Add is_secure_boot_enable and is_secure_lock_enabled to PHY.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

src/fs/otp.c

@@ -125,6 +125,45 @@ typedef esp_err_t otp_ret_t;
 #define SECURE_BOOT_BOOTKEY_INDEX 0
 #endif
 
+bool otp_is_secure_boot_enabled() {
+#ifdef PICO_RP2350
+    alignas(2) uint8_t BOOTKEY[] = "\xe1\xd1\x6b\xa7\x64\xab\xd7\x12\xd4\xef\x6e\x3e\xdd\x74\x4e\xd5\x63\x8c\x26\xb\x77\x1c\xf9\x81\x51\x11\xb\xaf\xac\x9b\xc8\x71";
+    const uint8_t *bootkey = otp_buffer(OTP_DATA_BOOTKEY0_0_ROW + 0x10*bootkey);
+    if (memcmp(bootkey, BOOTKEY, sizeof(BOOTKEY)) != 0) {
+        return false;
+    }
+    const uint8_t *boot_flags1 = otp_buffer(OTP_DATA_BOOT_FLAGS1_ROW);
+    if ((boot_flags1[0] & (1 << (SECURE_BOOT_BOOTKEY_INDEX + OTP_DATA_BOOT_FLAGS1_KEY_VALID_LSB))) == 0) {
+        return false;
+    }
+    const uint8_t *crit1 = otp_buffer(OTP_DATA_CRIT1_ROW);
+    if ((crit1[0] & (1 << OTP_DATA_CRIT1_SECURE_BOOT_ENABLE_LSB)) == 0) {
+        return false;
+    }
+#elif defined(ESP_PLATFORM)
+    // TODO: Implement secure boot check for ESP32-S3
+#endif
+    return true;
+}
+
+bool otp_is_secure_boot_locked() {
+#ifdef PICO_RP2350
+    const uint8_t *boot_flags1 = otp_buffer_raw(OTP_DATA_BOOT_FLAGS1_ROW);
+    if ((boot_flags1[1] & ((OTP_DATA_BOOT_FLAGS1_KEY_INVALID_BITS >> OTP_DATA_BOOT_FLAGS1_KEY_INVALID_LSB) & (~(1 << SECURE_BOOT_BOOTKEY_INDEX)))) == 0) {
+        return false;
+    }
+    const uint8_t *crit1 = otp_buffer_raw(OTP_DATA_CRIT1_ROW);
+    if ((crit1[0] & (1 << OTP_DATA_CRIT1_DEBUG_DISABLE_LSB)) == 0
+        || (crit1[0] & (1 << OTP_DATA_CRIT1_GLITCH_DETECTOR_ENABLE_LSB)) == 0
+        || ((crit1[0] & (3 << OTP_DATA_CRIT1_GLITCH_DETECTOR_SENS_LSB)) != (3 << OTP_DATA_CRIT1_GLITCH_DETECTOR_SENS_LSB))) {
+        return false;
+    }
+#elif defined(ESP_PLATFORM)
+    // TODO: Implement secure boot lock check for ESP32-S3
+#endif
+    return true;
+}
+
 int otp_enable_secure_boot(uint8_t bootkey, bool secure_lock) {
     int ret = 0;
 #ifdef PICO_RP2350

src/fs/otp.h

@@ -50,4 +50,7 @@ extern void init_otp_files();
 extern const uint8_t *otp_key_1;
 extern const uint8_t *otp_key_2;
 
+extern bool otp_is_secure_boot_enabled();
+extern bool otp_is_secure_boot_locked();
+
 #endif // _OTP_H_

src/fs/phy.c

@@ -17,6 +17,7 @@
 
 #include "pico_keys.h"
 #include "file.h"
+#include "otp.h"
 
 #ifndef ENABLE_EMULATION
 
@@ -47,7 +48,14 @@ int phy_serialize_data(const phy_data_t *phy, uint8_t *data, uint16_t *len) {
     }
     *p++ = PHY_OPTS;
     *p++ = 2;
-    p += put_uint16_t_be(phy->opts, p);
+    uint16_t opts = phy->opts;
+    if (otp_is_secure_boot_enabled()) {
+        opts |= PHY_OPT_SECBOOT;
+    }
+    if (otp_is_secure_boot_locked()) {
+        opts |= PHY_OPT_SECLOCK;
+    }
+    p += put_uint16_t_be(opts, p);
     if (phy->up_btn_present) {
         *p++ = PHY_UP_BTN;
         *p++ = 1;
@@ -115,6 +123,12 @@ int phy_unserialize_data(const uint8_t *data, uint16_t len, phy_data_t *phy) {
             case PHY_OPTS:
                 if (tlen == 2) {
                     phy->opts = get_uint16_t_be(p);
+                    if (otp_is_secure_boot_enabled()) {
+                        phy->opts |= PHY_OPT_SECBOOT;
+                    }
+                    if (otp_is_secure_boot_locked()) {
+                        phy->opts |= PHY_OPT_SECLOCK;
+                    }
                     p += 2;
                 }
                 break;

src/fs/phy.h

@@ -34,6 +34,8 @@
 #define PHY_OPT_DIMM    0x2
 #define PHY_OPT_DISABLE_POWER_RESET 0x4
 #define PHY_OPT_LED_STEADY 0x8
+#define PHY_OPT_SECBOOT    0x10
+#define PHY_OPT_SECLOCK    0x20
 
 #define PHY_CURVE_SECP256R1  0x1
 #define PHY_CURVE_SECP384R1  0x2