From 802df9e70534e8565d9e9547ed9f8bd2dac762ea Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Mon, 4 Nov 2024 18:31:34 +0100
Subject: [PATCH] Add flags to enable secure boot and secure boot lock via
 firmware on boot.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
---
 pico_keys_sdk_import.cmake | 22 ++++++++++++++++++
 src/fs/otp.c               | 46 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/pico_keys_sdk_import.cmake b/pico_keys_sdk_import.cmake
index 58d16c8..612c1fd 100644
--- a/pico_keys_sdk_import.cmake
+++ b/pico_keys_sdk_import.cmake
@@ -113,6 +113,28 @@ endif()
 
 message(STATUS "USB VID/PID:\t\t\t ${USB_VID}:${USB_PID}")
 
+option(ENABLE_SECURE_BOOT_FIRMWARE "Enable Secure Boot through the firmware" OFF)
+if(ENABLE_SECURE_BOOT_FIRMWARE)
+    add_definitions(-DENABLE_SECURE_BOOT_FIRMWARE)
+    message(STATUS "Secure boot firmware:\t enabled")
+
+    option(SECURE_BOOT_BOOTKEY_INDEX "Enable Secure Boot through the firmware" OFF)
+    if(SECURE_BOOT_BOOTKEY_INDEX)
+        add_definitions(-DSECURE_BOOT_BOOTKEY_INDEX=${SECURE_BOOT_BOOTKEY_INDEX})
+        message(STATUS "Secure boot bootkey index:\t ${SECURE_BOOT_BOOTKEY_INDEX}")
+    endif(SECURE_BOOT_BOOTKEY_INDEX)
+
+    option(ENABLE_SECURE_BOOT_LOCK_FIRMWARE "Enable Secure Boot Lock through the firmware" OFF)
+    if(ENABLE_SECURE_BOOT_LOCK_FIRMWARE)
+        add_definitions(-DENABLE_SECURE_BOOT_LOCK_FIRMWARE)
+        message(STATUS "Secure boot lock firmware:\t enabled")
+    else()
+        message(STATUS "Secure boot lock firmware:\t disabled")
+    endif(ENABLE_SECURE_BOOT_LOCK_FIRMWARE)
+else()
+    message(STATUS "Secure boot firmware:\t disabled")
+endif(ENABLE_SECURE_BOOT_FIRMWARE)
+
 set(MBEDTLS_SOURCES
     ${CMAKE_CURRENT_LIST_DIR}/mbedtls/library/aes.c
     ${CMAKE_CURRENT_LIST_DIR}/mbedtls/library/asn1parse.c
diff --git a/src/fs/otp.c b/src/fs/otp.c
index 07c765c..5c98517 100644
--- a/src/fs/otp.c
+++ b/src/fs/otp.c
@@ -116,6 +116,52 @@ void init_otp_files() {
     otp_key_1 = otp_buffer(OTP_KEY_1);
 
     otp_lock_page(page);
+#ifdef ENABLE_SECURE_BOOT_FIRMWARE
+    uint8_t BOOTKEY[] = "\xe1\xd1\x6b\xa7\x64\xab\xd7\x12\xd4\xef\x6e\x3e\xdd\x74\x4e\xd5\x63\x8c\x26\xb\x77\x1c\xf9\x81\x51\x11\xb\xaf\xac\x9b\xc8\x71";
+#ifndef SECURE_BOOT_BOOTKEY_INDEX
+#define SECURE_BOOT_BOOTKEY_INDEX 0
+#endif
+    if (is_empty_otp_buffer(OTP_DATA_BOOTKEY0_0_ROW + 0x10*SECURE_BOOT_BOOTKEY_INDEX, 32)) {
+        otp_write_data(OTP_DATA_BOOTKEY0_0_ROW + 0x10*SECURE_BOOT_BOOTKEY_INDEX, BOOTKEY, sizeof(BOOTKEY));
+    }
+
+    uint8_t *boot_flags1 = otp_buffer_raw(OTP_DATA_BOOT_FLAGS1_ROW);
+    uint8_t flagsb1[] = { boot_flags1[0] | (1 << (SECURE_BOOT_BOOTKEY_INDEX + OTP_DATA_BOOT_FLAGS1_KEY_VALID_LSB)), boot_flags1[1], boot_flags1[2], 0x00 };
+#ifdef ENABLE_SECURE_BOOT_LOCK_FIRMWARE
+    flagsb1[1] |= ((OTP_DATA_BOOT_FLAGS1_KEY_INVALID_BITS >> OTP_DATA_BOOT_FLAGS1_KEY_INVALID_LSB) & (~(1 << SECURE_BOOT_BOOTKEY_INDEX)));
+#endif
+    otp_write_data_raw(OTP_DATA_BOOT_FLAGS1_ROW, flagsb1, sizeof(flagsb1));
+    otp_write_data_raw(OTP_DATA_BOOT_FLAGS1_R1_ROW, flagsb1, sizeof(flagsb1));
+    otp_write_data_raw(OTP_DATA_BOOT_FLAGS1_R2_ROW, flagsb1, sizeof(flagsb1));
+
+    uint8_t *crit1 = otp_buffer_raw(OTP_DATA_CRIT1_ROW);
+    uint8_t flagsc1[] = { crit1[0] | (1 << OTP_DATA_CRIT1_SECURE_BOOT_ENABLE_LSB), crit1[1], crit1[2], 0x00 };
+#ifdef ENABLE_SECURE_BOOT_LOCK_FIRMWARE
+    flagsc1[0] |= (1 << OTP_DATA_CRIT1_DEBUG_DISABLE_LSB);
+    flagsc1[0] |= (1 << OTP_DATA_CRIT1_GLITCH_DETECTOR_ENABLE_LSB);
+    flagsc1[0] |= (3 << OTP_DATA_CRIT1_GLITCH_DETECTOR_SENS_LSB);
+#endif
+    otp_write_data_raw(OTP_DATA_CRIT1_ROW, flagsc1, sizeof(flagsc1));
+    otp_write_data_raw(OTP_DATA_CRIT1_R1_ROW, flagsc1, sizeof(flagsc1));
+    otp_write_data_raw(OTP_DATA_CRIT1_R2_ROW, flagsc1, sizeof(flagsc1));
+    otp_write_data_raw(OTP_DATA_CRIT1_R3_ROW, flagsc1, sizeof(flagsc1));
+    otp_write_data_raw(OTP_DATA_CRIT1_R4_ROW, flagsc1, sizeof(flagsc1));
+    otp_write_data_raw(OTP_DATA_CRIT1_R5_ROW, flagsc1, sizeof(flagsc1));
+    otp_write_data_raw(OTP_DATA_CRIT1_R6_ROW, flagsc1, sizeof(flagsc1));
+    otp_write_data_raw(OTP_DATA_CRIT1_R7_ROW, flagsc1, sizeof(flagsc1));
+
+#ifdef ENABLE_SECURE_BOOT_LOCK_FIRMWARE
+    uint8_t *page1 = otp_buffer_raw(OTP_DATA_PAGE1_LOCK1_ROW);
+    uint8_t page1v = page1[0] | (OTP_DATA_PAGE1_LOCK1_LOCK_BL_VALUE_READ_ONLY << OTP_DATA_PAGE1_LOCK1_LOCK_BL_LSB);
+    uint8_t flagsp1[] = { page1v, page1v, page1v, 0x00 };
+    otp_write_data_raw(OTP_DATA_PAGE1_LOCK1_ROW, flagsp1, sizeof(flagsp1));
+    uint8_t *page2 = otp_buffer_raw(OTP_DATA_PAGE2_LOCK1_ROW);
+    uint8_t page2v = page2[0] | (OTP_DATA_PAGE2_LOCK1_LOCK_BL_VALUE_READ_ONLY << OTP_DATA_PAGE2_LOCK1_LOCK_BL_LSB);
+    uint8_t flagsp2[] = { page2v, page2v, page2v, 0x00 };
+    otp_write_data_raw(OTP_DATA_PAGE2_LOCK1_ROW, flagsp2, sizeof(flagsp2));
+#endif
+
+#endif
 
 #elif defined(ESP_PLATFORM)
     if (esp_efuse_key_block_unused(OTP_KEY_1)) {