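# ClearGrow Controller - PRODUCTION Security Configuration
# ============================================================================
#
# This file contains security settings for PRODUCTION builds only.
# It is designed to be used WITH sdkconfig.defaults, not as a replacement.
#
# Usage:
# idf.py -D SDKCONFIG_DEFAULTS="sdkconfig.defaults;sdkconfig.defaults.prod" build
#
# WARNING: These settings enable ONE-WAY security features that PERMANENTLY
# modify the ESP32-S3's eFuse configuration. Once enabled:
# - Flash encryption CANNOT be disabled
# - Secure boot CANNOT be disabled
# - Device can ONLY run signed, encrypted firmware
#
# DO NOT use these settings during development!
#
# NOTE(review): ESP-IDF drops CONFIG_ symbols that do not exist for the selected
# target / IDF version with at most a build warning, never an error, so a
# misspelled option quietly falls back to the default. After a build, diff the
# generated sdkconfig against this file (or check "idf.py menuconfig") to
# confirm every setting below actually took effect BEFORE any eFuse is burned.
# ============================================================================

# Production partition table with nvs_key partition
# NOTE(review): this filename is only honoured when CONFIG_PARTITION_TABLE_CUSTOM=y
# is set (here or in sdkconfig.defaults) - verify that it is.
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_prod.csv"

# ============================================================================
# Flash Encryption
# ============================================================================
# Encrypts all flash contents using hardware AES-256-XTS
# Protects firmware and data from physical readout attacks

CONFIG_SECURE_FLASH_ENC_ENABLED=y

# Release mode: Keys burned to eFuse, encryption is permanent
# Development mode would allow re-flashing but is less secure
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y

# XTS-AES key size. The key is generated on the device on first boot and burned
# to eFuse. ESP-IDF's choice symbols for the size are
# CONFIG_SECURE_FLASH_ENCRYPTION_AES128 / CONFIG_SECURE_FLASH_ENCRYPTION_AES256;
# the previous *_AES_XTS and *_KEYSIZE_256 spellings are not upstream symbols
# and would have been ignored, leaving the ESP-IDF default key size in place.
CONFIG_SECURE_FLASH_ENCRYPTION_AES256=y

# NOTE(review): this file does not choose between CONFIG_SECURE_DISABLE_ROM_DL_MODE
# (UART download mode permanently off) and CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE
# (download mode restricted), so the ESP-IDF default applies. Decide this
# explicitly and confirm it matches the intended factory / RMA recovery process,
# because it is also a one-way eFuse change.

# ============================================================================
# NVS Encryption
# ============================================================================
# Encrypts NVS partition contents using keys stored in nvs_key partition
# Provides defense-in-depth for sensitive data (WiFi credentials, etc.)
# NOTE(review): the NVS keys partition in partitions_prod.csv must carry the
# "encrypted" flag so the keys themselves are covered by flash encryption -
# verify the CSV; this file cannot enforce it.

CONFIG_NVS_ENCRYPTION=y

# ============================================================================
# Secure Boot V2
# ============================================================================
# Verifies firmware signature using RSA-PSS or ECDSA before execution
# Prevents running tampered or unsigned firmware

CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y

# Use RSA-3072 for secure boot signatures (stronger than RSA-2048)
# NOTE(review): CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED looks like a derived
# capability symbol in upstream ESP-IDF; the user-selectable scheme choice is
# CONFIG_SECURE_BOOT_V2_RSA_ENABLED. Both are set so the selection is explicit
# on IDF versions that know either symbol - confirm in menuconfig.
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y

# Signing key used when the build signs binaries itself (see Build Verification).
# This is the PRIVATE key: it must never be committed to the repository and
# should exist only on the signing host / in the CI secret store. Losing it
# blocks OTA for every fielded device; leaking it lets anyone sign firmware
# those devices will accept.
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"

# Explicitly kept off: do not relax the app partition size requirement that
# secure boot imposes. (JTAG and ROM BASIC are handled in their own sections
# below; they were previously duplicated here under a misleading OTA comment.)
CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION=n

# ============================================================================
# eFuse Protection
# ============================================================================
# Prevent reading encryption keys via JTAG or software

# Never emulate eFuses in flash: the real eFuse block must be used so key
# burning and read-protection are genuinely permanent.
CONFIG_EFUSE_VIRTUAL=n
# NOTE(review): the 3/4 coding scheme is an original-ESP32 eFuse feature; on
# ESP32-S3 this symbol is expected to be unavailable and ignored. Confirm in
# menuconfig and drop it if so, to keep this file free of dead settings.
CONFIG_EFUSE_CODE_SCHEME_COMPAT_3_4=y

# ============================================================================
# JTAG Debugging
# ============================================================================
# Disable JTAG in production to prevent debugging attacks
# (disabled via eFuse by the bootloader once secure boot is enabled)

CONFIG_SECURE_BOOT_ALLOW_JTAG=n

# ============================================================================
# Additional Hardening
# ============================================================================

# Disable ROM BASIC interpreter (potential attack vector)
# NOTE(review): the ROM BASIC console exists on the original ESP32 only; on
# ESP32-S3 this symbol is expected to be ignored. Harmless, but confirm and
# drop it if so.
CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=n

# Enable stack canaries for buffer overflow detection
CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y

# NOTE(review): CONFIG_COMPILER_SANITIZE_ADDRESS is not a known upstream ESP-IDF
# symbol (AddressSanitizer is not available for the Xtensa targets as far as the
# reviewer knows), so uncommenting it would be ignored rather than add safety.
# Left commented until verified against menuconfig.
# CONFIG_COMPILER_SANITIZE_ADDRESS=y # Uncomment for extra safety

# Production logging - reduce verbosity
CONFIG_LOG_DEFAULT_LEVEL_WARN=y
CONFIG_LOG_MAXIMUM_LEVEL_INFO=y

# ============================================================================
# Build Verification
# ============================================================================
# These options help verify production build is correct

# Sign the app/bootloader at build time with CONFIG_SECURE_BOOT_SIGNING_KEY.
# NOTE(review): this requires the private key on every build host, including
# CI. For production consider CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n and
# signing the unsigned image (espsecure.py) on a dedicated, access-controlled
# host, so the key never reaches a general-purpose build runner.
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y

# ============================================================================
# Network API Security
# ============================================================================
# Disable HTTP by default in production (HTTPS only)

CONFIG_NETWORK_API_PRODUCTION_MODE=y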