
118 return err;
119 }
120
121 /* Generate secure boot key and keep in EFUSE */
122 uint32_t dis_reg = REG_READ(EFUSE_BLK0_RDATA0_REG);
123 bool efuse_key_read_protected = dis_reg & EFUSE_RD_DIS_BLK2;
124 bool efuse_key_write_protected = dis_reg & EFUSE_WR_DIS_BLK2;
125 if (efuse_key_read_protected == false
126 && efuse_key_write_protected == false
127 && REG_READ(EFUSE_BLK2_RDATA0_REG) == 0
128 && REG_READ(EFUSE_BLK2_RDATA1_REG) == 0
129 && REG_READ(EFUSE_BLK2_RDATA2_REG) == 0
130 && REG_READ(EFUSE_BLK2_RDATA3_REG) == 0
131 && REG_READ(EFUSE_BLK2_RDATA4_REG) == 0
132 && REG_READ(EFUSE_BLK2_RDATA5_REG) == 0
133 && REG_READ(EFUSE_BLK2_RDATA6_REG) == 0
134 && REG_READ(EFUSE_BLK2_RDATA7_REG) == 0) {
135 ESP_LOGI(TAG, "Generating new secure boot key...");
136 esp_efuse_write_random_key(EFUSE_BLK2_WDATA0_REG);
137 esp_efuse_burn_new_values();
138 } else {
139 ESP_LOGW(TAG, "Using pre-loaded secure boot key in EFUSE block 2");
140 }
141
142 /* Generate secure boot digest using programmed key in EFUSE */
143 ESP_LOGI(TAG, "Generating secure boot digest...");
144 uint32_t image_len = bootloader_data.image_len;
145 if(bootloader_data.image.hash_appended) {
146 /* Secure boot digest doesn't cover the hash */
147 image_len -= ESP_IMAGE_HASH_LEN;
148 }
149 if (false == secure_boot_generate(image_len)){
150 ESP_LOGE(TAG, "secure boot generation failed");
151 return ESP_FAIL;
152 }
153 ESP_LOGI(TAG, "Digest generation complete.");
154
155 return ESP_OK;
156 }
157
esp_secure_boot_permanently_enable(void)158 esp_err_t esp_secure_boot_permanently_enable(void)
159 {
160 uint32_t new_wdata0 = 0;
161 uint32_t new_wdata6 = 0;
162
163 if (esp_secure_boot_enabled()) {
164 ESP_LOGI(TAG, "bootloader secure boot is already enabled, continuing..");
165 return ESP_OK;
166 }
167
168 uint32_t dis_reg = REG_READ(EFUSE_BLK0_RDATA0_REG);
169 bool efuse_key_read_protected = dis_reg & EFUSE_RD_DIS_BLK2;
170 bool efuse_key_write_protected = dis_reg & EFUSE_WR_DIS_BLK2;
171 if (efuse_key_read_protected == false
172 && efuse_key_write_protected == false) {
173 ESP_LOGI(TAG, "Read & write protecting new key...");
174 new_wdata0 = EFUSE_WR_DIS_BLK2 | EFUSE_RD_DIS_BLK2;
175 efuse_key_read_protected = true;
176 efuse_key_write_protected = true;
177 }
178
179 if (!efuse_key_read_protected) {
180 ESP_LOGE(TAG, "Pre-loaded key is not read protected. Refusing to blow secure boot efuse.");
181 return ESP_ERR_INVALID_STATE;
182 }
183 if (!efuse_key_write_protected) {
184 ESP_LOGE(TAG, "Pre-loaded key is not write protected. Refusing to blow secure boot efuse.");
185 return ESP_ERR_INVALID_STATE;
186 }
187
188 ESP_LOGI(TAG, "blowing secure boot efuse...");
189 ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
190
191 new_wdata6 |= EFUSE_RD_ABS_DONE_0;
192
193 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
194 ESP_LOGI(TAG, "Disable JTAG...");
195 new_wdata6 |= EFUSE_RD_DISABLE_JTAG;
196 #else
197 ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
198 #endif
199
200 #ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
201 ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
202 new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE;
203 #else
204 ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
205 #endif
206
207 REG_WRITE(EFUSE_BLK0_WDATA0_REG, new_wdata0);
208 REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);
209 esp_efuse_burn_new_values();
210 uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG);
211 ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA6 %x", after);
212 if (after & EFUSE_RD_ABS_DONE_0) {
213 ESP_LOGI(TAG, "secure boot is now enabled for bootloader image");
214 return ESP_OK;
215 } else {
216 ESP_LOGE(TAG, "secure boot not enabled for bootloader image, EFUSE_RD_ABS_DONE_0 is probably write protected!");
217 return ESP_ERR_INVALID_STATE;
218 }
219 }
220 #elif CONFIG_SECURE_BOOT_V2_ENABLED
221
222 #define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1))
223 static const char *TAG = "secure_boot_v2";
224
validate_signature_block(const ets_secure_boot_signature_t * sig_block,uint8_t * digest)225 static esp_err_t validate_signature_block(const ets_secure_boot_signature_t *sig_block, uint8_t *digest)
226 {
227 uint32_t crc = esp_rom_crc32_le(0, (uint8_t *)sig_block, CRC_SIGN_BLOCK_LEN);
228 if (sig_block->block[0].magic_byte == ETS_SECURE_BOOT_V2_SIGNATURE_MAGIC
229 && sig_block->block[0].block_crc == crc
230 && !memcmp(digest, sig_block->block[0].image_digest, ESP_SECURE_BOOT_DIGEST_LEN)) {
231 ESP_LOGI(TAG, "valid signature block found");
232 return ESP_OK;
233 }
234 return ESP_FAIL;
235 }
236
secure_boot_v2_digest_generate(uint32_t flash_offset,uint32_t flash_size,uint8_t * public_key_digest)237 static esp_err_t secure_boot_v2_digest_generate(uint32_t flash_offset, uint32_t flash_size, uint8_t *public_key_digest)
238 {
239 esp_err_t ret = ESP_FAIL;
240
241 uint8_t image_digest[ESP_SECURE_BOOT_DIGEST_LEN] = {0};
242 size_t sig_block_addr = flash_offset + ALIGN_UP(flash_size, FLASH_SECTOR_SIZE);
243 ret = bootloader_sha256_flash_contents(flash_offset, sig_block_addr - flash_offset, image_digest);
244 if (ret != ESP_OK) {
245 ESP_LOGE(TAG, "error generating image digest, %d", ret);
246 return ret;
247 }
248
249 ESP_LOGD(TAG, "reading signature block");
250 const ets_secure_boot_signature_t *sig_block = bootloader_mmap(sig_block_addr, sizeof(ets_secure_boot_signature_t));
251 if (sig_block == NULL) {
252 ESP_LOGE(TAG, "bootloader_mmap(0x%x, 0x%x) failed", sig_block_addr, sizeof(ets_secure_boot_signature_t));
253 return ret;
254 }
255
256 /* Validating Signature block */
257 ret = validate_signature_block(sig_block, image_digest);
258 if (ret != ESP_OK) {
259 ESP_LOGE(TAG, "signature block (address 0x%x) validation failed %d", sig_block_addr, ret);
260 goto done;
261 }
262
263 /* Verifying Signature block */
264 uint8_t verified_digest[ESP_SECURE_BOOT_DIGEST_LEN] = {0};
265
266 /* Generating the SHA of the public key components in the signature block */
267 bootloader_sha256_handle_t sig_block_sha;
268 sig_block_sha = bootloader_sha256_start();
269 bootloader_sha256_data(sig_block_sha, &sig_block->block[0].key, sizeof(sig_block->block[0].key));
270 bootloader_sha256_finish(sig_block_sha, public_key_digest);
271
272 secure_boot_v2_status_t error;
273 error = ets_secure_boot_verify_signature(sig_block, image_digest, public_key_digest, verified_digest);
274 if (error != SBV2_SUCCESS) {
275 ESP_LOGE(TAG, "secure boot v2 verification failed %d", error);
276 ret = ESP_FAIL;
277 goto done;
278 } else {
279 ret = ESP_OK;
280 }
281
282 done:
283 bootloader_munmap(sig_block);
284 return ret;
285 }
286
esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t * image_data)287 esp_err_t esp_secure_boot_v2_permanently_enable(const esp_image_metadata_t *image_data)
288 {
289 ESP_LOGI(TAG, "enabling secure boot v2...");
290 esp_err_t ret;
291 if (esp_secure_boot_enabled()) {
292 ESP_LOGI(TAG, "secure boot v2 is already enabled. Continuing..");
293 return ESP_OK;
294 }
295
296 ret = esp_efuse_batch_write_begin();
297 if (ret != ESP_OK) {
298 ESP_LOGE(TAG, "Error batch programming security eFuses.");
299 return ret;
300 }
301
302 uint32_t coding_scheme = REG_GET_FIELD(EFUSE_BLK0_RDATA6_REG, EFUSE_CODING_SCHEME);
303 if (coding_scheme != EFUSE_CODING_SCHEME_VAL_NONE) {
304 ESP_LOGE(TAG, "No coding schemes are supported in secure boot v2.(Detected scheme: 0x%x)", coding_scheme);
305 return ESP_ERR_NOT_SUPPORTED;
306 }
307
308 /* Verify the bootloader */
309 esp_image_metadata_t bootloader_data = { 0 };
310 ret = esp_image_verify_bootloader_data(&bootloader_data);
311 if (ret != ESP_OK) {
312 ESP_LOGE(TAG, "bootloader image appears invalid! error %d", ret);
313 return ret;
314 }
315
316 uint8_t boot_pub_key_digest[ESP_SECURE_BOOT_DIGEST_LEN];
317 uint32_t dis_reg = REG_READ(EFUSE_BLK0_RDATA0_REG);
318 bool efuse_key_read_protected = dis_reg & EFUSE_RD_DIS_BLK2;
319 bool efuse_key_write_protected = dis_reg & EFUSE_WR_DIS_BLK2;
320 uint32_t efuse_blk2_r0, efuse_blk2_r1, efuse_blk2_r2, efuse_blk2_r3, efuse_blk2_r4, efuse_blk2_r5, efuse_blk2_r6, efuse_blk2_r7;
321 efuse_blk2_r0 = REG_READ(EFUSE_BLK2_RDATA0_REG);
322 efuse_blk2_r1 = REG_READ(EFUSE_BLK2_RDATA1_REG);
323 efuse_blk2_r2 = REG_READ(EFUSE_BLK2_RDATA2_REG);
324 efuse_blk2_r3 = REG_READ(EFUSE_BLK2_RDATA3_REG);
325 efuse_blk2_r4 = REG_READ(EFUSE_BLK2_RDATA4_REG);
326 efuse_blk2_r5 = REG_READ(EFUSE_BLK2_RDATA5_REG);
327 efuse_blk2_r6 = REG_READ(EFUSE_BLK2_RDATA6_REG);
328 efuse_blk2_r7 = REG_READ(EFUSE_BLK2_RDATA7_REG);
329
330 if (efuse_key_read_protected == true) {
331 ESP_LOGE(TAG, "Secure Boot v2 digest(BLK2) read protected, aborting....");
332 return ESP_FAIL;
333 }
334
335 if (efuse_key_write_protected == false
336 && efuse_blk2_r0 == 0 && efuse_blk2_r1 == 0
337 && efuse_blk2_r2 == 0 && efuse_blk2_r3 == 0
338 && efuse_blk2_r4 == 0 && efuse_blk2_r5 == 0
339 && efuse_blk2_r6 == 0 && efuse_blk2_r7 == 0) {
340 /* Verifies the signature block appended to the image matches with the signature block of the app to be loaded */
341 ret = secure_boot_v2_digest_generate(bootloader_data.start_addr, bootloader_data.image_len - SIG_BLOCK_PADDING, boot_pub_key_digest);
342 if (ret != ESP_OK) {
343 ESP_LOGE(TAG, "Public key digest generation failed");
344 return ret;
345 }
346
347 ESP_LOGI(TAG, "Burning public key hash to efuse.");
348 ret = esp_efuse_write_block(EFUSE_BLK2, boot_pub_key_digest, 0, (ESP_SECURE_BOOT_DIGEST_LEN * 8));
349 if (ret != ESP_OK) {
350 ESP_LOGE(TAG, "Writing public key hash to efuse failed.");
351 return ret;
352 }
353
354 } else {
355 uint32_t efuse_blk2_digest[8];
356 efuse_blk2_digest[0] = efuse_blk2_r0;
357 efuse_blk2_digest[1] = efuse_blk2_r1;
358 efuse_blk2_digest[2] = efuse_blk2_r2;
359 efuse_blk2_digest[3] = efuse_blk2_r3;
360 efuse_blk2_digest[4] = efuse_blk2_r4;
361 efuse_blk2_digest[5] = efuse_blk2_r5;
362 efuse_blk2_digest[6] = efuse_blk2_r6;
363 efuse_blk2_digest[7] = efuse_blk2_r7;
364 memcpy(boot_pub_key_digest, efuse_blk2_digest, ESP_SECURE_BOOT_DIGEST_LEN);
365 ESP_LOGW(TAG, "Using pre-loaded secure boot v2 public key digest in EFUSE block 2");
366 }
367
368 if (efuse_key_write_protected == false) {
369 ESP_LOGI(TAG, "Write protecting public key digest...");
370 ret = esp_efuse_set_write_protect(EFUSE_BLK2);
371 if (ret != ESP_OK) {
372 ESP_LOGE(TAG, "Write protecting public key digest...failed.");
373 return ret;
374 }
375 efuse_key_write_protected = true;
376 }
377
378 uint8_t app_pub_key_digest[ESP_SECURE_BOOT_DIGEST_LEN];
379 ret = secure_boot_v2_digest_generate(image_data->start_addr, image_data->image_len - SIG_BLOCK_PADDING, app_pub_key_digest);
380 if (ret != ESP_OK) {
381 ESP_LOGE(TAG, "Application signature block is invalid.");
382 return ret;
383 }
384
385 /* Confirming if the public key in the bootloader's signature block matches with the one in the application's signature block */
386 if (memcmp(boot_pub_key_digest, app_pub_key_digest, ESP_SECURE_BOOT_DIGEST_LEN) != 0) {
387 ESP_LOGE(TAG, "Application not signed with a valid private key.");
388 return ESP_FAIL;
389 }
390
391 if (efuse_key_read_protected) {
392 ESP_LOGE(TAG, "Efuse BLK2 (public key digest) is read protected. Refusing to blow secure boot efuse.");
393 return ESP_ERR_INVALID_STATE;
394 }
395 if (!efuse_key_write_protected) {
396 ESP_LOGE(TAG, "Efuse BLK2 (public key digest) is not write protected. Refusing to blow secure boot efuse.");
397 return ESP_ERR_INVALID_STATE;
398 }
399
400 ESP_LOGI(TAG, "blowing secure boot efuse...");
401 ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
402
403 ret = esp_efuse_write_field_bit(ESP_EFUSE_ABS_DONE_1);
404 if (ret != ESP_OK) {
405 ESP_LOGE(TAG, "Blowing secure boot efuse...failed.");
406 return ret;
407 }
408
409 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
410 ESP_LOGI(TAG, "Disable JTAG...");
411 ret = esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_JTAG);
412 if (ret != ESP_OK) {
413 ESP_LOGE(TAG, "Disable JTAG...failed.");
414 return ret;
415 }
416 #else
417 ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
418 #endif
419
420 #ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
421 ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
422 ret = esp_efuse_write_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
423 if (ret != ESP_OK) {
424 ESP_LOGE(TAG, "Disable ROM BASIC interpreter fallback...failed.");
425 return ret;
426 }
427 #else
428 ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
429 #endif
430
431 #ifdef CONFIG_SECURE_DISABLE_ROM_DL_MODE
432 ESP_LOGI(TAG, "Disable ROM Download mode...");
433 ret = esp_efuse_disable_rom_download_mode();
434 if (ret != ESP_OK) {
435 ESP_LOGE(TAG, "Could not disable ROM Download mode...");
436 return ESP_FAIL;
437 }
438 #else
439 ESP_LOGW(TAG, "Not disabling ROM Download mode - SECURITY COMPROMISED");
440 #endif
441
442 #ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
443 bool rd_dis_now = true;
444 #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
445 /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot
446 when Flash Encryption is being enabled */
447 rd_dis_now = esp_flash_encryption_enabled();
448 #endif
449 if (rd_dis_now) {
450 ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
451 ret = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
452 if (ret != ESP_OK) {
453 ESP_LOGE(TAG, "Prevent read disabling of additional efuses...failed.");
454 return ret;
455 }
456 }
457 #else
458 ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
459 #endif
460
461 ret = esp_efuse_batch_write_commit();
462 if (ret != ESP_OK) {
463 ESP_LOGE(TAG, "Error programming security eFuses.");
464 return ret;
465 }
466 uint32_t after = REG_READ(EFUSE_BLK0_RDATA6_REG);
467 ESP_LOGD(TAG, "after updating, EFUSE_BLK0_RDATA0 0x%08x EFUSE_BLK0_RDATA6 0x%08x",
468 REG_READ(EFUSE_BLK0_RDATA0_REG), after);
469 if (after & EFUSE_RD_ABS_DONE_1) {
470 ESP_LOGI(TAG, "secure boot v2 is now enabled.");
471 return ESP_OK;
472 } else {
473 ESP_LOGE(TAG, " secure boot v2 not enabled, EFUSE_RD_ABS_DONE_1 is probably write protected!");
474 return ESP_ERR_INVALID_STATE;
475 }
476 }
477
478 #endif // CONFIG_SECURE_BOOT_V2_ENABLED
479