Disable USB Serial JTAG and ROM download mode in production builds

## Summary

Production builds should disable debug interfaces to prevent unauthorized access to device memory and firmware.

## Current State

- USB Serial JTAG remains enabled on ESP32-S3
- ROM download mode accessible
- Debug interfaces could allow memory inspection or firmware extraction

## Proposed Changes

### 1. eFuse Configuration for Production

Add eFuse burning to production build/provisioning:

```c
// Disable USB Serial JTAG
esp_efuse_write_field_bit(ESP_EFUSE_DIS_USB_JTAG);

// Disable ROM download mode (or require secure download)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
// OR for secure download only:
esp_efuse_write_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
```

### 2. Production Build Flag

Add `CONFIG_PRODUCTION_BUILD` that:
- Errors if `CONFIG_SE_MOCK_MODE` is enabled
- Enables secure boot enforcement
- Documents required eFuse settings

### 3. Documentation

Update `docs/SECURE_BOOT.md` with:
- eFuse configuration checklist
- Warnings about irreversibility
- Verification commands

## Security Impact

Without debug lockdown:
- Attacker with physical access could inspect RAM
- Storage encryption key derivation observable
- Firmware could be extracted and analyzed

With debug lockdown:
- Memory inspection blocked at hardware level
- Complements secure boot and flash encryption
- Matches production hardware wallet standards

## Implementation Notes

- eFuse writes are **irreversible** - document clearly
- Must be done after secure boot key provisioning
- Consider staged rollout: test devices → production devices

## Related Issues

- #89 Secure Element Phase 3: Production Lock Configuration
- #88 Secure Element Phase 2: Unlocked Hardware Testing

## Acceptance Criteria

- [ ] Production sdkconfig variant disables debug in software
- [ ] Documentation for eFuse provisioning procedure
- [ ] CI check that production build fails with mock SE enabled
- [ ] Verification command to check device lockdown status

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable USB Serial JTAG and ROM download mode in production builds #136

Summary

Current State

Proposed Changes

1. eFuse Configuration for Production

2. Production Build Flag

3. Documentation

Security Impact

Implementation Notes

Related Issues

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Disable USB Serial JTAG and ROM download mode in production builds #136

Description

Summary

Current State

Proposed Changes

1. eFuse Configuration for Production

2. Production Build Flag

3. Documentation

Security Impact

Implementation Notes

Related Issues

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions