| # |
| # For a description of the syntax of this configuration file, |
| # see the file kconfig-language.txt in the NuttX tools repository. |
| # |
| |
| comment "Secure Boot" |
| |
| config ESP32_SECURE_BOOT |
| bool "Enable hardware Secure Boot in bootloader (READ HELP FIRST)" |
| default n |
| depends on ESP32_APP_FORMAT_MCUBOOT |
| ---help--- |
| Build a bootloader which enables Secure Boot on first boot. |
| |
| Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only boot an |
| application firmware image if it has a verified digital signature. There are implications for reflashing |
| updated images once Secure Boot is enabled. |
| |
| When enabling Secure Boot, JTAG and ROM BASIC Interpreter are permanently disabled by default. |
| |
| if ESP32_SECURE_BOOT |
| |
| config ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES |
| bool "Sign binaries during build" |
| default y |
| ---help--- |
| Once Secure Boot is enabled, bootloader and application images are required to be signed. |
| |
| If enabled (default), these binary files are signed as part of the build process. |
| The files named in "Bootloader private signing key" and "Application private signing key" will |
| be used to sign the bootloader and application images, respectively. |
| |
| If disabled, unsigned firmware images will be built. |
| They must be then signed manually using imgtool (e.g., on a remote signing server). |
| |
| config ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY |
| string "Bootloader private signing key" |
| default "bootloader_signing_key.pem" |
| ---help--- |
| Path to the key file used to sign the bootloader image. |
| |
| Key file is an RSA private key in PEM format. |
| |
| Path is evaluated relative to the directory indicated by the ESPSEC_KEYDIR environment |
| variable. |
| |
| You can generate a new signing key by running the following command: |
| $ espsecure.py generate_signing_key --version 2 bootloader_signing_key.pem |
| |
| See the Secure Boot section of the ESP-IDF Programmer's Guide for this version for details. |
| |
| choice ESP32_SECURE_SIGNED_APPS_SCHEME |
| prompt "Application image signing scheme" |
| default ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072 |
| ---help--- |
| Select the secure application signing scheme. |
| |
| config ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_2048 |
| bool "RSA-2048" |
| |
| config ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072 |
| bool "RSA-3072" |
| |
| config ESP32_SECURE_SIGNED_APPS_SCHEME_ECDSA_P256 |
| bool "ECDSA-P256" |
| |
| config ESP32_SECURE_SIGNED_APPS_SCHEME_ED25519 |
| bool "ED25519" |
| |
| endchoice |
| |
| config ESP32_SECURE_BOOT_APP_SIGNING_KEY |
| string "Application private signing key" |
| default "app_signing_key.pem" |
| ---help--- |
| Path to the key file used to sign NuttX application images. |
| |
| Key file is in PEM format and its type shall be specified by the configuration defined in |
| "Application image signing scheme". |
| |
| Path is evaluated relative to the directory indicated by the ESPSEC_KEYDIR environment |
| variable. |
| |
| You can generate a new signing key by running the following command: |
| $ imgtool keygen --key app_signing_key.pem --type <ESP32_SECURE_SIGNED_APPS_SCHEME> |
| |
| config ESP32_SECURE_BOOT_INSECURE |
| bool "Allow potentially insecure options" |
| default n |
| ---help--- |
| You can disable some of the default protections offered by Secure Boot, in order to enable testing or a |
| custom combination of security features. |
| |
| Only enable these options if you are very sure. |
| |
| Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. |
| |
| endif # ESP32_SECURE_BOOT |
| |
| comment "Flash Encryption" |
| |
| config ESP32_SECURE_FLASH_ENC_ENABLED |
| bool "Enable Flash Encryption on boot (READ HELP FIRST)" |
| default n |
| depends on ESP32_APP_FORMAT_MCUBOOT |
| ---help--- |
| If this option is set, flash contents will be encrypted by the bootloader on first boot. |
| |
| Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted |
| system is complicated and not always possible. |
| |
| Read https://docs.espressif.com/projects/esp-idf/en/latest/security/flash-encryption.html |
| before enabling. |
| |
| if ESP32_SECURE_FLASH_ENC_ENABLED |
| |
| choice ESP32_SECURE_FLASH_ENCRYPTION_MODE |
| bool "Enable usage mode" |
| default ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| ---help--- |
| By default, Development mode is enabled which allows ROM download mode to perform Flash Encryption |
| operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext |
| to flash). This mode is not secure, it's possible for an attacker to write their own chosen plaintext |
| to flash. |
| |
| Release mode should always be selected for production or manufacturing. Once enabled it's no longer |
| possible for the device in ROM Download Mode to use the Flash Encryption hardware. |
| |
| Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details: |
| https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html#flash-encryption-configuration |
| |
| config ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| bool "Development (NOT SECURE)" |
| select ESP32_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC |
| |
| config ESP32_SECURE_FLASH_ENCRYPTION_MODE_RELEASE |
| bool "Release" |
| |
| endchoice |
| |
| endif # ESP32_SECURE_FLASH_ENC_ENABLED |
| |
| menu "Potentially insecure options" |
| visible if ESP32_SECURE_BOOT_INSECURE || ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| |
| # NOTE: Options in this menu NEED to have ESP32_SECURE_BOOT_INSECURE |
| # and/or ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu |
| # itself doesn't enable/disable its children (if it's not set, |
| # it's possible for the insecure menu to be disabled but the insecure option |
| # to remain on which is very bad.) |
| |
| config ESP32_SECURE_BOOT_ALLOW_ROM_BASIC |
| bool "Leave ROM BASIC Interpreter available on reset" |
| default n |
| depends on ESP32_SECURE_BOOT_INSECURE || ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| ---help--- |
| By default, the BASIC ROM Console starts on reset if no valid bootloader is |
| read from the flash. |
| |
| When either Flash Encryption or Secure Boot are enabled, the default is to |
| disable this BASIC fallback mode permanently via eFuse. |
| |
| If this option is set, this eFuse is not burned and the BASIC ROM Console may |
| remain accessible. Only set this option in testing environments. |
| |
| config ESP32_SECURE_BOOT_ALLOW_JTAG |
| bool "Allow JTAG Debugging" |
| default n |
| depends on ESP32_SECURE_BOOT_INSECURE || ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| ---help--- |
| If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot |
| when either Secure Boot or Flash Encryption is enabled. |
| |
| Setting this option leaves JTAG on for debugging, which negates all protections of Flash Encryption |
| and some of the protections of Secure Boot. |
| |
| Only set this option in testing environments. |
| |
| config ESP32_SECURE_BOOT_ALLOW_EFUSE_RD_DIS |
| bool "Allow additional read protecting of efuses" |
| default n |
| depends on ESP32_SECURE_BOOT_INSECURE |
| ---help--- |
| If not set (default, recommended), on first boot the bootloader will burn the WR_DIS_RD_DIS |
| efuse when Secure Boot is enabled. This prevents any more efuses from being read protected. |
| |
| If this option is set, it will remain possible to write the EFUSE_RD_DIS efuse field after Secure |
| Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse (for ESP32) and |
| BLOCK4-BLOCK10 (i.e. BLOCK_KEY0-BLOCK_KEY5)(for other chips) holding the public key digest, causing an |
| immediate denial of service and possibly allowing an additional fault injection attack to |
| bypass the signature protection. |
| |
| NOTE: Once a BLOCK is read-protected, the application will read all zeros from that block |
| |
| NOTE: If UART ROM download mode "Permanently disabled (recommended)" is set, |
| then it is __NOT__ possible to read/write efuses using espefuse.py utility. |
| However, efuse can be read/written from the application. |
| |
| config ESP32_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC |
| bool "Leave UART bootloader encryption enabled" |
| default n |
| depends on ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| ---help--- |
| If not set (default), the bootloader will permanently disable UART bootloader encryption access on |
| first boot. If set, the UART bootloader will still be able to access hardware encryption. |
| |
| It is recommended to only set this option in testing environments. |
| |
| config ESP32_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC |
| bool "Leave UART bootloader decryption enabled" |
| default n |
| depends on ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| ---help--- |
| If not set (default), the bootloader will permanently disable UART bootloader decryption access on |
| first boot. If set, the UART bootloader will still be able to access hardware decryption. |
| |
| Only set this option in testing environments. Setting this option allows complete bypass of flash |
| encryption. |
| |
| config ESP32_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE |
| bool "Leave UART bootloader flash cache enabled" |
| default n |
| depends on ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| ---help--- |
| If not set (default), the bootloader will permanently disable UART bootloader flash cache access on |
| first boot. If set, the UART bootloader will still be able to access the flash cache. |
| |
| Only set this option in testing environments. |
| |
| config ESP32_SECURE_FLASH_REQUIRE_ALREADY_ENABLED |
| bool "Require Flash Encryption to be already enabled" |
| default n |
| depends on ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT |
| ---help--- |
| If not set (default), and Flash Encryption is not yet enabled in eFuses, the 2nd stage bootloader |
| will enable Flash Encryption: generate the Flash Encryption key and program eFuses. |
| If this option is set, and Flash Encryption is not yet enabled, the bootloader will error out and |
| reboot. |
| If Flash Encryption is enabled in eFuses, this option does not change the bootloader behavior. |
| |
| Only use this option in testing environments, to avoid accidentally enabling Flash Encryption on |
| the wrong device. The device needs to have Flash Encryption already enabled using espefuse.py. |
| |
| endmenu # Potentially insecure options |
| |
| choice ESP32_SECURE_UART_ROM_DL_MODE |
| bool "UART ROM download mode" |
| default ESP32_SECURE_INSECURE_ALLOW_DL_MODE |
| depends on ESP32_SECURE_BOOT || ESP32_SECURE_FLASH_ENC_ENABLED |
| |
| config ESP32_SECURE_DISABLE_ROM_DL_MODE |
| bool "Permanently disabled (recommended)" |
| ---help--- |
| If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM |
| Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools. |
| |
| Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode |
| then an error is printed instead. |
| |
| It is recommended to enable this option in any production application where Flash |
| Encryption and/or Secure Boot is enabled and access to Download Mode is not required. |
| |
| It is also possible to permanently disable Download Mode by calling |
| esp_efuse_disable_rom_download_mode() at runtime. |
| |
| config ESP32_SECURE_INSECURE_ALLOW_DL_MODE |
| bool "Enabled (not recommended)" |
| ---help--- |
| This is a potentially insecure option. |
| Enabling this option will allow the full UART download mode to stay enabled. |
| This option SHOULD NOT BE ENABLED for production use cases. |
| |
| endchoice |
