This is an automated email from the ASF dual-hosted git repository. simbit18 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit 3a74b82e093cd85f23916c710a46955af25f5e3f Author: Filipe Cavalcanti <[email protected]> AuthorDate: Fri Oct 10 10:46:18 2025 -0300 arch/xtensa: flash encryption support for ESP32|S2|S3 Deprecates ESP32_STORAGE_MTD_ENCRYPT and ESP32_OTA_PARTITION_ENCRYPT options. Add ESPRESSIF_SECURE_FLASH_ENC_ENABLED Kconfig option. Updates SPI Flash driver to handle encryption automatically. Signed-off-by: Filipe Cavalcanti <[email protected]> --- arch/xtensa/src/common/espressif/Kconfig | 76 +++- arch/xtensa/src/common/espressif/esp_spiflash.c | 492 ++++++++++++++++++++- arch/xtensa/src/esp32/Bootloader.mk | 4 +- arch/xtensa/src/esp32/Kconfig | 16 +- arch/xtensa/src/esp32/Kconfig.security | 2 + arch/xtensa/src/esp32/Make.defs | 2 +- arch/xtensa/src/esp32/esp32_start.c | 13 + arch/xtensa/src/esp32/hal.mk | 6 +- arch/xtensa/src/esp32s2/Bootloader.mk | 10 +- arch/xtensa/src/esp32s2/Kconfig | 2 +- arch/xtensa/src/esp32s2/Kconfig.security | 1 + arch/xtensa/src/esp32s2/hal.mk | 6 +- arch/xtensa/src/esp32s3/Bootloader.mk | 9 +- arch/xtensa/src/esp32s3/Kconfig | 2 +- .../xtensa/esp32/common/scripts/esp32_sections.ld | 2 + .../xtensa/esp32/common/src/esp32_board_spiflash.c | 8 +- tools/esp32s3/Config.mk | 6 +- 17 files changed, 606 insertions(+), 51 deletions(-) diff --git a/arch/xtensa/src/common/espressif/Kconfig b/arch/xtensa/src/common/espressif/Kconfig index adc175e30cc..e04955f10c4 100644 --- a/arch/xtensa/src/common/espressif/Kconfig +++ b/arch/xtensa/src/common/espressif/Kconfig @@ -51,13 +51,14 @@ config ESPRESSIF_EFUSE config ESPRESSIF_EFUSE_VIRTUAL bool "Virtual EFUSE support" depends on ESPRESSIF_EFUSE - default n + default y ---help--- Enable virtual efuse support to simulate eFuse operations in RAM, changes will be reverted each reboot. config ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH bool "Keep E-Fuses in flash" depends on ESPRESSIF_EFUSE_VIRTUAL + default y ---help--- In addition to the "Virtual E-Fuses support" option, this option just adds a feature to keep E-Fuses after reboots in flash memory. @@ -386,6 +387,79 @@ config ESPRESSIF_BOOTLOADER_MCUBOOT ---help--- Enables the Espressif port of MCUboot to be used as 2nd stage bootloader. +config ESPRESSIF_SECURE_FLASH_ENC_ENABLED + bool "Enable Flash Encryption on boot (READ DOCS FIRST)" + default n + depends on ESPRESSIF_BOOTLOADER_MCUBOOT + select ESPRESSIF_EFUSE + ---help--- + If this option is set, flash contents will be encrypted by the bootloader on first boot. + + Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted + system is complicated and not always possible. + + Read https://docs.espressif.com/projects/esp-idf/en/latest/security/flash-encryption.html + before enabling. + +if ESPRESSIF_SECURE_FLASH_ENC_ENABLED + +config ESPRESSIF_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC + bool "Leave UART bootloader encryption enabled" + depends on ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + default n + help + If not set (default), the bootloader will permanently disable UART bootloader encryption access on + first boot. If set, the UART bootloader will still be able to access hardware encryption. + + It is recommended to only set this option in testing environments. + +config ESPRESSIF_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC + bool "Leave UART bootloader decryption enabled" + default n + depends on ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), the bootloader will permanently disable UART bootloader decryption access on + first boot. If set, the UART bootloader will still be able to access hardware decryption. + + Only set this option in testing environments. Setting this option allows complete bypass of flash + encryption. + +config ESPRESSIF_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE + bool "Leave UART bootloader flash cache enabled" + default n + depends on ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), the bootloader will permanently disable UART bootloader flash cache access on + first boot. If set, the UART bootloader will still be able to access the flash cache. + + Only set this option in testing environments. + +choice ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE + bool "Enable usage mode" + default ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + By default, Development mode is enabled which allows ROM download mode to perform Flash Encryption + operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext + to flash). This mode is not secure, it's possible for an attacker to write their own chosen plaintext + to flash. + + Release mode should always be selected for production or manufacturing. Once enabled it's no longer + possible for the device in ROM Download Mode to use the Flash Encryption hardware. + + Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details: + https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html#flash-encryption-configuration + + config ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + bool "Development (NOT SECURE)" + select ESPRESSIF_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC + + config ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + bool "Release" + +endchoice + +endif # ESPRESSIF_SECURE_FLASH_ENC_ENABLED + endmenu # Bootloader and Image Configuration menu "LP Core (Low-power core) Coprocessor Configuration" diff --git a/arch/xtensa/src/common/espressif/esp_spiflash.c b/arch/xtensa/src/common/espressif/esp_spiflash.c index ab82c8fd0dc..8797478f967 100644 --- a/arch/xtensa/src/common/espressif/esp_spiflash.c +++ b/arch/xtensa/src/common/espressif/esp_spiflash.c @@ -27,6 +27,7 @@ #include <nuttx/config.h> #include <nuttx/arch.h> #include <nuttx/init.h> +#include <nuttx/nuttx.h> #include <stdint.h> #include <assert.h> @@ -40,6 +41,8 @@ #include "esp_flash.h" #include "esp_flash_encrypt.h" #include "esp_private/cache_utils.h" +#include "hal/efuse_hal.h" +#include "bootloader_flash_priv.h" #if defined(CONFIG_ARCH_CHIP_ESP32) # include "esp32_irq.h" @@ -72,16 +75,424 @@ # define esp_intr_noniram_disable esp32s3_irq_noniram_disable #endif +#ifdef CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH +#define ENCRYPTION_IS_VIRTUAL (!efuse_hal_flash_encryption_enabled()) +#else +#define ENCRYPTION_IS_VIRTUAL 0 +#endif + +#ifndef ALIGN_OFFSET +#define ALIGN_OFFSET(num, align) ((num) & ((align) - 1)) +#endif + +#ifndef ROUND_DOWN +#define ROUND_DOWN(x, align) ((unsigned long)(x) & ~((unsigned long)align - 1)) +#endif + +#ifndef ROUND_UP +#define ROUND_UP(x, align) \ + (((unsigned long)(x) + ((unsigned long)align - 1)) & \ + ~((unsigned long)align - 1)) +#endif + +#define FLASH_BUFFER_SIZE 32 +#define FLASH_ERASE_VALUE 0xff #define SPIFLASH_OP_TASK_STACKSIZE 768 +/**************************************************************************** + * Private Functions Prototypes + ****************************************************************************/ + +#if CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED +static bool aligned_flash_write(size_t dest_addr, const void *src, + size_t size, bool erase); +static bool aligned_flash_erase(size_t addr, size_t size); +#endif + /**************************************************************************** * Private Data ****************************************************************************/ +#if CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED +static uint8_t write_aux_buf[FLASH_SECTOR_SIZE] = +{ + 0 +}; +static uint8_t erase_aux_buf[FLASH_SECTOR_SIZE] = +{ + 0 +}; +#endif + /**************************************************************************** * Private Functions ****************************************************************************/ +/**************************************************************************** + * Name: flash_esp32_read_check_enc + * + * Description: + * Read data from flash, automatically handling encryption if enabled. + * This function checks if flash encryption is enabled and uses the + * appropriate read function (encrypted or raw). + * + * Input Parameters: + * address - Source address of the data in flash. + * buffer - Pointer to the destination buffer. + * length - Length of data in bytes. + * + * Returned Value: + * OK on success; -EIO on failure. + * + ****************************************************************************/ + +static int flash_esp32_read_check_enc(uint32_t address, void *buffer, + size_t length) +{ + int ret; + + if (esp_flash_encryption_enabled()) + { + finfo("Flash read ENCRYPTED - address 0x%lx size 0x%x", + address, length); + ret = esp_flash_read_encrypted(NULL, address, buffer, length); + } + else + { + finfo("Flash read RAW - address 0x%lx size 0x%x", address, length); + ret = esp_flash_read(NULL, buffer, address, length); + } + + if (ret != OK) + { + ferr("ERROR: failed to read: ret=%d", ret); + return -EIO; + } + + return OK; +} + +/**************************************************************************** + * Name: flash_esp32_write_check_enc + * + * Description: + * Write data to flash, automatically handling encryption if enabled. + * This function checks if flash encryption is enabled and uses the + * appropriate write function (encrypted or raw). + * + * Input Parameters: + * address - Destination address in flash. + * buffer - Pointer to the source buffer. + * length - Length of data in bytes. + * + * Returned Value: + * OK on success; -EIO on failure. + * + ****************************************************************************/ + +static int flash_esp32_write_check_enc(uint32_t address, const void *buffer, + size_t length) +{ + int ret; + + if (esp_flash_encryption_enabled() && !ENCRYPTION_IS_VIRTUAL) + { + finfo("Flash write ENCRYPTED - address 0x%lx size 0x%x", + address, length); + ret = esp_flash_write_encrypted(NULL, address, buffer, length); + } + else + { + finfo("Flash write RAW - address 0x%lx size 0x%x", + address, length); + ret = esp_flash_write(NULL, buffer, address, length); + } + + if (ret != 0) + { + ferr("ERROR: failed to write: ret=%d", ret); + return -EIO; + } + + return OK; +} + +#if CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED +/**************************************************************************** + * Name: aligned_flash_write + * + * Description: + * Write data to flash with proper alignment handling. This function + * ensures that writes are aligned according to flash encryption + * requirements. When flash encryption is enabled, writes must be + * aligned to 32 bytes (or FLASH_SECTOR_SIZE if erase is required). + * For unaligned writes, the function reads the existing data, merges + * it with the new data, and writes back the aligned chunk. + * + * Input Parameters: + * dest_addr - Destination address in flash. + * src - Pointer to the source buffer. + * size - Length of data in bytes. + * erase - If true, erase the region before writing (required when + * flash encryption is enabled). + * + * Returned Value: + * true on success; false on failure. + * + ****************************************************************************/ + +static bool aligned_flash_write(size_t dest_addr, const void *src, + size_t size, bool erase) +{ + bool flash_enc_enabled = esp_flash_encryption_enabled(); + size_t alignment; + size_t write_addr = dest_addr; + size_t bytes_remaining = size; + size_t src_offset = 0; + + /* When flash encryption is enabled, write alignment is 32 bytes, however + * to avoid inconsistences the region may be erased right before writing, + * thus the alignment is set to the erase required alignment + * (FLASH_SECTOR_SIZE). + * When flash encryption is not enabled, regular write alignment + * is 4 bytes. + */ + + alignment = flash_enc_enabled ? (erase ? FLASH_SECTOR_SIZE : 32) : 4; + + if (IS_ALIGNED(dest_addr, alignment) && IS_ALIGNED((uintptr_t)src, 4) && + IS_ALIGNED(size, alignment)) + { + /* A single write operation is enough when all parameters are aligned */ + + if (flash_enc_enabled && erase) + { + if (esp_flash_erase_region(NULL, dest_addr, size) != OK) + { + ferr("ERROR: erase failed at 0x%08x", (uintptr_t)dest_addr); + return false; + } + } + + return flash_esp32_write_check_enc(dest_addr, (void *)src, size) == OK; + } + + finfo("forcing unaligned write dest_addr: " + "0x%08x src: 0x%08x size: 0x%x erase: %c", + (uintptr_t)dest_addr, (uintptr_t)src, size, erase ? 't' : 'f'); + + while (bytes_remaining > 0) + { + size_t aligned_curr_addr = ROUND_DOWN(write_addr, alignment); + size_t curr_buf_off = write_addr - aligned_curr_addr; + size_t chunk_len = MIN(bytes_remaining, + FLASH_SECTOR_SIZE - curr_buf_off); + + /* Read data before modifying */ + + if (flash_esp32_read_check_enc(aligned_curr_addr, write_aux_buf, + ROUND_UP(chunk_len, alignment)) != OK) + { + ferr("ERROR: flash read failed at 0x%08x", + (uintptr_t)aligned_curr_addr); + return false; + } + + /* Erase if needed */ + + if (flash_enc_enabled && erase) + { + if (esp_flash_erase_region(NULL, aligned_curr_addr, + ROUND_UP( + chunk_len, FLASH_SECTOR_SIZE)) != OK) + { + ferr("ERROR: flash erase failed at 0x%08x", + (uintptr_t)aligned_curr_addr); + return false; + } + } + + /* Merge data into buffer */ + + memcpy(&write_aux_buf[curr_buf_off], + &((const uint8_t *)src)[src_offset], + chunk_len); + + /* Write back aligned chunk */ + + if (flash_esp32_write_check_enc(aligned_curr_addr, write_aux_buf, + ROUND_UP(chunk_len, alignment)) != OK) + { + ferr("ERROR: flash write failed at 0x%08x", + (uintptr_t)aligned_curr_addr); + return false; + } + + write_addr += chunk_len; + src_offset += chunk_len; + bytes_remaining -= chunk_len; + } + + return true; +} + +/**************************************************************************** + * Name: erase_partial_sector + * + * Description: + * Erase a partial sector while preserving data outside the erase region. + * This function reads the full sector, erases it, then writes back the + * preserved data at the head and tail of the sector. + * + * Input Parameters: + * addr - Base address of the sector to erase. + * sector_size - Size of the sector in bytes. + * erase_start - Offset from sector start where erase begins. + * erase_end - Offset from sector start where erase ends. + * + * Returned Value: + * true on success; false on failure. + * + ****************************************************************************/ + +static bool erase_partial_sector(size_t addr, size_t sector_size, + size_t erase_start, size_t erase_end) +{ + /* Read full sector before erasing */ + + if (flash_esp32_read_check_enc(addr, erase_aux_buf, sector_size) != OK) + { + ferr("ERROR: flash read failed at 0x%08x", (uintptr_t)addr); + return false; + } + + /* Erase full sector */ + + if (esp_flash_erase_region(NULL, addr, sector_size) != OK) + { + ferr("ERROR: flash erase failed at 0x%08x", (uintptr_t)addr); + return false; + } + + /* Write back preserved head data up to erase_start */ + + if (erase_start > 0) + { + if (!aligned_flash_write(addr, erase_aux_buf, erase_start, false)) + { + ferr("ERROR: flash write failed at 0x%08x", (uintptr_t)addr); + return false; + } + } + + /* Write back preserved tail data from erase_end up to sector end */ + + if (erase_end < sector_size) + { + if (!aligned_flash_write(addr + erase_end, &erase_aux_buf[erase_end], + sector_size - erase_end, false)) + { + ferr("ERROR: flash write failed at 0x%08x", + (uintptr_t)(addr + erase_end)); + return false; + } + } + + return true; +} + +/**************************************************************************** + * Name: aligned_flash_erase + * + * Description: + * Erase a region of flash with proper sector alignment handling. + * This function handles both aligned and unaligned erase operations. + * For unaligned operations, it preserves data outside the erase region + * by reading sectors, erasing them, and writing back the preserved data. + * + * Input Parameters: + * addr - Start address of the region to erase. + * size - Length of the region to erase in bytes. + * + * Returned Value: + * true on success; false on failure. + * + ****************************************************************************/ + +static bool aligned_flash_erase(size_t addr, size_t size) +{ + const size_t sector_size = FLASH_SECTOR_SIZE; + const size_t start_addr = ROUND_DOWN(addr, sector_size); + const size_t end_addr = ROUND_UP(addr + size, sector_size); + const size_t total_len = end_addr - start_addr; + size_t current_addr; + + if (IS_ALIGNED(addr, FLASH_SECTOR_SIZE) && \ + IS_ALIGNED(size, FLASH_SECTOR_SIZE)) + { + /* A single erase operation is enough when all parameters are aligned */ + + return esp_flash_erase_region(NULL, addr, size) == OK; + } + + finfo("forcing unaligned erase on sector offset: " + "0x%08x Length: 0x%x total_len: 0x%x", + (uintptr_t)addr, (int)size, total_len); + + current_addr = start_addr; + + while (current_addr < end_addr) + { + bool preserve_head = (addr > current_addr); + bool preserve_tail = ((addr + size) < (current_addr + sector_size)); + + if (preserve_head || preserve_tail) + { + size_t erase_start = preserve_head ? (addr - current_addr) : 0; + size_t erase_end = + MIN(current_addr + sector_size, addr + size) - current_addr; + + finfo("partial sector erase: 0x%08x to: 0x%08x length: 0x%x", + (uintptr_t)(current_addr + erase_start), + (uintptr_t)(current_addr + erase_end), + erase_end - erase_start); + + if (!erase_partial_sector(current_addr, sector_size, erase_start, + erase_end)) + { + return false; + } + + current_addr += sector_size; + } + else + { + /* Full sector erase is safe, erase the next consecutive full + * sectors + */ + + size_t contiguous_size = + ROUND_DOWN(addr + size, sector_size) - current_addr; + + finfo("sectors erased from: 0x%08x length: 0x%x", + (uintptr_t)current_addr, contiguous_size); + + if (esp_flash_erase_region( + NULL, current_addr, contiguous_size) != OK) + { + ferr("ERROR: flash erase failed at 0x%08x", + (uintptr_t)current_addr); + return false; + } + + current_addr += contiguous_size; + } + } + + return true; +} +#endif /* CONFIG_ESP_FLASH_ENCRYPTION */ + /**************************************************************************** * Name: spi_flash_op_block_task * @@ -227,20 +638,7 @@ int esp_spiflash_read(uint32_t address, void *buffer, { int ret = OK; - if (!esp_flash_encryption_enabled()) - { - ret = esp_flash_read(NULL, buffer, address, length); - } - else - { -#ifdef CONFIG_ARCH_CHIP_ESP32S2 - ferr("encryption not supported on ESP32-S2\n"); - ret = ERROR; -#else - ret = esp_flash_read_encrypted(NULL, address, buffer, length); -#endif - } - + ret = flash_esp32_read_check_enc(address, buffer, length); if (ret != 0) { ferr("esp_flash_read failed %d", ret); @@ -270,20 +668,28 @@ int esp_spiflash_write(uint32_t address, const void *buffer, uint32_t length) { int ret = OK; +#if CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED + bool erase = false; +#endif - if (!esp_flash_encryption_enabled()) +#if CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED + if (esp_flash_encryption_enabled()) { - ret = esp_flash_write(NULL, buffer, address, length); + /* Ensuring flash region has been erased before writing in order to + * avoid inconsistences when hardware flash encryption is enabled. + */ + + erase = true; } - else + + if (!aligned_flash_write(address, buffer, length, erase)) { -#ifdef CONFIG_ARCH_CHIP_ESP32S2 - ferr("encryption not supported on ESP32-S2\n"); - ret = -ERROR; + ferr("flash erase before write failed\n"); + ret = ERROR; + } #else - ret = esp_flash_write_encrypted(NULL, address, buffer, length); + ret = flash_esp32_write_check_enc(address, buffer, length); #endif - } if (ret != 0) { @@ -313,7 +719,49 @@ int esp_spiflash_erase(uint32_t address, uint32_t length) { int ret = OK; +#if CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED + if (!aligned_flash_erase(address, length)) + { + ret = -EIO; + } + + if (esp_flash_encryption_enabled()) + { + uint8_t erased_val_buf[FLASH_BUFFER_SIZE]; + uint32_t bytes_remaining = length; + uint32_t offset = address; + uint32_t bytes_written = MIN(sizeof(erased_val_buf), length); + + memset(erased_val_buf, FLASH_ERASE_VALUE, sizeof(erased_val_buf)); + + /* When hardware flash encryption is enabled, force expected erased + * value (0xFF) into flash when erasing a region. + * This is handled on this implementation because MCUboot's state + * machine relies on erased valued data (0xFF) read from a + * previously erased region that was not written yet, however when + * hardware flash encryption is enabled, the flash read always + * decrypts what's being read from flash, thus a region that was + * erased would not be read as what MCUboot expected (0xFF). + */ + + while (bytes_remaining != 0) + { + if (!aligned_flash_write(offset, erased_val_buf, bytes_written, + false)) + { + ferr("ERROR: aligned_flash_write failed during erase\n"); + ret = ERROR; + break; + } + + offset += bytes_written; + bytes_remaining -= bytes_written; + } + } +#else ret = esp_flash_erase_region(NULL, address, length); +#endif + if (ret != 0) { ferr("ERROR: erase failed: ret=%d", ret); diff --git a/arch/xtensa/src/esp32/Bootloader.mk b/arch/xtensa/src/esp32/Bootloader.mk index c98b614c727..c20b9ab92a9 100644 --- a/arch/xtensa/src/esp32/Bootloader.mk +++ b/arch/xtensa/src/esp32/Bootloader.mk @@ -46,7 +46,7 @@ ifndef MCUBOOT_URL endif ifndef ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT - ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT = 3f02f2139e79ddc60f98ca35ed65c62c6914f079 + ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT = 911dbec8e4a92e70056b58a3d2b0d965b8b7bcc9 endif # Helpers for creating the configuration file @@ -124,10 +124,10 @@ ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) $(if $(CONFIG_UART1_SERIAL_CONSOLE),$(call cfg_val,CONFIG_ESP_CONSOLE_ROM_SERIAL_PORT_NUM,1)) \ $(call cfg_en,CONFIG_IDF_TARGET_ARCH_XTENSA) \ $(call cfg_val,CONFIG_BOOTLOADER_LOG_LEVEL,3) \ + $(if $(CONFIG_ESPRESSIF_EFUSE_VIRTUAL),$(call cfg_en,CONFIG_EFUSE_VIRTUAL)) \ } >> $(BOOTLOADER_CONFIG) ifeq ($(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH),y) $(Q) { \ - $(call cfg_en,CONFIG_EFUSE_VIRTUAL) \ $(call cfg_en,CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH) \ $(call cfg_val,CONFIG_EFUSE_VIRTUAL_OFFSET,$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH_OFFSET)) \ $(call cfg_val,CONFIG_EFUSE_VIRTUAL_SIZE,$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH_SIZE)) \ diff --git a/arch/xtensa/src/esp32/Kconfig b/arch/xtensa/src/esp32/Kconfig index 369bcd7eafa..8144929a69b 100644 --- a/arch/xtensa/src/esp32/Kconfig +++ b/arch/xtensa/src/esp32/Kconfig @@ -1830,9 +1830,9 @@ if ESP32_HAVE_OTA_PARTITION comment "Application Image OTA Update support" config ESP32_OTA_PARTITION_ENCRYPT - bool "Encrypt OTA partitions" - default y - depends on ESP32_SECURE_FLASH_ENC_ENABLED + bool + ---help--- + This option is deprecated. config ESP32_OTA_PRIMARY_SLOT_OFFSET hex "Application image primary slot offset" @@ -1873,14 +1873,14 @@ if ESP32_SPIFLASH comment "General storage MTD Configuration" config ESP32_STORAGE_MTD_ENCRYPT - bool "Encrypt Storage MTD partition" - default y - depends on ESP32_SECURE_FLASH_ENC_ENABLED + bool + ---help--- + This option is deprecated. config ESP32_STORAGE_MTD_OFFSET hex "Storage MTD base address in SPI Flash" default 0x180000 if !ESP32_HAVE_OTA_PARTITION - default 0x250000 if ESP32_HAVE_OTA_PARTITION + default 0x260000 if ESP32_HAVE_OTA_PARTITION ---help--- MTD base address in SPI Flash. @@ -2794,7 +2794,7 @@ endchoice config ESP32_MCUBOOT_VERSION string "MCUboot version" depends on ESP32_APP_FORMAT_MCUBOOT - default "aa4fa2b6e17361dd3ce16a60883059778fd147a9" + default "8a07053d42e592c85cb35b79c4de1b7749943387" config ESP32_APP_MCUBOOT_HEADER_SIZE int "Application image header size (in bytes)" diff --git a/arch/xtensa/src/esp32/Kconfig.security b/arch/xtensa/src/esp32/Kconfig.security index 67ccaaf605d..b7ab5316120 100644 --- a/arch/xtensa/src/esp32/Kconfig.security +++ b/arch/xtensa/src/esp32/Kconfig.security @@ -103,6 +103,8 @@ config ESP32_SECURE_FLASH_ENC_ENABLED bool "Enable Flash Encryption on boot (READ HELP FIRST)" default n depends on ESP32_APP_FORMAT_MCUBOOT + select ESPRESSIF_EFUSE + select ESPRESSIF_SECURE_FLASH_ENC_ENABLED ---help--- If this option is set, flash contents will be encrypted by the bootloader on first boot. diff --git a/arch/xtensa/src/esp32/Make.defs b/arch/xtensa/src/esp32/Make.defs index 766c9adf618..178bfffb636 100644 --- a/arch/xtensa/src/esp32/Make.defs +++ b/arch/xtensa/src/esp32/Make.defs @@ -212,7 +212,7 @@ endif ESP_HAL_3RDPARTY_REPO = esp-hal-3rdparty ifndef ESP_HAL_3RDPARTY_VERSION - ESP_HAL_3RDPARTY_VERSION = 4eed03a15b2678a81dfd1ed0f3bde042b1fdd4c4 + ESP_HAL_3RDPARTY_VERSION = b9472bd56b916cced7447e25c2b2e1390d7e0d90 endif ifndef ESP_HAL_3RDPARTY_URL diff --git a/arch/xtensa/src/esp32/esp32_start.c b/arch/xtensa/src/esp32/esp32_start.c index e8518704678..a7c9f241ccb 100644 --- a/arch/xtensa/src/esp32/esp32_start.c +++ b/arch/xtensa/src/esp32/esp32_start.c @@ -49,6 +49,9 @@ #include "espressif/esp_loader.h" #include "espressif/esp_efuse.h" #include "esp_private/startup_internal.h" +#include "esp_private/spi_flash_os.h" +#include "esp_private/esp_mmu_map_private.h" +#include "bootloader_flash_config.h" #ifdef CONFIG_ESPRESSIF_SIMPLE_BOOT # include "bootloader_init.h" @@ -193,6 +196,16 @@ static noreturn_function void __esp32_start(void) #endif + /* Initialize flash state and MMU */ + + esp_mspi_pin_init(); + + bootloader_flash_update_id(); + + spi_flash_init_chip_state(); + + esp_mmu_map_init(); + #ifndef CONFIG_SMP /* Make sure that the APP_CPU is disabled for now */ diff --git a/arch/xtensa/src/esp32/hal.mk b/arch/xtensa/src/esp32/hal.mk index c6153b8c506..fabdc8de9ce 100644 --- a/arch/xtensa/src/esp32/hal.mk +++ b/arch/xtensa/src/esp32/hal.mk @@ -210,6 +210,9 @@ CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)nuttx$(DELIM)src$(DELI # Bootloader files CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)flash_encrypt.c +CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)bootloader_flash.c +CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)bootloader_flash_config_${CHIP_SERIES}.c +CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_rom$(DELIM)patches$(DELIM)esp_rom_spiflash.c ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y) CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)nuttx$(DELIM)src$(DELIM)bootloader_banner_wrap.c @@ -219,8 +222,6 @@ ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y) CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_init.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_common.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_common_loader.c - CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)bootloader_flash.c - CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)bootloader_flash_config_${CHIP_SERIES}.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)flash_qio_mode.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_clock_init.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_clock_loader.c @@ -233,7 +234,6 @@ ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y) CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_sha.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_hw_support$(DELIM)port$(DELIM)$(CHIP_SERIES)$(DELIM)rtc_clk_init.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_rom$(DELIM)patches$(DELIM)esp_rom_sys.c - CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_rom$(DELIM)patches$(DELIM)esp_rom_spiflash.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_rom$(DELIM)patches$(DELIM)esp_rom_crc.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)hal$(DELIM)mpu_hal.c diff --git a/arch/xtensa/src/esp32s2/Bootloader.mk b/arch/xtensa/src/esp32s2/Bootloader.mk index 1ea1889dc45..c594a468bb3 100644 --- a/arch/xtensa/src/esp32s2/Bootloader.mk +++ b/arch/xtensa/src/esp32s2/Bootloader.mk @@ -48,7 +48,7 @@ ifndef MCUBOOT_URL endif ifndef ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT - ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT = 3f02f2139e79ddc60f98ca35ed65c62c6914f079 + ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT = 911dbec8e4a92e70056b58a3d2b0d965b8b7bcc9 endif $(BOOTLOADER_DIR): @@ -126,7 +126,15 @@ endif $(if $(CONFIG_UART1_SERIAL_CONSOLE),$(call cfg_val,CONFIG_ESP_CONSOLE_ROM_SERIAL_PORT_NUM,1)) \ $(call cfg_en,CONFIG_IDF_TARGET_ARCH_XTENSA) \ $(call cfg_val,CONFIG_BOOTLOADER_LOG_LEVEL,3) \ + $(if $(CONFIG_ESPRESSIF_EFUSE_VIRTUAL),$(call cfg_en,CONFIG_EFUSE_VIRTUAL)) \ } >> $(BOOTLOADER_CONFIG) +ifeq ($(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH),y) + $(Q) { \ + $(call cfg_en,CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH) \ + $(call cfg_val,CONFIG_EFUSE_VIRTUAL_OFFSET,$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH_OFFSET)) \ + $(call cfg_val,CONFIG_EFUSE_VIRTUAL_SIZE,$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH_SIZE)) \ + } >> $(BOOTLOADER_CONFIG) +endif endif ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y) diff --git a/arch/xtensa/src/esp32s2/Kconfig b/arch/xtensa/src/esp32s2/Kconfig index 3b7d74d8712..75d3b2869a4 100644 --- a/arch/xtensa/src/esp32s2/Kconfig +++ b/arch/xtensa/src/esp32s2/Kconfig @@ -1448,7 +1448,7 @@ endchoice config ESP32S2_MCUBOOT_VERSION string "MCUboot version" - default "aa4fa2b6e17361dd3ce16a60883059778fd147a9" + default "8a07053d42e592c85cb35b79c4de1b7749943387" depends on ESP32S2_APP_FORMAT_MCUBOOT config ESP32S2_APP_MCUBOOT_HEADER_SIZE diff --git a/arch/xtensa/src/esp32s2/Kconfig.security b/arch/xtensa/src/esp32s2/Kconfig.security index 1776b775550..0cc90e53088 100644 --- a/arch/xtensa/src/esp32s2/Kconfig.security +++ b/arch/xtensa/src/esp32s2/Kconfig.security @@ -106,6 +106,7 @@ config ESP32S2_SECURE_FLASH_ENC_ENABLED bool "Enable Flash Encryption on boot (READ HELP FIRST)" default n depends on ESP32S2_APP_FORMAT_MCUBOOT + select ESPRESSIF_EFUSE ---help--- If this option is set, flash contents will be encrypted by the bootloader on first boot. diff --git a/arch/xtensa/src/esp32s2/hal.mk b/arch/xtensa/src/esp32s2/hal.mk index 90605c4f48f..d023f3f87e2 100644 --- a/arch/xtensa/src/esp32s2/hal.mk +++ b/arch/xtensa/src/esp32s2/hal.mk @@ -107,6 +107,9 @@ endif # Source files +CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)nuttx$(DELIM)src$(DELIM)components$(DELIM)esp_driver_gpio$(DELIM)src$(DELIM)rtc_io.c +CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)nuttx$(DELIM)src$(DELIM)components$(DELIM)esp_security$(DELIM)src$(DELIM)esp_crypto_lock.c + CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_adc$(DELIM)adc_cali.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_adc$(DELIM)$(CHIP_SERIES)$(DELIM)adc_cali_line_fitting.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)efuse$(DELIM)src$(DELIM)esp_efuse_fields.c @@ -142,7 +145,6 @@ CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)log$ CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)log$(DELIM)src$(DELIM)os$(DELIM)log_write.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)log$(DELIM)src$(DELIM)os$(DELIM)util.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)mbedtls$(DELIM)port$(DELIM)sha$(DELIM)core$(DELIM)esp_sha256.c -CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)nuttx$(DELIM)src$(DELIM)components$(DELIM)esp_driver_gpio$(DELIM)src$(DELIM)rtc_io.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_hw_support$(DELIM)adc_share_hw_ctrl.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_hw_support$(DELIM)clk_ctrl_os.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_hw_support$(DELIM)clk_utils.c @@ -249,6 +251,7 @@ CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)esp_ CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)${CHIP_SERIES}$(DELIM)bootloader_soc.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_random_${CHIP_SERIES}.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)flash_encrypt.c +CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)bootloader_flash.c ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y) CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)nuttx$(DELIM)src$(DELIM)bootloader_banner_wrap.c @@ -258,7 +261,6 @@ ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y) CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_init.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_common.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_common_loader.c - CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)bootloader_flash.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)bootloader_flash_config_${CHIP_SERIES}.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)bootloader_flash$(DELIM)src$(DELIM)flash_qio_mode.c CHIP_CSRCS += chip$(DELIM)$(ESP_HAL_3RDPARTY_REPO)$(DELIM)components$(DELIM)bootloader_support$(DELIM)src$(DELIM)bootloader_clock_init.c diff --git a/arch/xtensa/src/esp32s3/Bootloader.mk b/arch/xtensa/src/esp32s3/Bootloader.mk index d3f6d16e29c..ffcb360d34c 100644 --- a/arch/xtensa/src/esp32s3/Bootloader.mk +++ b/arch/xtensa/src/esp32s3/Bootloader.mk @@ -46,7 +46,7 @@ ifndef MCUBOOT_URL endif ifndef ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT - ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT = 3f02f2139e79ddc60f98ca35ed65c62c6914f079 + ESP_HAL_3RDPARTY_VERSION_FOR_MCUBOOT = 911dbec8e4a92e70056b58a3d2b0d965b8b7bcc9 endif $(BOOTLOADER_DIR): @@ -95,10 +95,15 @@ ifeq ($(CONFIG_ESP32S3_APP_FORMAT_MCUBOOT),y) $(call cfg_en,CONFIG_BOOTLOADER_FLASH_XMC_SUPPORT) \ $(call cfg_en,CONFIG_IDF_TARGET_ARCH_XTENSA) \ $(call cfg_val,CONFIG_BOOTLOADER_LOG_LEVEL,3) \ + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_ENC_ENABLED)) \ + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT)) \ + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC)) \ + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC)) \ + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE)) \ + $(if $(CONFIG_ESPRESSIF_EFUSE_VIRTUAL),$(call cfg_en,CONFIG_EFUSE_VIRTUAL)) \ } >> $(BOOTLOADER_CONFIG) ifeq ($(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH),y) $(Q) { \ - $(call cfg_en,CONFIG_EFUSE_VIRTUAL) \ $(call cfg_en,CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH) \ $(call cfg_val,CONFIG_EFUSE_VIRTUAL_OFFSET,$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH_OFFSET)) \ $(call cfg_val,CONFIG_EFUSE_VIRTUAL_SIZE,$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL_KEEP_IN_FLASH_SIZE)) \ diff --git a/arch/xtensa/src/esp32s3/Kconfig b/arch/xtensa/src/esp32s3/Kconfig index cbe941cc610..a3cb896c243 100644 --- a/arch/xtensa/src/esp32s3/Kconfig +++ b/arch/xtensa/src/esp32s3/Kconfig @@ -2786,7 +2786,7 @@ endchoice config ESP32S3_MCUBOOT_VERSION string "MCUboot version" - default "aa4fa2b6e17361dd3ce16a60883059778fd147a9" + default "8a07053d42e592c85cb35b79c4de1b7749943387" depends on ESP32S3_APP_FORMAT_MCUBOOT config ESP32S3_APP_MCUBOOT_HEADER_SIZE diff --git a/boards/xtensa/esp32/common/scripts/esp32_sections.ld b/boards/xtensa/esp32/common/scripts/esp32_sections.ld index bb7472f871d..45aa551873c 100644 --- a/boards/xtensa/esp32/common/scripts/esp32_sections.ld +++ b/boards/xtensa/esp32/common/scripts/esp32_sections.ld @@ -267,6 +267,7 @@ SECTIONS *libarch.a:spi_flash_os_func_app.*(.literal .literal.* .text .text.*) *libarch.a:flash_brownout_hook.*(.literal .literal.* .text .text.*) *libarch.a:esp_cache.*(.literal .literal.* .text .text.*) + *libarch.a:cache_esp32.*(.literal .literal.* .text .text.*) *libarch.a:cache_hal_esp32.*(.literal .literal.* .text .text.*) *libarch.a:cache_utils.*(.literal .literal.* .text .text.*) *libarch.a:memspi_host_driver.*(.literal .literal.* .text .text.*) @@ -484,6 +485,7 @@ SECTIONS *libarch.a:spi_flash_os_func_app.*(.rodata .rodata.*) *libarch.a:flash_brownout_hook.*(.rodata .rodata.*) *libarch.a:esp_cache.*(.rodata .rodata.*) + *libarch.a:cache_esp32.*(.rodata .rodata.*) *libarch.a:cache_utils.*(.rodata .rodata.*) *libarch.a:cache_hal_esp32.*(.rodata .rodata.*) *libarch.a:memspi_host_driver.*(.rodata .rodata.*) diff --git a/boards/xtensa/esp32/common/src/esp32_board_spiflash.c b/boards/xtensa/esp32/common/src/esp32_board_spiflash.c index 1f228c13689..965bf28af11 100644 --- a/boards/xtensa/esp32/common/src/esp32_board_spiflash.c +++ b/boards/xtensa/esp32/common/src/esp32_board_spiflash.c @@ -53,15 +53,11 @@ ****************************************************************************/ #ifdef CONFIG_ESP32_OTA_PARTITION_ENCRYPT -# define OTA_ENCRYPT true -#else -# define OTA_ENCRYPT false +# warning "CONFIG_ESP32_OTA_PARTITION_ENCRYPT is deprecated" #endif #ifdef CONFIG_ESP32_STORAGE_MTD_ENCRYPT -# define STORAGE_ENCRYPT true -#else -# define STORAGE_ENCRYPT false +# warning "CONFIG_ESP32_STORAGE_MTD_ENCRYPT is deprecated" #endif /**************************************************************************** diff --git a/tools/esp32s3/Config.mk b/tools/esp32s3/Config.mk index 4397b545c9d..ee9717e5fcc 100644 --- a/tools/esp32s3/Config.mk +++ b/tools/esp32s3/Config.mk @@ -107,7 +107,11 @@ else ifeq ($(CONFIG_ESP32S3_APP_FORMAT_MCUBOOT),y) APP_IMAGE := nuttx.bin FLASH_APP := $(APP_OFFSET) $(APP_IMAGE) - IMGTOOL_ALIGN_ARGS := --align 4 +ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y) + IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32 +else + IMGTOOL_ALIGN_ARGS := --align 4 +endif IMGTOOL_SIGN_ARGS := --pad $(VERIFIED) $(IMGTOOL_ALIGN_ARGS) -v 0 -s auto \ -H $(CONFIG_ESP32S3_APP_MCUBOOT_HEADER_SIZE) --pad-header \ -S $(CONFIG_ESP32S3_OTA_SLOT_SIZE)
