doc: Add warnings about using JTAG debugging with hardware security features
This is related to the following issues but is not a fix, just documentation of a workaround until we can improve the support: https://github.com/espressif/esp-idf/issues/4878 https://github.com/espressif/esp-idf/issues/4734
This commit is contained in:
parent
c955b7d133
commit
07c1d9d9c7
4 changed files with 68 additions and 2 deletions
|
@ -234,6 +234,36 @@ Below is an excerpt from series of errors reported by GDB after the application
|
||||||
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an exception!
|
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an exception!
|
||||||
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an overrun!
|
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an overrun!
|
||||||
|
|
||||||
|
.. _jtag-debugging-security-features:
|
||||||
|
|
||||||
|
JTAG with Flash Encryption or Secure Boot
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
By default, enabling Flash Encryption and/or Secure Boot will disable JTAG debugging. On first boot, the bootloader will burn an eFuse bit to permanently disable JTAG at the same time it enables the other features.
|
||||||
|
|
||||||
|
The project configuration option :ref:`CONFIG_SECURE_BOOT_ALLOW_JTAG` will keep JTAG enabled at this time, removing all physical security but allowing debugging. (Although the name suggests Secure Boot, this option can be applied even when only Flash Encryption is enabled).
|
||||||
|
|
||||||
|
However, OpenOCD may attempt to automatically read and write the flash in order to set :ref:`software breakpoints <jtag-debugging-tip-where-breakpoints>`. This has two problems:
|
||||||
|
|
||||||
|
- Software breakpoints are incompatible with Flash Encryption, OpenOCD currently has no support for encrypting or decrypting flash contents.
|
||||||
|
- If Secure Boot is enabled, setting a software breakpoint will change the digest of a signed app and make the signature invalid. This means if a software breakpoint is set and then a reset occurs, the signature verification will fail on boot.
|
||||||
|
|
||||||
|
To disable software breakpoints while using JTAG, add an extra argument ``-c 'set ESP_FLASH_SIZE 0'`` to the start of the OpenOCD command line. For example::
|
||||||
|
|
||||||
|
openocd -c 'set ESP_FLASH_SIZE 0' -f board/esp32-wrover-kit-3.3v.cfg
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
For the same reason, the ESP-IDF app may fail bootloader verification of app signatures, when this option is enabled and a software breakpoint is set.
|
||||||
|
|
||||||
|
.. _jtag-debugging-tip-at-firmware-issue:
|
||||||
|
|
||||||
|
JTAG and ESP32-WROOM-32 AT firmware Compatibility Issue
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
The ESP32-WROOM series of modules come pre-flashed with AT firmware. This firmware configures the pins GPIO12 to GPIO15 as SPI slave interface, which makes using JTAG impossible.
|
||||||
|
|
||||||
|
To make JTAG available, build new firmware that is not using pins GPIO12 to GPIO15 dedicated to JTAG communication. After that, flash the firmware onto your module. See also :ref:`jtag-debugging-tip-jtag-pins-reconfigured`.
|
||||||
|
|
||||||
.. _jtag-debugging-tip-reporting-issues:
|
.. _jtag-debugging-tip-reporting-issues:
|
||||||
|
|
||||||
|
|
|
@ -594,8 +594,8 @@ It is recommended to use flash encryption and secure boot together. However, if
|
||||||
|
|
||||||
.. _flash-encryption-advanced-features:
|
.. _flash-encryption-advanced-features:
|
||||||
|
|
||||||
Flash Encryption Advanced Features
|
Advanced Features
|
||||||
----------------------------------
|
-----------------
|
||||||
|
|
||||||
The following information is useful for advanced use of flash encryption:
|
The following information is useful for advanced use of flash encryption:
|
||||||
|
|
||||||
|
@ -661,6 +661,12 @@ It is possible to write these eFuse manually, and write protect it before first
|
||||||
|
|
||||||
It is strongly recommended to never write protect ``FLASH_CRYPT_CONFIG`` when it the value is zero. If this eFuse is set to zero, no bits in the flash encryption key are tweaked and the flash encryption algorithm is equivalent to AES ECB mode.
|
It is strongly recommended to never write protect ``FLASH_CRYPT_CONFIG`` when it the value is zero. If this eFuse is set to zero, no bits in the flash encryption key are tweaked and the flash encryption algorithm is equivalent to AES ECB mode.
|
||||||
|
|
||||||
|
JTAG Debugging
|
||||||
|
^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
By default, when Flash Encryption is enabled (in either Development or Release mode) then JTAG debugging is disabled via eFuse. The bootloader does this on first boot, at the same time it enables flash encryption.
|
||||||
|
|
||||||
|
See :ref:`jtag-debugging-security-features` for more information about using JTAG Debugging with Flash Encryption.
|
||||||
|
|
||||||
Technical Details
|
Technical Details
|
||||||
-----------------
|
-----------------
|
||||||
|
|
|
@ -300,3 +300,12 @@ How To Enable Signed App Verification
|
||||||
4. If you disable "Sign binaries during build" option then you'll have to enter path of a public key file used to verify signed images in "Secure boot public signature verification key".
|
4. If you disable "Sign binaries during build" option then you'll have to enter path of a public key file used to verify signed images in "Secure boot public signature verification key".
|
||||||
In this case, private signing key should be generated by following instructions in :ref:`secure-boot-generate-key`; public verification key and signed image should be generated by following instructions in :ref:`remote-sign-image`.
|
In this case, private signing key should be generated by following instructions in :ref:`secure-boot-generate-key`; public verification key and signed image should be generated by following instructions in :ref:`remote-sign-image`.
|
||||||
|
|
||||||
|
Advanced Features
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
JTAG Debugging
|
||||||
|
~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
By default, when Secure Boot is enabled then JTAG debugging is disabled via eFuse. The bootloader does this on first boot, at the same time it enables Secure Boot.
|
||||||
|
|
||||||
|
See :ref:`jtag-debugging-security-features` for more information about using JTAG Debugging with either Secure Boot or signed app verification enabled.
|
||||||
|
|
|
@ -233,6 +233,27 @@ ESP32 的目标配置文件
|
||||||
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an exception!
|
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an exception!
|
||||||
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an overrun!
|
cpu1: xtensa_resume (line 431): DSR (FFFFFFFF) indicates DIR instruction generated an overrun!
|
||||||
|
|
||||||
|
.. _jtag-debugging-security-features:
|
||||||
|
|
||||||
|
JTAG with Flash Encryption or Secure Boot
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
By default, enabling Flash Encryption and/or Secure Boot will disable JTAG debugging. On first boot, the bootloader will burn an eFuse bit to permanently disable JTAG at the same time it enables the other features.
|
||||||
|
|
||||||
|
The project configuration option :ref:`CONFIG_SECURE_BOOT_ALLOW_JTAG` will keep JTAG enabled at this time, removing all physical security but allowing debugging. (Although the name suggests Secure Boot, this option can be applied even when only Flash Encryption is enabled).
|
||||||
|
|
||||||
|
However, OpenOCD may attempt to automatically read and write the flash in order to set :ref:`software breakpoints <jtag-debugging-tip-where-breakpoints>`. This has two problems:
|
||||||
|
|
||||||
|
- Software breakpoints are incompatible with Flash Encryption, OpenOCD currently has no support for encrypting or decrypting flash contents.
|
||||||
|
- If Secure Boot is enabled, setting a software breakpoint will change the digest of a signed app and make the signature invalid. This means if a software breakpoint is set and then a reset occurs, the signature verification will fail on boot.
|
||||||
|
|
||||||
|
To disable software breakpoints while using JTAG, add an extra argument ``-c 'set ESP_FLASH_SIZE 0'`` to the start of the OpenOCD command line. For example::
|
||||||
|
|
||||||
|
openocd -c 'set ESP_FLASH_SIZE 0' -f board/esp32-wrover-kit-3.3v.cfg
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
For the same reason, the ESP-IDF app may fail bootloader verification of app signatures, when this option is enabled and a software breakpoint is set.
|
||||||
|
|
||||||
.. _jtag-debugging-tip-reporting-issues:
|
.. _jtag-debugging-tip-reporting-issues:
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue