bootutil: add MCUBOOT_FLASH_HAS_HW_ENCRYPTION config-condition

MCUboot's state machine relies on erased valued data
(e.g. 0xFF) readed from this erased region that could
be not written  before, however if the flash device has
hardware flash encryption and its flash read operation
always decrypts what is being read from flash, thus a
region that was erased would not be read as what
MCUboot expected (after erasing, the region
physically contains 0xFF, but once reading it, flash
controller decrypts 0xFF to something else).
So this configuration force the erased value into the
region after the erasing the trailer regions, and also
make an erase operation before writing trailers.

Signed-off-by: Almir Okato <[email protected]>

Author: almir-okato

boot/bootutil/src/bootutil_public.c

@@ -327,6 +327,11 @@ boot_write_magic(const struct flash_area *fap)
     BOOT_LOG_DBG("boot_write_magic: fa_id=%d off=0x%lx (0x%lx)",
                  flash_area_get_id(fap), (unsigned long)off,
                  (unsigned long)(flash_area_get_off(fap) + off));
+
+#ifdef MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+    rc = flash_area_erase(fap, pad_off, BOOT_MAGIC_ALIGN_SIZE);
+#endif
+
     rc = flash_area_write(fap, pad_off, &magic[0], BOOT_MAGIC_ALIGN_SIZE);
 
     if (rc != 0) {
@@ -365,6 +370,10 @@ boot_write_trailer(const struct flash_area *fap, uint32_t off,
     memcpy(buf, inbuf, inlen);
     memset(&buf[inlen], erased_val, align - inlen);
 
+#ifdef MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+    rc = flash_area_erase(fap, off, align);
+#endif
+
     rc = flash_area_write(fap, off, buf, align);
     if (rc != 0) {
         return BOOT_EFLASH;

boot/bootutil/src/loader.c

@@ -652,6 +652,9 @@ boot_write_status(const struct boot_loader_state *state, struct boot_status *bs)
                  flash_area_get_id(fap), (unsigned long)off,
                  (unsigned long)flash_area_get_off(fap) + off);
 
+#ifdef MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+    rc = flash_area_erase(fap, off, align);
+#endif
     rc = flash_area_write(fap, off, buf, align);
     if (rc != 0) {
         rc = BOOT_EFLASH;

boot/bootutil/src/swap_misc.c

@@ -64,6 +64,40 @@ swap_erase_trailer_sectors(const struct boot_loader_state *state,
             rc = boot_erase_region(fap, off, sz, false);
             assert(rc == 0);
 
+#ifdef MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+        /* MCUboot's state machine relies on erased valued data
+         * (e.g. 0xFF) readed from this erased region that could
+         * be not written before, however if the flash device has
+         * hardware flash encryption and its flash read operation
+         * always decrypts what is being read from flash, thus a
+         * region that was erased would not be read as what
+         * MCUboot expected (after erasing, the region
+         * physically contains 0xFF, but once reading it, flash
+         * controller decrypts 0xFF to something else).
+         * So this configuration force the erased value into the
+         * region after the erasing.
+         */
+#ifndef MIN
+#  define MIN(a, b)                 (((a) < (b)) ? (a) : (b))
+#endif
+
+        uint8_t write_data[FLASH_AUX_WRITE_BUFFER_SIZE];
+        memset(write_data, flash_area_erased_val(fap), sizeof(write_data));
+        uint32_t bytes_remaining = sz;
+        uint32_t offset = off;
+
+        uint32_t bytes_written = MIN(sizeof(write_data), sz);
+        while (bytes_remaining != 0) {
+            if (flash_area_write(fap, offset, write_data, bytes_written)) {
+                BOOT_LOG_ERR("%s: Force write erased value after erasing a trailer region failed", __func__);
+                rc = -1;
+                break;
+            }
+            offset += bytes_written;
+            bytes_remaining -= bytes_written;
+        }
+#endif // MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+
             sector--;
             total_sz += sz;
         } while (total_sz < trailer_sz);
@@ -92,6 +126,40 @@ swap_scramble_trailer_sectors(const struct boot_loader_state *state,
         return BOOT_EFLASH;
     }
 
+#ifdef MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+        /* MCUboot's state machine relies on erased valued data
+         * (e.g. 0xFF) readed from this erased region that could
+         * be not written before, however if the flash device has
+         * hardware flash encryption and its flash read operation
+         * always decrypts what is being read from flash, thus a
+         * region that was erased would not be read as what
+         * MCUboot expected (after erasing, the region
+         * physically contains 0xFF, but once reading it, flash
+         * controller decrypts 0xFF to something else).
+         * So this configuration force the erased value into the
+         * region after the erasing.
+         */
+#ifndef MIN
+#  define MIN(a, b)                 (((a) < (b)) ? (a) : (b))
+#endif
+
+        uint8_t write_data[FLASH_AUX_WRITE_BUFFER_SIZE];
+        memset(write_data, flash_area_erased_val(fap), sizeof(write_data));
+        uint32_t bytes_remaining = (flash_area_get_size(fap) - off);
+        uint32_t offset = off;
+
+        uint32_t bytes_written = MIN(sizeof(write_data), (flash_area_get_size(fap) - off));
+        while (bytes_remaining != 0) {
+            if (flash_area_write(fap, offset, write_data, bytes_written)) {
+                BOOT_LOG_ERR("%s: Force write erased value after erasing a trailer region failed", __func__);
+                rc = -1;
+                break;
+            }
+            offset += bytes_written;
+            bytes_remaining -= bytes_written;
+        }
+#endif // MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+
     return 0;
 }
 

boot/bootutil/src/swap_scratch.c

@@ -943,6 +943,15 @@ swap_run(struct boot_loader_state *state, struct boot_status *bs,
         swap_idx++;
     }
 
+#ifdef MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+    int rc;
+    /* Ensure that the trailer from scratch area will have
+     * unset state after the swap process finishes.
+     */
+    rc = swap_scramble_trailer_sectors(state, state->scratch.area);
+    assert(rc == 0);
+#endif // MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+
 }
 #endif /* !MCUBOOT_OVERWRITE_ONLY */
 

boot/espressif/hal/include/mcuboot_config/mcuboot_config.h

@@ -33,6 +33,14 @@
 #define MCUBOOT_BOOT_MAX_ALIGN 32
 #endif
 
+#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
+#define MCUBOOT_FLASH_HAS_HW_ENCRYPTION 1
+#endif
+
+#ifdef MCUBOOT_FLASH_HAS_HW_ENCRYPTION
+#define FLASH_AUX_WRITE_BUFFER_SIZE 0x100
+#endif
+
 /*
  * Upgrade mode
  *