attestation: only allow attestation initialisation on secure devices

Blockstream · Nov 6, 2024 · 279331b · 279331b
1 parent 3bec0a6
commit 279331b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/jade_attest.py b/jade_attest.py
@@ -192,6 +192,9 @@ def attestation_verify(jade, args):
         if verinfo['BOARD_TYPE'] not in ESP32S3_CHIP_BOARDS:
             print('Attestation only available on esp32s3 chipset')
             sys.exit(2)
+        if verinfo['JADE_FEATURES'] != 'SB':
+            print('Attestation only available on secure-boot devices')
+            sys.exit(3)
 
         if args.initialise:
             attestation_initialise(jade, args)

diff --git a/main/attestation/attestation.c b/main/attestation/attestation.c
@@ -32,7 +32,7 @@
 #define JADE_ATTEST_EFUSE EFUSE_BLK_KEY5
 #define JADE_ATTEST_HMAC_EFUSE_ID (JADE_ATTEST_EFUSE - EFUSE_BLK_KEY0)
 
-#ifdef CONFIG_DEBUG_MODE
+#if defined(CONFIG_DEBUG_MODE) && !defined(CONFIG_SECURE_BOOT)
 #define ALLOW_REINITIALISE 1
 #endif
 
@@ -428,6 +428,10 @@ static void rsa_ctx_to_ds_params(mbedtls_rsa_context* rsa, esp_ds_p_data_t* para
 
 bool attestation_can_be_initialised(void)
 {
+    // Only 'secure-boot' units can be set-up with attestation
+#ifndef CONFIG_SECURE_BOOT
+    return false;
+#else
     // Check efuse is currently unused (ie. 'user', [or already set if in dev mode])
     const esp_efuse_purpose_t purpose = esp_efuse_get_key_purpose(JADE_ATTEST_EFUSE);
 #ifdef ALLOW_REINITIALISE
@@ -453,6 +457,7 @@ bool attestation_can_be_initialised(void)
     }
 
     return true;
+#endif // CONFIG_SECURE_BOOT
 }
 
 bool attestation_initialised(void)