Only set this option in testing environments.
- config SECURE_BOOT_TEST_MODE
- bool "Secure boot test mode: don't permanently set any eFuses"
- depends on SECURE_BOOT_INSECURE
- default N
- help
- If this option is set, all permanent secure boot changes (via eFuse) are disabled.
-
- Log output will state changes which would be applied, but they will not be.
-
- This option is for testing purposes only - it completely disables secure boot protection.
-
endmenu # Potentially Insecure
endmenu # Security features
err = esp_secure_boot_permanently_enable();
if (err != ESP_OK) {
ESP_LOGE(TAG, "FAILED TO ENABLE SECURE BOOT (%d).", err);
- /* Allow booting to continue, as the failure is probably
- due to user-configured EFUSEs for testing...
+ /* Panic here as secure boot is not properly enabled
+ due to one of the reasons in above function
*/
+ abort();
}
#endif
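Review bot: The comment added above `abort()` says the failure is "due to one of the reasons in above function", but no function is defined above this call in the lines shown, so a reader of the bootloader cannot tell which states now stop the boot. Judging by the error strings further down the page, those states are a pre-loaded key that is not read- or write-protected, or an ABS_DONE_0 bit that could not be set. I would name them, e.g. `/* Fail closed: secure boot could not be enabled (key block not read/write protected, or ABS_DONE_0 not settable). Do not continue to an unverified image. */`. It would also help to document that this is presumably hit on every subsequent boot until the eFuse state is corrected, since the earlier behaviour of continuing the boot is gone. The enclosing `#ifdef` block and function start outside this hunk, so whether any eFuse writes have already been committed before this point cannot be confirmed from here.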
/* Burn values written to the efuse write registers */
static inline void burn_efuses()
{
-#ifdef CONFIG_SECURE_BOOT_TEST_MODE
- ESP_LOGE(TAG, "SECURE BOOT TEST MODE. Not really burning any efuses! NOT SECURE");
-#else
esp_efuse_burn_new_values();
-#endif
}
esp_err_t esp_secure_boot_generate_digest(void)
efuse_key_write_protected = true;
}
-#ifndef CONFIG_SECURE_BOOT_TEST_MODE
if (!efuse_key_read_protected) {
ESP_LOGE(TAG, "Pre-loaded key is not read protected. Refusing to blow secure boot efuse.");
return ESP_ERR_INVALID_STATE;
ESP_LOGE(TAG, "Pre-loaded key is not write protected. Refusing to blow secure boot efuse.");
return ESP_ERR_INVALID_STATE;
}
-#endif
ESP_LOGI(TAG, "blowing secure boot efuse...");
ESP_LOGD(TAG, "before updating, EFUSE_BLK0_RDATA6 %x", REG_READ(EFUSE_BLK0_RDATA6_REG));
ESP_LOGI(TAG, "secure boot is now enabled for bootloader image");
return ESP_OK;
} else {
-#ifdef CONFIG_SECURE_BOOT_TEST_MODE
- ESP_LOGE(TAG, "secure boot not enabled due to test mode");
-#else
ESP_LOGE(TAG, "secure boot not enabled for bootloader image, EFUSE_RD_ABS_DONE_0 is probably write protected!");
-#endif
return ESP_ERR_INVALID_STATE;
}
}