secure boot v2: esp32: Prevent read disabling additional efuses

Also reduce the number of eFuse write cycles during first boot when
Secure Boot and/or Flash Encryption are enabled.
Angus Gratton
2020-03-20 13:55:15 +11:00
committed by Angus Gratton
parent f96d28172b
commit cf8dd62fc4
4 changed files with 73 additions and 25 deletions


@@ -640,6 +640,18 @@ menu "Security features"
image to this length. It is generally not recommended to set this option, unless you have a legacy
partitioning scheme which doesn't support 64KB aligned partition lengths.
config SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
bool "Allow additional read protecting of efuses"
depends on SECURE_BOOT_INSECURE && SECURE_BOOT_V2_ENABLED
help
If not set (default, recommended), on first boot the bootloader will burn the WR_DIS_RD_DIS
efuse when Secure Boot is enabled. This prevents any more efuses from being read protected.
If this option is set, it will remain possible to write the EFUSE_RD_DIS efuse field after Secure
Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse holding the public
key digest, causing an immediate denial of service and possibly allowing an additional fault
injection attack to bypass the signature protection.
config SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
bool "Leave UART bootloader encryption enabled"
depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
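Review bot: The help text for SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS says the bootloader burns WR_DIS_RD_DIS "when Secure Boot is enabled", but the option only exists under SECURE_BOOT_V2_ENABLED; wording it as "when Secure Boot V2 is enabled" avoids readers of the generated docs assuming the V1 scheme gets the same protection. Two smaller points on the same block: an explicit `default n` line under the `bool` would make the "(default, recommended)" claim in the help self-evident in the Kconfig itself, and since an eFuse burn is permanent it is worth stating that leaving this option unset (the recommended setting) means RD_DIS can never again be written on that device, so a developer who later wants to read-protect another block cannot undo it. The threat description (read-protecting BLK2 to hide the key digest, giving denial of service and a possible fault-injection foothold) is clear and justifies the `depends on SECURE_BOOT_INSECURE` gating.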