Add efuse protection function
This commit is contained in:
parent
ccae27506e
commit
0986203a68
16 changed files with 52 additions and 1674 deletions
6
components/mch2022-efuse/CMakeLists.txt
Normal file
6
components/mch2022-efuse/CMakeLists.txt
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
idf_component_register(
|
||||||
|
SRCS "esp_efuse_custom_table.c" "efuse.c"
|
||||||
|
INCLUDE_DIRS "."
|
||||||
|
"include"
|
||||||
|
REQUIRES "spi_flash"
|
||||||
|
)
|
|
@ -8,7 +8,38 @@
|
||||||
#include "esp_efuse_table.h"
|
#include "esp_efuse_table.h"
|
||||||
#include "esp_efuse_custom_table.h"
|
#include "esp_efuse_custom_table.h"
|
||||||
|
|
||||||
void print_state() {
|
static const char *TAG = "efuse";
|
||||||
|
|
||||||
|
void halt(const char* reason) {
|
||||||
|
ESP_LOGE(TAG, "Failed efuse write operation: %s", reason);
|
||||||
|
while (true) {
|
||||||
|
vTaskDelay(1000 / portTICK_PERIOD_MS);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void efuse_protect() {
|
||||||
|
// XPD settings
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_XPD_SDIO_REG) != ESP_OK) halt("XPD_SDIO_REG"); // Enable the VDD_SDIO voltage regulator
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_SDIO_TIEH) != ESP_OK) halt("SDIO_TIEH"); // Set VDD_SDIO voltage regulator output to 3.3v
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_SDIO_FORCE) != ESP_OK) halt("SDIO_FORCE"); // Enable VDD_SDIO efuse override
|
||||||
|
|
||||||
|
// Debug settings
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE) != ESP_OK) halt("CONSOLE_DEBUG_DISABLE"); // Disable BASIC ROM console
|
||||||
|
|
||||||
|
// Write protect
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT) != ESP_OK) halt("WR_DIS_FLASH_CRYPT_CNT"); // Prevent disabling UART download mode
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_MAC_AND_CHIP_INFO) != ESP_OK) halt("WR_DIS_MAC_AND_CHIP_INFO"); // Prevent writing to MAC address fuses
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_XPD) != ESP_OK) halt("WR_DIS_XPD"); // Write protect XPD settings
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_SPI_PAD) != ESP_OK) halt("WR_DIS_SPI_PAD"); // Pin mapping for SPI flash and PSRAM
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_SCHEME_KEY_CRYPT) != ESP_OK) halt("WR_DIS_SCHEME_KEY_CRYPT"); // Disable flash encryption
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ABS_DONE_0) != ESP_OK) halt("WR_DIS_ABS_DONE_0"); // Disable secure boot V1
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ABS_DONE_1) != ESP_OK) halt("WR_DIS_ABS_DONE_1"); // Disable secure boot V2
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_CONSOLE_DEBUG_AND_DISABLE_DL_CRYPT) != ESP_OK) halt("WR_DIS_CONSOLE_DEBUG_AND_DISABLE_DL_CRYPT"); // Write protect download mode functions
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_BLK3) != ESP_OK) halt("WR_DIS_BLK3"); // Write protect block 3 (to prevent changing MAC version)
|
||||||
|
if (esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE) != ESP_OK) halt("WR_DIS_EFUSE_RD_DISABLE"); // Write protect read disable and ADC vref
|
||||||
|
}
|
||||||
|
|
||||||
|
void efuse_print_state() {
|
||||||
esp_chip_info_t chip_info;
|
esp_chip_info_t chip_info;
|
||||||
esp_chip_info(&chip_info);
|
esp_chip_info(&chip_info);
|
||||||
uint8_t mac_address[6];
|
uint8_t mac_address[6];
|
||||||
|
@ -72,7 +103,3 @@ void print_state() {
|
||||||
printf("Read disabled for EFUSE block 3: %s\n", rd_blk3 ? "yes" : "no");
|
printf("Read disabled for EFUSE block 3: %s\n", rd_blk3 ? "yes" : "no");
|
||||||
fflush(stdout);
|
fflush(stdout);
|
||||||
}
|
}
|
||||||
|
|
||||||
void app_main(void) {
|
|
||||||
print_state();
|
|
||||||
}
|
|
Can't render this file because it contains an unexpected character in line 1 and column 53.
|
4
components/mch2022-efuse/include/efuse.h
Normal file
4
components/mch2022-efuse/include/efuse.h
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
void efuse_print_state();
|
||||||
|
void efuse_protect();
|
2
efuse/.gitignore
vendored
2
efuse/.gitignore
vendored
|
@ -1,2 +0,0 @@
|
||||||
sdkconfig.old
|
|
||||||
build
|
|
|
@ -1,6 +0,0 @@
|
||||||
# The following lines of boilerplate have to be in your project's
|
|
||||||
# CMakeLists in this exact order for cmake to work correctly
|
|
||||||
cmake_minimum_required(VERSION 3.5)
|
|
||||||
|
|
||||||
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
|
|
||||||
project(appfs-test)
|
|
|
@ -1,8 +0,0 @@
|
||||||
#
|
|
||||||
# This is a project Makefile. It is assumed the directory this Makefile resides in is a
|
|
||||||
# project subdirectory.
|
|
||||||
#
|
|
||||||
|
|
||||||
PROJECT_NAME := hello-world
|
|
||||||
|
|
||||||
include $(IDF_PATH)/make/project.mk
|
|
|
@ -1,39 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -e # Exit script on error
|
|
||||||
|
|
||||||
if [ "$#" -ne 1 ]; then
|
|
||||||
echo "Usage: $0 <port>"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
PORT=$1
|
|
||||||
|
|
||||||
echo "Burning e-fuses for MCH2022 badge on port $PORT..."
|
|
||||||
|
|
||||||
# Set the flash/psram voltage to 3.3V
|
|
||||||
espefuse.py --port $PORT --do-not-confirm set_flash_voltage 3.3V # Ignore GPIO12 (MTDI) and force flash/psram voltage (using XPD efuses)
|
|
||||||
|
|
||||||
# Write protect the basic system settings
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse MAC # Disables writing to MAC, MAC_CRC, CIP_VER_REV1, CHIP_VERSION, CHIP_PACKAGE fuses
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse CODING_SCHEME # Disables writing to CODING_SCHEME, KEY_STATUS, FLASH_CRYPT_CONFIG, BLK3_PART_RESERVE
|
|
||||||
|
|
||||||
# Write protect the XPD fuses
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse XPD_SDIO_FORCE # Disables writing to XPD_SDIO_FORCE, XPD_SDIO_REG and XPD_SDIO_TIEH
|
|
||||||
|
|
||||||
# Write protect the SPI pad fuses
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse SPI_PAD_CONFIG_CLK # Disables writing to CHIP_VER_REV2 and all SPI_PAD_CONFIG_X fuses
|
|
||||||
|
|
||||||
# Write protect the JTAG disable fuse (don't allow people to disable JTAG)
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse JTAG_DISABLE
|
|
||||||
|
|
||||||
# Disable the BASIC ROM console (it causes problems with waking up from deep sleep)
|
|
||||||
espefuse.py --port $PORT --do-not-confirm burn_efuse CONSOLE_DEBUG_DISABLE
|
|
||||||
|
|
||||||
# Write protect the download mode disable efuse
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse UART_DOWNLOAD_DIS # Disables writing to FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS and EFUSE_WR_DIS_FLASH_CRYPT_CNT
|
|
||||||
|
|
||||||
# Write protect the secure boot fuses (don't allow people to enable secure boot)
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse DISABLE_DL_ENCRYPT # Disables writing to CONSOLE_DEBUG_DISABLE, DISABLE_DL_ENCRYPT, DISABLE_DL_DECRYPT and DISABLE_DL_CACHE
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse ABS_DONE_0
|
|
||||||
espefuse.py --port $PORT --do-not-confirm write_protect_efuse ABS_DONE_1
|
|
|
@ -1,6 +0,0 @@
|
||||||
idf_component_register(
|
|
||||||
SRCS "main.c"
|
|
||||||
"esp_efuse_custom_table.c"
|
|
||||||
INCLUDE_DIRS "."
|
|
||||||
"include"
|
|
||||||
)
|
|
|
@ -1,4 +0,0 @@
|
||||||
#
|
|
||||||
# "main" pseudo-component makefile.
|
|
||||||
#
|
|
||||||
# (Uses default behaviour of compiling all source files in directory, adding 'include' to include path.)
|
|
|
@ -1,7 +0,0 @@
|
||||||
# Name, Type, SubType, Offset, Size, Flags
|
|
||||||
nvs, data, nvs, 0x9000, 0x4000
|
|
||||||
otadata, data, ota, 0xd000, 0x2000
|
|
||||||
phy_init, data, phy, 0xf000, 0x1000
|
|
||||||
ota_0, 0, ota_0, 0x10000, 1856K
|
|
||||||
ota_1, 0, ota_1, , 1856K
|
|
||||||
locfd, data, fat, , 12608K
|
|
|
1581
efuse/sdkconfig
1581
efuse/sdkconfig
File diff suppressed because it is too large
Load diff
|
@ -1,16 +0,0 @@
|
||||||
# After editing this file, run the command manually "make efuse_custom_table" or "idf.py efuse_custom_table"
|
|
||||||
|
|
||||||
# WR_DIS_EFUSE_RD_DISABLE, EFUSE_BLK0, 0, 1, Write protection for RD_DIS, ADC_VREF
|
|
||||||
WR_DIS_WR_DIS, EFUSE_BLK0, 1, 1, Write protection for WR_DIS
|
|
||||||
# WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0, 2, 1, Write protection for FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS
|
|
||||||
WR_DIS_MAC_AND_CHIP_INFO, EFUSE_BLK0, 3, 1, Write protection for MAC, MAC_CRC, CIP_VER_REV1, CHIP_VERSION, CHIP_PACKAGE
|
|
||||||
WR_DIS_XPD, EFUSE_BLK0, 5, 1, Write protection for XPD_SDIO_FORCE, XPD_SDIO_REG, XPD_SDIO_TIEH
|
|
||||||
WR_DIS_SPI_PAD, EFUSE_BLK0, 6, 1, Write protection for CHIP_VER_REV2, SPI_PAD_CONFIG
|
|
||||||
# WR_DIS_BLK1, EFUSE_BLK0, 7, 1, Write protection for WR_DIS_BLK1
|
|
||||||
# WR_DIS_BLK2, EFUSE_BLK0, 8, 1, Write protection for WR_DIS_BLK2
|
|
||||||
# WR_DIS_BLK3, EFUSE_BLK0, 9, 1, Write protection for WR_DIS_BLK3, MAC_VERSION
|
|
||||||
WR_DIS_SCHEME_KEY_CRYPT, EFUSE_BLK0, 10, 1, Write protection for CODING_SCHEME, KEY_STATUS, FLASH_CRYPT_CONFIG, BLK3_PART_RESERVE
|
|
||||||
WR_DIS_ABS_DONE_0, EFUSE_BLK0, 12, 1, Write protection for ABS_DONE_0
|
|
||||||
WR_DIS_ABS_DONE_1, EFUSE_BLK0, 13, 1, Write protection for ABS_DONE_1
|
|
||||||
WR_DIS_JTAG_DISABLE, EFUSE_BLK0, 14, 1, Write protection for JTAG_DISABLE
|
|
||||||
WR_DIS_CONSOLE_DEBUG_AND_DISABLE_DL_CRYPT, EFUSE_BLK0, 15, 1, Write protection for CONSOLE_DEBUG_DISABLE, DISABLE_DL
|
|
Can't render this file because it contains an unexpected character in line 1 and column 53.
|
10
main/main.c
10
main/main.c
|
@ -33,6 +33,8 @@
|
||||||
|
|
||||||
#include "esp32/rom/crc.h"
|
#include "esp32/rom/crc.h"
|
||||||
|
|
||||||
|
#include "efuse.h"
|
||||||
|
|
||||||
static const char *TAG = "main";
|
static const char *TAG = "main";
|
||||||
|
|
||||||
typedef enum action {
|
typedef enum action {
|
||||||
|
@ -282,6 +284,8 @@ void app_main(void) {
|
||||||
|
|
||||||
/* Initialize hardware */
|
/* Initialize hardware */
|
||||||
|
|
||||||
|
efuse_protect();
|
||||||
|
|
||||||
bool lcdReady = false;
|
bool lcdReady = false;
|
||||||
res = board_init(&lcdReady);
|
res = board_init(&lcdReady);
|
||||||
|
|
||||||
|
@ -299,6 +303,7 @@ void app_main(void) {
|
||||||
BNO055* bno055 = get_bno055();
|
BNO055* bno055 = get_bno055();
|
||||||
RP2040* rp2040 = get_rp2040();
|
RP2040* rp2040 = get_rp2040();
|
||||||
|
|
||||||
|
/* Start AppFS */
|
||||||
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "AppFS init...");
|
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "AppFS init...");
|
||||||
res = appfs_init();
|
res = appfs_init();
|
||||||
if (res != ESP_OK) {
|
if (res != ESP_OK) {
|
||||||
|
@ -308,6 +313,7 @@ void app_main(void) {
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "AppFS initialized");
|
ESP_LOGI(TAG, "AppFS initialized");
|
||||||
|
|
||||||
|
/* Start NVS */
|
||||||
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "NVS init...");
|
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "NVS init...");
|
||||||
res = nvs_init();
|
res = nvs_init();
|
||||||
if (res != ESP_OK) {
|
if (res != ESP_OK) {
|
||||||
|
@ -317,6 +323,7 @@ void app_main(void) {
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "NVS initialized");
|
ESP_LOGI(TAG, "NVS initialized");
|
||||||
|
|
||||||
|
/* Start SD card */
|
||||||
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "Mount SD card...");
|
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "Mount SD card...");
|
||||||
res = mount_sd(SD_CMD, SD_CLK, SD_D0, SD_PWR, "/sd", false, 5);
|
res = mount_sd(SD_CMD, SD_CLK, SD_D0, SD_PWR, "/sd", false, 5);
|
||||||
bool sdcard_ready = (res == ESP_OK);
|
bool sdcard_ready = (res == ESP_OK);
|
||||||
|
@ -325,12 +332,15 @@ void app_main(void) {
|
||||||
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "SD card mounted");
|
graphics_task(pax_buffer, ili9341, framebuffer, NULL, "SD card mounted");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Start LEDs */
|
||||||
ws2812_init(GPIO_LED_DATA);
|
ws2812_init(GPIO_LED_DATA);
|
||||||
uint8_t ledBuffer[15] = {50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0};
|
uint8_t ledBuffer[15] = {50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0, 50, 0, 0};
|
||||||
ws2812_send_data(ledBuffer, sizeof(ledBuffer));
|
ws2812_send_data(ledBuffer, sizeof(ledBuffer));
|
||||||
|
|
||||||
|
/* Start RP2040 firmware update check */
|
||||||
rp2040_updater(rp2040, pax_buffer, ili9341, framebuffer);
|
rp2040_updater(rp2040, pax_buffer, ili9341, framebuffer);
|
||||||
|
|
||||||
|
/* Launcher menu */
|
||||||
while (true) {
|
while (true) {
|
||||||
menu_action_t menu_action;
|
menu_action_t menu_action;
|
||||||
appfs_handle_t appfs_fd;
|
appfs_handle_t appfs_fd;
|
||||||
|
|
Loading…
Reference in a new issue