Summary
Production builds should disable debug interfaces to prevent unauthorized access to device memory and firmware.
Current State
- USB Serial JTAG remains enabled on ESP32-S3
- ROM download mode accessible
- Debug interfaces could allow memory inspection or firmware extraction
Proposed Changes
1. eFuse Configuration for Production
Add eFuse burning to production build/provisioning:
// Disable USB Serial JTAG
esp_efuse_write_field_bit(ESP_EFUSE_DIS_USB_JTAG);
// Disable ROM download mode (or require secure download)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
// OR for secure download only:
esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
2. Production Build Flag
Add CONFIG_PRODUCTION_BUILD that:
- Errors if
CONFIG_SE_MOCK_MODE is enabled
- Enables secure boot enforcement
- Documents required eFuse settings
3. Documentation
Update docs/SECURE_BOOT.md with:
- eFuse configuration checklist
- Warnings about irreversibility
- Verification commands
Security Impact
Without debug lockdown:
- Attacker with physical access could inspect RAM
- Storage encryption key derivation observable
- Firmware could be extracted and analyzed
With debug lockdown:
- Memory inspection blocked at hardware level
- Complements secure boot and flash encryption
- Matches production hardware wallet standards
Implementation Notes
- eFuse writes are irreversible - document clearly
- Must be done after secure boot key provisioning
- Consider staged rollout: test devices → production devices
Related Issues
Acceptance Criteria
Summary
Production builds should disable debug interfaces to prevent unauthorized access to device memory and firmware.
Current State
Proposed Changes
1. eFuse Configuration for Production
Add eFuse burning to production build/provisioning:
2. Production Build Flag
Add
CONFIG_PRODUCTION_BUILDthat:CONFIG_SE_MOCK_MODEis enabled3. Documentation
Update
docs/SECURE_BOOT.mdwith:Security Impact
Without debug lockdown:
With debug lockdown:
Implementation Notes
Related Issues
Acceptance Criteria