Bootloader protection of flash memory may also be turned on by setting the SECURE_BY_DEFAULT compile flag, either through an argument to make, or by setting flag in sam_ba_monitor.h.

ksmith3036 · ksmith3036 · commit 9cb10ad181f5 · 2020-12-23T12:24:56.000+01:00
diff --git a/bootloaders/zero/Makefile b/bootloaders/zero/Makefile
@@ -71,11 +71,14 @@ else
   CFLAGS+=-Os -DDEBUG=0 -flto
 endif
 
+ifdef SECURE_BY_DEFAULT
+  CFLAGS+=-DSECURE_BY_DEFAULT=1
+endif
+
 ELF=$(NAME).elf
 BIN=$(NAME).bin
 HEX=$(NAME).hex
 
-
 INCLUDES=-I"$(MODULE_PATH)/tools/CMSIS/4.5.0/CMSIS/Include/" -I"$(MODULE_PATH)/tools/CMSIS-Atmel/1.2.0/CMSIS/Device/ATMEL/"
 
 # -----------------------------------------------------------------------------
diff --git a/bootloaders/zero/sam_ba_monitor.c b/bootloaders/zero/sam_ba_monitor.c
@@ -84,7 +84,11 @@ const t_monitor_if usbcdc_if =
 /* The pointer to the interface object use by the monitor */
 t_monitor_if * ptr_monitor_if;
 
+#ifdef SECURE_BY_DEFAULT
+bool b_security_enabled = true;
+#else
 bool b_security_enabled = false;
+#endif
 
 /* b_terminal_mode mode (ascii) or hex mode */
 volatile bool b_terminal_mode = false;
@@ -225,6 +229,7 @@ void sam_ba_putdata_term(uint8_t* data, uint32_t length)
   return;
 }
 
+#ifndef SECURE_BY_DEFAULT
 volatile uint32_t sp;
 void call_applet(uint32_t address)
 {
@@ -247,6 +252,7 @@ void call_applet(uint32_t address)
   /* Jump to application Reset Handler in the application */
   asm("bx %0"::"r"(app_start_address));
 }
+#endif
 
 uint32_t current_number;
 uint32_t erased_from = 0;
@@ -413,6 +419,7 @@ static void sam_ba_monitor_loop(void)
 
         sam_ba_putdata_term((uint8_t*) &current_number, 4);
       }
+#ifndef SECURE_BY_DEFAULT
       else if (!b_security_enabled && command == 'G')  // Execute code. Will not allow when security is enabled.
       {
         call_applet(current_number);
@@ -423,6 +430,7 @@ static void sam_ba_monitor_loop(void)
           ptr_monitor_if->put_c(0x6);
         }
       }
+#endif
       else if (command == 'T') // Turn on terminal mode
       {
         b_terminal_mode = 1;
@@ -711,7 +719,12 @@ void sam_ba_monitor_run(void)
   PAGES = NVMCTRL->PARAM.bit.NVMP;
   MAX_FLASH = PAGE_SIZE * PAGES;
 
+#ifdef SECURE_BY_DEFAULT
+  b_security_enabled = true;
+#else
   b_security_enabled = NVMCTRL->STATUS.bit.SB != 0;
+#endif
+
   ptr_data = NULL;
   command = 'z';
   while (1)
diff --git a/bootloaders/zero/sam_ba_monitor.h b/bootloaders/zero/sam_ba_monitor.h
@@ -36,6 +36,9 @@
 /* Selects USB as the communication interface of the monitor */
 #define SIZEBUFMAX                  64
 
+// Set this flag to let the bootloader enforce read restrictions of flash memory, even if security bit is not set
+//#define SECURE_BY_DEFAULT
+
 /**
  * \brief Initialize the monitor
  *

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,9 @@`
`36`	`36`	`/* Selects USB as the communication interface of the monitor */`
`37`	`37`	`#define SIZEBUFMAX 64`
`38`	`38`
	`39`	`+// Set this flag to let the bootloader enforce read restrictions of flash memory, even if security bit is not set`
	`40`	`+//#define SECURE_BY_DEFAULT`
	`41`	`+`
`39`	`42`	`/**`
`40`	`43`	`* \brief Initialize the monitor`
`41`	`44`	`*`