Merge branch 'feature/security_add_all_secure_example' into 'master'

Feature/security add all secure example Closes IDF-1977 See merge request espressif/esp-idf!29554
espressif · Jun 27, 2024 · 8c6e97b · 8c6e97b
2 parents 92b4231 + 40059de
commit 8c6e97b
Show file tree

Hide file tree

Showing 23 changed files with 934 additions and 44 deletions.
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
@@ -357,23 +357,48 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
         ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
     }
 #endif
+    bool soft_dis_jtag_complete = false;
+#if SOC_EFUSE_SOFT_DIS_JTAG
+    size_t soft_dis_jtag_cnt_val = 0;
+    esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
+    soft_dis_jtag_complete = (soft_dis_jtag_cnt_val == ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count);
+    if (soft_dis_jtag_complete) {
+        bool hmac_key_found = false;
+        hmac_key_found = esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG, NULL);
+        hmac_key_found |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL, NULL);
+        if (!hmac_key_found) {
+            ESP_LOGW(TAG, "SOFT_DIS_JTAG is set but HMAC key with respective purpose not found");
+            soft_dis_jtag_complete = false;
+        }
+    }
+#endif
 
+    if (!soft_dis_jtag_complete) {
 #if SOC_EFUSE_DIS_PAD_JTAG
-    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
-    result &= secure;
-    if (!secure) {
-        ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
-    }
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
+        }
 #endif
 
 #if SOC_EFUSE_DIS_USB_JTAG
-    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
-    result &= secure;
-    if (!secure) {
-        ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
-    }
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
+        }
 #endif
 
+#if SOC_EFUSE_HARD_DIS_JTAG
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
+        }
+#endif
+    }
+
 #if SOC_EFUSE_DIS_DIRECT_BOOT
     secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
     result &= secure;
@@ -382,14 +407,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
     }
 #endif
 
-#if SOC_EFUSE_HARD_DIS_JTAG
-    secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
-    result &= secure;
-    if (!secure) {
-        ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
-    }
-#endif
-
 #if SOC_EFUSE_DIS_BOOT_REMAP
     secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
     result &= secure;

diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -298,38 +298,47 @@ bool esp_secure_boot_cfg_verify_release_mode(void)
     }
 #endif
 
-#if SOC_EFUSE_HARD_DIS_JTAG
-    secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
-    result &= secure;
-    if (!secure) {
-        ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
-    }
-#endif
-
+    bool soft_dis_jtag_complete = false;
 #if SOC_EFUSE_SOFT_DIS_JTAG
     size_t soft_dis_jtag_cnt_val = 0;
     esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
-    if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) {
-        result &= secure;
-        ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)");
+    soft_dis_jtag_complete = (soft_dis_jtag_cnt_val == ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count);
+    if (soft_dis_jtag_complete) {
+        bool hmac_key_found = false;
+            hmac_key_found = esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG, NULL);
+            hmac_key_found |= esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL, NULL);
+        if (!hmac_key_found) {
+            ESP_LOGW(TAG, "SOFT_DIS_JTAG is set but HMAC key with respective purpose not found");
+            soft_dis_jtag_complete = false;
+        }
     }
 #endif
 
+    if (!soft_dis_jtag_complete) {
+#if SOC_EFUSE_HARD_DIS_JTAG
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
+        }
+#endif
+
 #if SOC_EFUSE_DIS_PAD_JTAG
-    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
-    result &= secure;
-    if (!secure) {
-        ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
-    }
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
+        }
 #endif
 
 #if SOC_EFUSE_DIS_USB_JTAG
-    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
-    result &= secure;
-    if (!secure) {
-        ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
-    }
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
+        }
 #endif
+    }
 
 #ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
     secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);

diff --git a/examples/security/.build-test-rules.yml b/examples/security/.build-test-rules.yml
@@ -29,3 +29,7 @@ examples/security/nvs_encryption_hmac:
     - nvs_sec_provider
   depends_filepatterns:
     - examples/security/nvs_encryption_hmac/**/*
+
+examples/security/security_features_app:
+  disable:
+    - if: IDF_TARGET not in ["esp32c3"]
diff --git a/examples/security/hmac_soft_jtag/README.md b/examples/security/hmac_soft_jtag/README.md
@@ -46,8 +46,9 @@ espefuse.py -p $ESPPORT burn_key <KEY_BLOCK_NO> <KEY_FILE>.bin HMAC_DOWN_ALL
 **Step 4:** Generate token data from the HMAC key. Keep this token data handy before re-enabling JTAG access.
 
 ```bash
-python jtag_example_helper.py generate_token <KEY_FILE>.bin
+python jtag_example_helper.py generate_token <KEY_FILE>.bin <OUTPUT_FILE(optional)>
 ```
+**Note**: The OUTPUT_FILE argument is optional. If provided, the token data will be stored in the specified file in either binary format (.bin) or hexadecimal format (.hex) based on the file extension. If no OUTPUT_FILE is specified, the token data will be printed to the console.
 
 ### Configure the project
 

diff --git a/examples/security/hmac_soft_jtag/jtag_example_helper.py b/examples/security/hmac_soft_jtag/jtag_example_helper.py
@@ -6,15 +6,27 @@
 import hmac
 import os
 import subprocess
+from typing import Optional
 
 
-def generate_token_data(hmac_key_file: str) -> None:
+def generate_token_data(hmac_key_file: str, output_file: Optional[str] = None) -> None:
     with open(hmac_key_file, 'rb') as file:
         key_data = file.read()
         data = bytes([0] * 32)
         token_data = hmac.HMAC(key_data, data, hashlib.sha256).digest()
         token_hex = binascii.hexlify(token_data).decode('utf-8')
-        print(token_hex)
+
+        if output_file:
+            if output_file.endswith('.bin'):
+                with open(output_file, 'wb') as out_file:
+                    out_file.write(token_data)
+            elif output_file.endswith('.hex'):
+                with open(output_file, 'w') as out_file:
+                    out_file.write(token_hex)
+            else:
+                print(f'Unsupported file format for output file: {output_file}')
+        else:
+            print(token_hex)
 
 
 def generate_hmac_key(hmac_key_file: str) -> None:
@@ -69,6 +81,7 @@ def main() -> None:
 
     token_generator_parser = subparsers.add_parser('generate_token')
     token_generator_parser.add_argument('hmac_key_file', help='File containing the HMAC key')
+    token_generator_parser.add_argument('output_file', nargs='?', help='File to store the generated token (optional)')
 
     args = parser.parse_args()
 
@@ -77,7 +90,7 @@ def main() -> None:
     elif args.command == 'generate_hmac_key':
         generate_hmac_key(args.hmac_key_file)
     elif args.command == 'generate_token':
-        generate_token_data(args.hmac_key_file)
+        generate_token_data(args.hmac_key_file, args.output_file)
     else:
         parser.print_help()
 

diff --git a/examples/security/security_features_app/CMakeLists.txt b/examples/security/security_features_app/CMakeLists.txt
@@ -0,0 +1,8 @@
+# The following lines of boilerplate have to be in your project's
+# CMakeLists in this exact order for cmake to work correctly
+cmake_minimum_required(VERSION 3.16)
+
+include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+project(security_features_app)
+
+target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "${CONFIG_EXAMPLE_SECURE_JTAG_TOKEN_PATH}" TEXT)