Add efuse protection function

This commit is contained in:
Renze Nicolai 2022-05-12 22:41:31 +02:00
parent ccae27506e
commit 0986203a68
16 changed files with 52 additions and 1674 deletions

View file

@ -0,0 +1,6 @@
idf_component_register(
SRCS "esp_efuse_custom_table.c" "efuse.c"
INCLUDE_DIRS "."
"include"
REQUIRES "spi_flash"
)

View file

@ -8,7 +8,38 @@
#include "esp_efuse_table.h" #include "esp_efuse_table.h"
#include "esp_efuse_custom_table.h" #include "esp_efuse_custom_table.h"
void print_state() { static const char *TAG = "efuse";
void halt(const char* reason) {
ESP_LOGE(TAG, "Failed efuse write operation: %s", reason);
while (true) {
vTaskDelay(1000 / portTICK_PERIOD_MS);
}
}
void efuse_protect() {
// XPD settings
if (esp_efuse_write_field_bit(ESP_EFUSE_XPD_SDIO_REG) != ESP_OK) halt("XPD_SDIO_REG"); // Enable the VDD_SDIO voltage regulator
if (esp_efuse_write_field_bit(ESP_EFUSE_SDIO_TIEH) != ESP_OK) halt("SDIO_TIEH"); // Set VDD_SDIO voltage regulator output to 3.3v
if (esp_efuse_write_field_bit(ESP_EFUSE_SDIO_FORCE) != ESP_OK) halt("SDIO_FORCE"); // Enable VDD_SDIO efuse override
// Debug settings
if (esp_efuse_write_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE) != ESP_OK) halt("CONSOLE_DEBUG_DISABLE"); // Disable BASIC ROM console
// Write protect
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT) != ESP_OK) halt("WR_DIS_FLASH_CRYPT_CNT"); // Prevent disabling UART download mode
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_MAC_AND_CHIP_INFO) != ESP_OK) halt("WR_DIS_MAC_AND_CHIP_INFO"); // Prevent writing to MAC address fuses
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_XPD) != ESP_OK) halt("WR_DIS_XPD"); // Write protect XPD settings
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_SPI_PAD) != ESP_OK) halt("WR_DIS_SPI_PAD"); // Pin mapping for SPI flash and PSRAM
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_SCHEME_KEY_CRYPT) != ESP_OK) halt("WR_DIS_SCHEME_KEY_CRYPT"); // Disable flash encryption
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ABS_DONE_0) != ESP_OK) halt("WR_DIS_ABS_DONE_0"); // Disable secure boot V1
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ABS_DONE_1) != ESP_OK) halt("WR_DIS_ABS_DONE_1"); // Disable secure boot V2
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_CONSOLE_DEBUG_AND_DISABLE_DL_CRYPT) != ESP_OK) halt("WR_DIS_CONSOLE_DEBUG_AND_DISABLE_DL_CRYPT"); // Write protect download mode functions
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_BLK3) != ESP_OK) halt("WR_DIS_BLK3"); // Write protect block 3 (to prevent changing MAC version)
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE) != ESP_OK) halt("WR_DIS_EFUSE_RD_DISABLE"); // Write protect read disable and ADC vref
}
void efuse_print_state() {
esp_chip_info_t chip_info; esp_chip_info_t chip_info;
esp_chip_info(&chip_info); esp_chip_info(&chip_info);
uint8_t mac_address[6]; uint8_t mac_address[6];
@ -72,7 +103,3 @@ void print_state() {
printf("Read disabled for EFUSE block 3: %s\n", rd_blk3 ? "yes" : "no"); printf("Read disabled for EFUSE block 3: %s\n", rd_blk3 ? "yes" : "no");
fflush(stdout); fflush(stdout);
} }
void app_main(void) {
print_state();
}

View file

Can't render this file because it contains an unexpected character in line 1 and column 53.

View file

@ -0,0 +1,4 @@
#pragma once
void efuse_print_state();
void efuse_protect();

2
efuse/.gitignore vendored
View file

@ -1,2 +0,0 @@
sdkconfig.old
build

View file

@ -1,6 +0,0 @@
# The following lines of boilerplate have to be in your project's
# CMakeLists in this exact order for cmake to work correctly
cmake_minimum_required(VERSION 3.5)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
project(appfs-test)

View file

@ -1,8 +0,0 @@
#
# This is a project Makefile. It is assumed the directory this Makefile resides in is a
# project subdirectory.
#
PROJECT_NAME := hello-world
include $(IDF_PATH)/make/project.mk

View file

@ -1,39 +0,0 @@
#!/bin/bash
set -e # Exit script on error
if [ "$#" -ne 1 ]; then
echo "Usage: $0 <port>"
exit 1
fi
PORT=$1
echo "Burning e-fuses for MCH2022 badge on port $PORT..."
# Set the flash/psram voltage to 3.3V
espefuse.py --port $PORT --do-not-confirm set_flash_voltage 3.3V # Ignore GPIO12 (MTDI) and force flash/psram voltage (using XPD efuses)
# Write protect the basic system settings
espefuse.py --port $PORT --do-not-confirm write_protect_efuse MAC # Disables writing to MAC, MAC_CRC, CIP_VER_REV1, CHIP_VERSION, CHIP_PACKAGE fuses
espefuse.py --port $PORT --do-not-confirm write_protect_efuse CODING_SCHEME # Disables writing to CODING_SCHEME, KEY_STATUS, FLASH_CRYPT_CONFIG, BLK3_PART_RESERVE
# Write protect the XPD fuses
espefuse.py --port $PORT --do-not-confirm write_protect_efuse XPD_SDIO_FORCE # Disables writing to XPD_SDIO_FORCE, XPD_SDIO_REG and XPD_SDIO_TIEH
# Write protect the SPI pad fuses
espefuse.py --port $PORT --do-not-confirm write_protect_efuse SPI_PAD_CONFIG_CLK # Disables writing to CHIP_VER_REV2 and all SPI_PAD_CONFIG_X fuses
# Write protect the JTAG disable fuse (don't allow people to disable JTAG)
espefuse.py --port $PORT --do-not-confirm write_protect_efuse JTAG_DISABLE
# Disable the BASIC ROM console (it causes problems with waking up from deep sleep)
espefuse.py --port $PORT --do-not-confirm burn_efuse CONSOLE_DEBUG_DISABLE
# Write protect the download mode disable efuse
espefuse.py --port $PORT --do-not-confirm write_protect_efuse UART_DOWNLOAD_DIS # Disables writing to FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS and EFUSE_WR_DIS_FLASH_CRYPT_CNT
# Write protect the secure boot fuses (don't allow people to enable secure boot)
espefuse.py --port $PORT --do-not-confirm write_protect_efuse DISABLE_DL_ENCRYPT # Disables writing to CONSOLE_DEBUG_DISABLE, DISABLE_DL_ENCRYPT, DISABLE_DL_DECRYPT and DISABLE_DL_CACHE
espefuse.py --port $PORT --do-not-confirm write_protect_efuse ABS_DONE_0
espefuse.py --port $PORT --do-not-confirm write_protect_efuse ABS_DONE_1

View file

@ -1,6 +0,0 @@
idf_component_register(
SRCS "main.c"
"esp_efuse_custom_table.c"
INCLUDE_DIRS "."
"include"
)

View file

@ -1,4 +0,0 @@
#
# "main" pseudo-component makefile.
#
# (Uses default behaviour of compiling all source files in directory, adding 'include' to include path.)

View file

@ -1,7 +0,0 @@
# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, 0x9000, 0x4000
otadata, data, ota, 0xd000, 0x2000
phy_init, data, phy, 0xf000, 0x1000
ota_0, 0, ota_0, 0x10000, 1856K
ota_1, 0, ota_1, , 1856K
locfd, data, fat, , 12608K
1 # Name, Type, SubType, Offset, Size, Flags
2 nvs, data, nvs, 0x9000, 0x4000
3 otadata, data, ota, 0xd000, 0x2000
4 phy_init, data, phy, 0xf000, 0x1000
5 ota_0, 0, ota_0, 0x10000, 1856K
6 ota_1, 0, ota_1, , 1856K
7 locfd, data, fat, , 12608K

File diff suppressed because it is too large Load diff

View file

@ -1,16 +0,0 @@
# After editing this file, run the command manually "make efuse_custom_table" or "idf.py efuse_custom_table"
# WR_DIS_EFUSE_RD_DISABLE, EFUSE_BLK0, 0, 1, Write protection for RD_DIS, ADC_VREF
WR_DIS_WR_DIS, EFUSE_BLK0, 1, 1, Write protection for WR_DIS
# WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS
WR_DIS_MAC_AND_CHIP_INFO, EFUSE_BLK0, 3, 1, Write protection for MAC, MAC_CRC, CIP_VER_REV1, CHIP_VERSION, CHIP_PACKAGE
WR_DIS_XPD, EFUSE_BLK0, 5, 1, Write protection for XPD_SDIO_FORCE, XPD_SDIO_REG, XPD_SDIO_TIEH
WR_DIS_SPI_PAD, EFUSE_BLK0, 6, 1, Write protection for CHIP_VER_REV2, SPI_PAD_CONFIG
# WR_DIS_BLK1, EFUSE_BLK0, 7, 1, Write protection for WR_DIS_BLK1
# WR_DIS_BLK2, EFUSE_BLK0, 8, 1, Write protection for WR_DIS_BLK2
# WR_DIS_BLK3, EFUSE_BLK0, 9, 1, Write protection for WR_DIS_BLK3, MAC_VERSION
WR_DIS_SCHEME_KEY_CRYPT, EFUSE_BLK0, 10, 1, Write protection for CODING_SCHEME, KEY_STATUS, FLASH_CRYPT_CONFIG, BLK3_PART_RESERVE
WR_DIS_ABS_DONE_0, EFUSE_BLK0, 12, 1, Write protection for ABS_DONE_0
WR_DIS_ABS_DONE_1, EFUSE_BLK0, 13, 1, Write protection for ABS_DONE_1
WR_DIS_JTAG_DISABLE, EFUSE_BLK0, 14, 1, Write protection for JTAG_DISABLE
WR_DIS_CONSOLE_DEBUG_AND_DISABLE_DL_CRYPT, EFUSE_BLK0, 15, 1, Write protection for CONSOLE_DEBUG_DISABLE, DISABLE_DL
Can't render this file because it contains an unexpected character in line 1 and column 53.

View file

@ -33,6 +33,8 @@
#include "esp32/rom/crc.h" #include "esp32/rom/crc.h"
#include "efuse.h"
static const char *TAG = "main"; static const char *TAG = "main";
typedef enum action { typedef enum action {
@ -282,6 +284,8 @@ void app_main(void) {
/* Initialize hardware */ /* Initialize hardware */
efuse_protect();
bool lcdReady = false; bool lcdReady = false;
res = board_init(&lcdReady); res = board_init(&lcdReady);
@ -299,6 +303,7 @@ void app_main(void) {
BNO055* bno055 = get_bno055(); BNO055* bno055 = get_bno055();
RP2040* rp2040 = get_rp2040(); RP2040* rp2040 = get_rp2040();
/* Start AppFS */
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "AppFS init..."); graphics_task(pax_buffer, ili9341, framebuffer, NULL, "AppFS init...");
res = appfs_init(); res = appfs_init();
if (res != ESP_OK) { if (res != ESP_OK) {
@ -308,6 +313,7 @@ void app_main(void) {
} }
ESP_LOGI(TAG, "AppFS initialized"); ESP_LOGI(TAG, "AppFS initialized");
/* Start NVS */
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "NVS init..."); graphics_task(pax_buffer, ili9341, framebuffer, NULL, "NVS init...");
res = nvs_init(); res = nvs_init();
if (res != ESP_OK) { if (res != ESP_OK) {
@ -317,6 +323,7 @@ void app_main(void) {
} }
ESP_LOGI(TAG, "NVS initialized"); ESP_LOGI(TAG, "NVS initialized");
/* Start SD card */
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "Mount SD card..."); graphics_task(pax_buffer, ili9341, framebuffer, NULL, "Mount SD card...");
res = mount_sd(SD_CMD, SD_CLK, SD_D0, SD_PWR, "/sd", false, 5); res = mount_sd(SD_CMD, SD_CLK, SD_D0, SD_PWR, "/sd", false, 5);
bool sdcard_ready = (res == ESP_OK); bool sdcard_ready = (res == ESP_OK);
@ -325,12 +332,15 @@ void app_main(void) {
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "SD card mounted"); graphics_task(pax_buffer, ili9341, framebuffer, NULL, "SD card mounted");
} }
/* Start LEDs */
ws2812_init(GPIO_LED_DATA); ws2812_init(GPIO_LED_DATA);
uint8_t ledBuffer[15] = {50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0}; uint8_t ledBuffer[15] = {50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0};
ws2812_send_data(ledBuffer, sizeof(ledBuffer)); ws2812_send_data(ledBuffer, sizeof(ledBuffer));
/* Start RP2040 firmware update check */
rp2040_updater(rp2040, pax_buffer, ili9341, framebuffer); rp2040_updater(rp2040, pax_buffer, ili9341, framebuffer);
/* Launcher menu */
while (true) { while (true) {
menu_action_t menu_action; menu_action_t menu_action;
appfs_handle_t appfs_fd; appfs_handle_t appfs_fd;