espressif: add missing information for secure features
Add instructions on the readme-espressif.md on how to encrypt
data on the host.
Also add configuration and instructions for disabling/switch
UART ROM Download Mode.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
diff --git a/boot/espressif/hal/src/flash_encrypt.c b/boot/espressif/hal/src/flash_encrypt.c
index 143571b..237eca7 100644
--- a/boot/espressif/hal/src/flash_encrypt.c
+++ b/boot/espressif/hal/src/flash_encrypt.c
@@ -15,6 +15,7 @@
#include "esp_efuse_table.h"
#include "esp_log.h"
#include "hal/wdt_hal.h"
+#include "soc/soc_caps.h"
#include "esp_mcuboot_image.h"
@@ -167,6 +168,26 @@
return err;
}
+#if defined(SOC_SUPPORTS_SECURE_DL_MODE) && defined(CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE)
+ ESP_LOGI(TAG, "Enabling Secure Download mode...");
+ err = esp_efuse_enable_rom_secure_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not enable Secure Download mode...");
+ esp_efuse_batch_write_cancel();
+ return err;
+ }
+#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE
+ ESP_LOGI(TAG, "Disable ROM Download mode...");
+ err = esp_efuse_disable_rom_download_mode();
+ if (err != ESP_OK) {
+ ESP_LOGE(TAG, "Could not disable ROM Download mode...");
+ esp_efuse_batch_write_cancel();
+ return err;
+ }
+#else
+ ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
+#endif
+
err = esp_efuse_batch_write_commit();
if (err != ESP_OK) {
ESP_LOGE(TAG, "Error programming security eFuses (err=0x%x).", err);