config SECURE_BOOT_ALLOW_ROM_BASIC
bool "Leave ROM BASIC Interpreter available on reset"
- depends on SECURE_BOOT_INSECURE
+ depends on SECURE_BOOT_INSECURE || FLASH_ENCRYPTION_INSECURE
default N
help
- If not set (default), bootloader permanently disables ROM BASIC (on UART console) as a fallback if the bootloader image becomes invalid. This happens on first boot.
+ By default, the BASIC ROM Console starts on reset if no valid bootloader is
+ read from the flash.
- Only set this option in testing environments.
+ When either flash encryption or secure boot are enabled, the default is to
+ disable this BASIC fallback mode permanently via efuse.
+
+ If this option is set, this efuse is not burned and the BASIC ROM Console may
+ remain accessible. Only set this option in testing environments.
config SECURE_BOOT_ALLOW_JTAG
bool "Allow JTAG Debugging"
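Review bot: The rewritten help text drops the one piece of timing the removed line carried — that the permanent disable happens on first boot — and a reader deciding whether to set this option needs it, because the efuse choice cannot be revisited once the bit is burned. If that timing is still accurate, add a sentence to the help block such as `The efuse is burned by the bootloader on first boot, so this option must be chosen before the device boots for the first time.` Also, the new sentence on the "When either ..." line should read `When either flash encryption or secure boot is enabled, ...` (singular subject after "either").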
#else
ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
#endif
+#ifndef CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC
+ ESP_LOGI(TAG, "Disable ROM BASIC interpreter fallback...");
+ new_wdata6 |= EFUSE_RD_CONSOLE_DEBUG_DISABLE;
+#else
+ ESP_LOGW(TAG, "Not disabling ROM BASIC fallback - SECURITY COMPROMISED");
+#endif
if (new_wdata6 != 0) {
REG_WRITE(EFUSE_BLK0_WDATA6_REG, new_wdata6);
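Review bot: The added `#ifndef` block ORs a one-time-programmable bit into `new_wdata6` without any comment that the burn is irreversible, and the enclosing function, whose start and end lie outside this hunk, appears to write the register unconditionally once `new_wdata6` is non-zero. A why-comment above the `new_wdata6 |=` line would save the next maintainer from treating this like an ordinary register write, e.g. `/* One-time-programmable: once EFUSE_RD_CONSOLE_DEBUG_DISABLE is burned the ROM BASIC console cannot be re-enabled. */`. Since the Kconfig hunk in this commit also makes the option reachable under FLASH_ENCRYPTION_INSECURE, the `#else` branch's ESP_LOGW is now the only runtime signal that the fallback console was left open, so it is worth keeping its wording and level in step with the JTAG warning directly above it, as the hunk already does.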