From 1cb8a72e1c63fbf7637a175fba1958bb9b3ff1cf Mon Sep 17 00:00:00 2001
From: Sachin Parekh
Date: Tue, 24 May 2022 22:14:21 +0530
Subject: [PATCH 1/4] espsecure: Fix secure boot v1 key generation - Add test cases for SB v1 and v2 key generation
---
 espsecure/__init__.py | 2 +-
 test/test_espsecure.py | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/espsecure/__init__.py b/espsecure/__init__.py
index ea6fd8b80..3da5297b8 100755
--- a/espsecure/__init__.py
+++ b/espsecure/__init__.py
@@ -160,7 +160,7 @@ def generate_signing_key(args):
 raise esptool.FatalError("ERROR: Key file %s already exists" % args.keyfile)
 if args.version == "1":
 if hasattr(args, "scheme"):
- if args.scheme != "ecdsa256":
+ if args.scheme != "ecdsa256" and args.scheme is not None:
 raise esptool.FatalError("ERROR: V1 only supports ECDSA256")
 """
 Generate an ECDSA signing key for signing secure boot images (post-bootloader)
diff --git a/test/test_espsecure.py b/test/test_espsecure.py
index 1dfe560ae..35c0cc84d 100755
--- a/test/test_espsecure.py
+++ b/test/test_espsecure.py
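Review bot: The widened check in `generate_signing_key` now lets `args.scheme is None` through for version 1 without recording why, and the `hasattr` guard plus two comparisons reads more clearly as one membership test: `if getattr(args, "scheme", None) not in (None, "ecdsa256"):`. A comment such as `# scheme is None when --scheme was not given; V1 is always ECDSA256` would state the intent; presumably that is what None means here, but the argument parser is not visible in the hunk. The string literal that follows the check (`""" Generate an ECDSA signing key ...`) comes after executable statements, so it is a no-op expression rather than a docstring and could become a `#` comment. The function starts before the hunk and continues past it.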
@@ -121,6 +121,31 @@ class SigningTests(EspSecureTestCase): GenerateKeyArgs = namedtuple("generate_key_args", ["version", "scheme", "keyfile"]) + def test_key_generation_v1(self): + # tempfile.TemporaryDirectory() would be better + # but we need compatibility with old Pythons + keydir = tempfile.mkdtemp() + self.addCleanup(os.rmdir, keydir) + + # keyfile cannot exist before generation -> tempfile.NamedTemporaryFile() + # cannot be used for keyfile + keyfile_name = os.path.join(keydir, "key.pem") + self.addCleanup(os.remove, keyfile_name) + self.run_espsecure("generate_signing_key --version 1 {}".format(keyfile_name)) + + def test_key_generation_v2(self): + # tempfile.TemporaryDirectory() would be better + # but we need compatibility with old Pythons + keydir = tempfile.mkdtemp() + self.addCleanup(os.rmdir, keydir) + + # keyfile cannot exist before generation -> tempfile.NamedTemporaryFile() + # cannot be used for keyfile + keyfile_name = os.path.join(keydir, "key.pem") + self.addCleanup(os.remove, keyfile_name) + + self.run_espsecure("generate_signing_key --version 2 {}".format(keyfile_name)) + def _test_sign_v1_data(self, key_name): try: output_file = tempfile.NamedTemporaryFile(delete=False) From 190091b5cd89275be4b06bf28bf03292fc33fe77 Mon Sep 17 00:00:00 2001 From: wuzhenghui Date: Tue, 24 May 2022 18:32:55 +0800 Subject: [PATCH 2/4] efuse: update bit name in efuse table --- espefuse/efuse/esp32c3/mem_definition.py | 12 +++++++----- espefuse/efuse/esp32h2beta1/mem_definition.py | 9 ++++----- espefuse/efuse/esp32s3/mem_definition.py | 10 +++++----- espefuse/efuse/esp32s3beta2/mem_definition.py | 10 +++++----- 4 files changed, 21 insertions(+), 20 deletions(-) diff --git a/espefuse/efuse/esp32c3/mem_definition.py b/espefuse/efuse/esp32c3/mem_definition.py index 40fd581ca..1bef54b19 100644 --- a/espefuse/efuse/esp32c3/mem_definition.py +++ b/espefuse/efuse/esp32c3/mem_definition.py 
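Review bot: Neither `test_key_generation_v1` nor `test_key_generation_v2` covers the branch this patch changes: nothing checks that `generate_signing_key --version 1` is still rejected with "V1 only supports ECDSA256" when a different `--scheme` is given, and nothing is asserted about the file that was written. Because this is the secure boot signing key, I would load `keyfile_name` after generation and assert the key type for each version, and add the negative case for V1. The two bodies differ only in the version string, so a shared helper such as `_test_key_generation(self, version)` would remove the duplication. If generation fails, the `os.remove` cleanup also fails on the missing file, which adds noise to the real error. `SigningTests` begins before the hunk and `_test_sign_v1_data` continues after it.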
@@ -146,11 +146,10 @@ class EfuseDefineFields(EfuseFieldsBase): "unit is (ms/2). When the value is 15, delay is 7.5 ms", None), ("DIS_DOWNLOAD_MODE", "security", 0, 4, 0, "bool", 18, None, None, "Disables all Download boot modes", None), - ("DIS_LEGACY_SPI_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables Legacy SPI boot mode", None), - ("UART_PRINT_CHANNEL", "config", 0, 4, 2, "bool", 18, None, None, "Selects the default UART for printing boot msg", - {0: "UART0", - 1: "UART1"}), - ("DIS_USB_DOWNLOAD_MODE", "usb config", 0, 4, 4, "bool", 18, None, None, "Disables use of USB in UART download boot mode", None), + ("DIS_DIRECT_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables direct boot mode", None), + ("DIS_USB_SERIAL_JTAG_ROM_PRINT", "config", 0, 4, 2, "bool", 18, None, None, "Disables USB-Serial-JTAG ROM printing", None), + ("DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE", "usb config", 0, 4, 4, "bool", 18, None, None, "Disables USB-Serial-JTAG download feature in " + "UART download boot mode", None), ("ENABLE_SECURITY_DOWNLOAD", "security", 0, 4, 5, "bool", 18, None, None, "Enables secure UART download mode " "(read/write flash only)", None), ("UART_PRINT_CONTROL", "config", 0, 4, 6, "uint:2", 18, None, None, "Sets the default UART boot message output mode", @@ -162,6 +161,9 @@ class EfuseDefineFields(EfuseFieldsBase): "during SPI boot", None), ("SECURE_VERSION", "identity", 0, 4, 14, "uint:16", 18, None, "bitcount", "Secure version (used by ESP-IDF anti-rollback feature)", None), + ("ERR_RST_ENABLE", "config", 0, 4, 31, "bool", 19, None, None, "Use BLOCK0 to check error record registers", + {0: "without check", + 1: "with check"}), # # Table 53: Parameters in BLOCK1-10 # Name Category Block Word Pos Type:len WR_DIS RD_DIS Class Description Dictionary diff --git a/espefuse/efuse/esp32h2beta1/mem_definition.py b/espefuse/efuse/esp32h2beta1/mem_definition.py index e55fd61ba..bc9998aa0 100644 --- a/espefuse/efuse/esp32h2beta1/mem_definition.py 
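Review bot: The names `DIS_LEGACY_SPI_BOOT`, `UART_PRINT_CHANNEL` and `DIS_USB_DOWNLOAD_MODE` are dropped from this table with no alias, so a provisioning script that burns or write-protects them by name stops working on this chip; the esp32h2beta1, esp32s3 and esp32s3beta2 tables later in this patch make the same change. Bit 2 of word 4 also changes meaning, from a UART0/UART1 selector to `DIS_USB_SERIAL_JTAG_ROM_PRINT`, so a value burned under the old name now reads back as a different setting. eFuse burns cannot be undone, so I would keep the mapping next to the definitions, e.g. `# formerly DIS_USB_DOWNLOAD_MODE` above each renamed entry, and repeat it in the release notes. The added `ERR_RST_ENABLE` entry uses WR_DIS bit 19 where its neighbours use 18; a short comment confirming that against the reference manual would help the next reader. `EfuseDefineFields` starts and ends outside the hunk.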
+++ b/espefuse/efuse/esp32h2beta1/mem_definition.py @@ -150,11 +150,10 @@ class EfuseDefineFields(EfuseFieldsBase): "unit is (ms/2). When the value is 15, delay is 7.5 ms", None), ("DIS_DOWNLOAD_MODE", "security", 0, 4, 0, "bool", 18, None, None, "Disables all Download boot modes", None), - ("DIS_LEGACY_SPI_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables Legacy SPI boot mode", None), - ("UART_PRINT_CHANNEL", "config", 0, 4, 2, "bool", 18, None, None, "Selects the default UART for printing boot msg", - {0: "UART0", - 1: "UART1"}), - ("DIS_USB_DOWNLOAD_MODE", "usb config", 0, 4, 4, "bool", 18, None, None, "Disables use of USB in UART download boot mode", None), + ("DIS_DIRECT_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables direct boot mode", None), + ("DIS_USB_SERIAL_JTAG_ROM_PRINT", "config", 0, 4, 2, "bool", 18, None, None, "Disables USB-Serial-JTAG ROM printing", None), + ("DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE", "usb config", 0, 4, 4, "bool", 18, None, None, "Disables USB-Serial-JTAG download feature in " + "UART download boot mode", None), ("ENABLE_SECURITY_DOWNLOAD", "security", 0, 4, 5, "bool", 18, None, None, "Enables secure UART download mode " "(read/write flash only)", None), ("UART_PRINT_CONTROL", "config", 0, 4, 6, "uint:2", 18, None, None, "Sets the default UART boot message output mode", diff --git a/espefuse/efuse/esp32s3/mem_definition.py b/espefuse/efuse/esp32s3/mem_definition.py index f9155a874..52eb12d34 100644 --- a/espefuse/efuse/esp32s3/mem_definition.py +++ b/espefuse/efuse/esp32s3/mem_definition.py 
@@ -159,14 +159,12 @@ class EfuseDefineFields(EfuseFieldsBase): "unit is (ms/2). When the value is 15, delay is 7.5 ms", None), ("DIS_DOWNLOAD_MODE", "security", 0, 4, 0, "bool", 18, None, None, "Disables all Download boot modes", None), - ("DIS_LEGACY_SPI_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables Legacy SPI boot mode", None), - ("UART_PRINT_CHANNEL", "config", 0, 4, 2, "bool", 18, None, None, "Selects the default UART for printing boot msg", - {0: "UART0", - 1: "UART1"}), + ("DIS_DIRECT_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables direct boot mode", None), + ("DIS_USB_SERIAL_JTAG_ROM_PRINT", "config", 0, 4, 2, "bool", 18, None, None, "Disables USB-Serial-JTAG ROM printing", None), ("FLASH_ECC_MODE", "config", 0, 4, 3, "bool", 18, None, None, "Configures the ECC mode for SPI flash", {0: "16-byte to 18-byte mode", 1: "16-byte to 17-byte mode"}), - ("DIS_USB_DOWNLOAD_MODE", "config", 0, 4, 4, "bool", 18, None, None, "Disables USB OTG download feature in " + ("DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE", "config", 0, 4, 4, "bool", 18, None, None, "Disables USB-Serial-JTAG download feature in " "UART download boot mode", None), ("ENABLE_SECURITY_DOWNLOAD", "security", 0, 4, 5, "bool", 18, None, None, "Enables secure UART download mode " "(read/write flash only)", None), @@ -187,6 +185,8 @@ class EfuseDefineFields(EfuseFieldsBase): "during SPI boot", None), ("SECURE_VERSION", "identity", 0, 4, 14, "uint:16", 18, None, "bitcount", "Secure version (used by ESP-IDF anti-rollback feature)", None), + ("DIS_USB_OTG_DOWNLOAD_MODE", "config", 0, 4, 31, "bool", 19, None, None, "Disables USB-OTG download feature in " + "UART download boot mode", None), # # Table 53: Parameters in BLOCK1-10 # Name Category Block Word Pos Type:len WR_DIS RD_DIS Class Description Dictionary diff --git a/espefuse/efuse/esp32s3beta2/mem_definition.py b/espefuse/efuse/esp32s3beta2/mem_definition.py index abe8fd4f6..701a19f0a 100644 
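Review bot: A device locked down with the old esp32s3 name `DIS_USB_DOWNLOAD_MODE` may still have USB-OTG download enabled: that entry sat at block 0, word 4, bit 4 and was described as disabling the USB OTG download feature, while the new table says bit 4 disables USB-Serial-JTAG download and puts `DIS_USB_OTG_DOWNLOAD_MODE` at bit 31. If the new definitions are the correct ones, nothing in this patch tells users to re-check already provisioned units. I would add a comment on the new entry, e.g. `# bit 4 was previously labelled as the USB OTG disable; this is the field that disables USB-OTG download`, and call the change out in the changelog. The esp32s3beta2 hunks that follow make the same change. `EfuseDefineFields` starts and ends outside the hunk.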
--- a/espefuse/efuse/esp32s3beta2/mem_definition.py +++ b/espefuse/efuse/esp32s3beta2/mem_definition.py @@ -153,14 +153,12 @@ class EfuseDefineFields(EfuseFieldsBase): "unit is (ms/2). When the value is 15, delay is 7.5 ms", None), ("DIS_DOWNLOAD_MODE", "security", 0, 4, 0, "bool", 18, None, None, "Disables all Download boot modes", None), - ("DIS_LEGACY_SPI_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables Legacy SPI boot mode", None), - ("UART_PRINT_CHANNEL", "config", 0, 4, 2, "bool", 18, None, None, "Selects the default UART for printing boot msg", - {0: "UART0", - 1: "UART1"}), + ("DIS_DIRECT_BOOT", "config", 0, 4, 1, "bool", 18, None, None, "Disables direct boot mode", None), + ("DIS_USB_SERIAL_JTAG_ROM_PRINT", "config", 0, 4, 2, "bool", 18, None, None, "Disables USB-Serial-JTAG ROM printing", None), ("FLASH_ECC_MODE", "config", 0, 4, 3, "bool", 18, None, None, "Configures the ECC mode for SPI flash", {0: "16-byte to 18-byte mode", 1: "16-byte to 17-byte mode"}), - ("DIS_USB_DOWNLOAD_MODE", "config", 0, 4, 4, "bool", 18, None, None, "Disables USB OTG download feature in " + ("DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE", "config", 0, 4, 4, "bool", 18, None, None, "Disables USB-Serial-JTAG download feature in " "UART download boot mode", None), ("ENABLE_SECURITY_DOWNLOAD", "security", 0, 4, 5, "bool", 18, None, None, "Enables secure UART download mode " "(read/write flash only)", None), @@ -181,6 +179,8 @@ class EfuseDefineFields(EfuseFieldsBase): "during SPI boot", None), ("SECURE_VERSION", "identity", 0, 4, 14, "uint:16", 18, None, "bitcount", "Secure version (used by ESP-IDF anti-rollback feature)", None), + ("DIS_USB_OTG_DOWNLOAD_MODE", "config", 0, 4, 31, "bool", 19, None, None, "Disables USB-OTG download feature in " + "UART download boot mode", None), # # Table 53: Parameters in BLOCK1-10 # Name Category Block Word Pos Type:len WR_DIS RD_DIS Class Description Dictionary From b322f5a3cedcaebcade37255d8423ea5cc88d07b Mon Sep 17 00:00:00 2001 
From: wuzhenghui Date: Wed, 25 May 2022 14:24:37 +0800 Subject: [PATCH 3/4] fix test scripts --- test/efuse_scripts/esp32xx/test_efuse_script.py | 6 +++--- test/efuse_scripts/esp32xx/test_efuse_script2.py | 2 +- test/test_espefuse_host.py | 14 ++++++++++++-- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/test/efuse_scripts/esp32xx/test_efuse_script.py b/test/efuse_scripts/esp32xx/test_efuse_script.py index d40c04b74..5818208a4 100644 --- a/test/efuse_scripts/esp32xx/test_efuse_script.py +++ b/test/efuse_scripts/esp32xx/test_efuse_script.py @@ -1,6 +1,6 @@ # flake8: noqa # fmt: off -espefuse(esp, efuses, args, 'burn_efuse DIS_FORCE_DOWNLOAD 1 DIS_CAN 1 DIS_USB_DOWNLOAD_MODE 1') +espefuse(esp, efuses, args, 'burn_efuse DIS_FORCE_DOWNLOAD 1 DIS_CAN 1 DIS_DOWNLOAD_MODE 1') espefuse(esp, efuses, args, 'burn_bit BLOCK_USR_DATA 64 66 69 72 78 82 83 90') espefuse(esp, efuses, args, 'read_protect_efuse BLOCK_SYS_DATA2') espefuse(esp, efuses, args, 'write_protect_efuse BLOCK_SYS_DATA2') @@ -19,8 +19,8 @@ raise esptool.FatalError("DIS_FORCE_DOWNLOAD was not set") if efuses["DIS_CAN"].get() != 1: raise esptool.FatalError("DIS_CAN was not set") -if efuses["DIS_USB_DOWNLOAD_MODE"].get() != 1: - raise esptool.FatalError("DIS_USB_DOWNLOAD_MODE was not set") +if efuses["DIS_DOWNLOAD_MODE"].get() != 1: + raise esptool.FatalError("DIS_DOWNLOAD_MODE was not set") if efuses["BLOCK_USR_DATA"].get_meaning() != "00 00 00 00 00 00 00 00 25 41 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00": raise esptool.FatalError("BLOCK_USR_DATA was not set correctly") diff --git a/test/efuse_scripts/esp32xx/test_efuse_script2.py b/test/efuse_scripts/esp32xx/test_efuse_script2.py index b0a441692..4bf3f2014 100644 --- a/test/efuse_scripts/esp32xx/test_efuse_script2.py +++ b/test/efuse_scripts/esp32xx/test_efuse_script2.py 
@@ -1,6 +1,6 @@ # flake8: noqa # fmt: off -espefuse(esp, efuses, args, 'burn_efuse DIS_FORCE_DOWNLOAD 1 DIS_CAN 1 DIS_USB_DOWNLOAD_MODE 1') +espefuse(esp, efuses, args, 'burn_efuse DIS_FORCE_DOWNLOAD 1 DIS_CAN 1 DIS_DOWNLOAD_MODE 1') if efuses["DIS_FORCE_DOWNLOAD"].get() != 0: raise esptool.FatalError("Burn should be at the end") diff --git a/test/test_espefuse_host.py b/test/test_espefuse_host.py index 83189d3c3..a7aad89bc 100755 --- a/test/test_espefuse_host.py +++ b/test/test_espefuse_host.py @@ -347,8 +347,9 @@ def test_write_protect_efuse(self): SECURE_BOOT_KEY_REVOKE2 KEY_PURPOSE_0 KEY_PURPOSE_1 KEY_PURPOSE_2 KEY_PURPOSE_3 KEY_PURPOSE_4 KEY_PURPOSE_5 SECURE_BOOT_EN SECURE_BOOT_AGGRESSIVE_REVOKE FLASH_TPUW - DIS_DOWNLOAD_MODE DIS_LEGACY_SPI_BOOT UART_PRINT_CHANNEL - DIS_USB_DOWNLOAD_MODE ENABLE_SECURITY_DOWNLOAD + DIS_DOWNLOAD_MODE DIS_DIRECT_BOOT + DIS_USB_SERIAL_JTAG_ROM_PRINT + DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE ENABLE_SECURITY_DOWNLOAD UART_PRINT_CONTROL MAC SPI_PAD_CONFIG_CLK SPI_PAD_CONFIG_Q SPI_PAD_CONFIG_D SPI_PAD_CONFIG_CS SPI_PAD_CONFIG_HD SPI_PAD_CONFIG_WP SPI_PAD_CONFIG_DQS SPI_PAD_CONFIG_D4 @@ -357,6 +358,15 @@ def test_write_protect_efuse(self): BLOCK2_VERSION BLOCK_USR_DATA BLOCK_KEY0 BLOCK_KEY1 BLOCK_KEY2 BLOCK_KEY3 BLOCK_KEY4 BLOCK_KEY5""" efuse_lists2 = "RD_DIS DIS_ICACHE" + if chip_target == "esp32s2": + replace_rule = { + # New bit definition after esp32c3 Old defintion in esp32s2 + "DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE": "DIS_USB_DOWNLOAD_MODE", + "DIS_DIRECT_BOOT": "DIS_LEGACY_SPI_BOOT", + "DIS_USB_SERIAL_JTAG_ROM_PRINT": "UART_PRINT_CHANNEL", + } + for old_name in replace_rule: + efuse_lists = efuse_lists.replace(old_name, replace_rule[old_name]) self.espefuse_py("write_protect_efuse {}".format(efuse_lists)) output = self.espefuse_py("write_protect_efuse {}".format(efuse_lists2)) self.assertEqual(2, output.count("is already write protected")) From d20bf7f1086027edb40a29a112612e354685b0cf Mon Sep 17 00:00:00 2001 
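Review bot: In the esp32s2 branch added to `test_write_protect_efuse`, the loop variable is named `old_name` but iterates over the keys of `replace_rule`, which are the new names; `for new_name, old_name in replace_rule.items():` with `efuse_lists = efuse_lists.replace(new_name, old_name)` says what actually happens. `str.replace` matches substrings, so the rewrite stays correct only while no other field name in the list contains one of the keys; splitting the list and mapping whole names would remove that dependency. The comment above the mapping has a typo (`defintion`). The test method starts outside the hunk.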
From: "radim.karnis" Date: Fri, 27 May 2022 09:34:01 +0200 Subject: [PATCH 4/4] Update version to v4.1 --- esptool/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/esptool/__init__.py b/esptool/__init__.py index 14edfae49..327fb93cc 100644 --- a/esptool/__init__.py +++ b/esptool/__init__.py @@ -30,7 +30,7 @@ "write_mem", ] -__version__ = "4.1-dev" +__version__ = "4.1" import argparse import inspect