You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nuttx.apache.org by xi...@apache.org on 2021/12/21 13:02:51 UTC
[incubator-nuttx] 01/05: xtensa/esp32: Add Secure Boot support on top of MCUboot
This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit 6c3223289ffd8e0515719fd638bb6d742a6d5437
Author: Gustavo Henrique Nihei <gu...@espressif.com>
AuthorDate: Fri Oct 29 11:10:41 2021 -0300
xtensa/esp32: Add Secure Boot support on top of MCUboot
This adds the capabitlity of building signed images on NuttX.
Signed-off-by: Gustavo Henrique Nihei <gu...@espressif.com>
---
arch/xtensa/src/esp32/Bootloader.mk | 115 +++++++++++++++++---
arch/xtensa/src/esp32/Kconfig | 2 +
arch/xtensa/src/esp32/Kconfig.security | 188 +++++++++++++++++++++++++++++++++
tools/esp32/Config.mk | 107 ++++++++++++++++---
4 files changed, 383 insertions(+), 29 deletions(-)
diff --git a/arch/xtensa/src/esp32/Bootloader.mk b/arch/xtensa/src/esp32/Bootloader.mk
index 4d06770..3de2f64 100644
--- a/arch/xtensa/src/esp32/Bootloader.mk
+++ b/arch/xtensa/src/esp32/Bootloader.mk
@@ -31,25 +31,80 @@ BOOTLOADER_CONFIG = $(CHIPDIR)/bootloader.conf
$(BOOTLOADER_SRCDIR):
$(Q) git clone $(BOOTLOADER_URL) $(BOOTLOADER_SRCDIR) -b $(BOOTLOADER_VERSION)
+# Commands for colored and formatted output
+
+RED = \033[1;31m
+YELLOW = \033[1;33m
+BOLD = \033[1m
+RST = \033[0m
+
$(BOOTLOADER_CONFIG): $(TOPDIR)/.config
+ifeq ($(CONFIG_ESP32_SECURE_BOOT),y)
+ $(Q) if [ -z "$(ESPSEC_KEYDIR)" ]; then \
+ echo ""; \
+ echo "$(RED)bootloader error:$(RST) Missing argument for secure boot keys directory."; \
+ echo "USAGE: make bootloader ESPSEC_KEYDIR=<dir>"; \
+ echo ""; \
+ exit 1; \
+ fi
+endif
$(Q) echo "Creating Bootloader configuration"
$(Q) { \
- [ "$(CONFIG_ESP32_FLASH_2M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_2MB=y"; \
- [ "$(CONFIG_ESP32_FLASH_4M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y"; \
- [ "$(CONFIG_ESP32_FLASH_8M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_8MB=y"; \
- [ "$(CONFIG_ESP32_FLASH_16M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y"; \
- [ "$(CONFIG_ESP32_FLASH_MODE_DIO)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_DIO=y"; \
- [ "$(CONFIG_ESP32_FLASH_MODE_DOUT)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_DOUT=y"; \
- [ "$(CONFIG_ESP32_FLASH_MODE_QIO)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_QIO=y"; \
- [ "$(CONFIG_ESP32_FLASH_MODE_QOUT)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_QOUT=y"; \
- [ "$(CONFIG_ESP32_FLASH_FREQ_80M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_80M=y"; \
- [ "$(CONFIG_ESP32_FLASH_FREQ_40M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_40M=y"; \
- [ "$(CONFIG_ESP32_FLASH_FREQ_26M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_26M=y"; \
- [ "$(CONFIG_ESP32_FLASH_FREQ_20M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_20M=y"; \
- true; \
+ $(if $(CONFIG_ESP32_FLASH_2M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_2MB=y";) \
+ $(if $(CONFIG_ESP32_FLASH_4M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y";) \
+ $(if $(CONFIG_ESP32_FLASH_8M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_8MB=y";) \
+ $(if $(CONFIG_ESP32_FLASH_16M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y";) \
+ $(if $(CONFIG_ESP32_FLASH_MODE_DIO), echo "CONFIG_ESPTOOLPY_FLASHMODE_DIO=y";) \
+ $(if $(CONFIG_ESP32_FLASH_MODE_DOUT), echo "CONFIG_ESPTOOLPY_FLASHMODE_DOUT=y";) \
+ $(if $(CONFIG_ESP32_FLASH_MODE_QIO), echo "CONFIG_ESPTOOLPY_FLASHMODE_QIO=y";) \
+ $(if $(CONFIG_ESP32_FLASH_MODE_QOUT), echo "CONFIG_ESPTOOLPY_FLASHMODE_QOUT=y";) \
+ $(if $(CONFIG_ESP32_FLASH_FREQ_80M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_80M=y";) \
+ $(if $(CONFIG_ESP32_FLASH_FREQ_40M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_40M=y";) \
+ $(if $(CONFIG_ESP32_FLASH_FREQ_26M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_26M=y";) \
+ $(if $(CONFIG_ESP32_FLASH_FREQ_20M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_20M=y";) \
} > $(BOOTLOADER_CONFIG)
ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y)
+ $(eval KEYDIR := $(TOPDIR)/$(ESPSEC_KEYDIR))
+ $(eval APP_SIGN_KEY := $(abspath $(KEYDIR)/$(subst ",,$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY))))
$(Q) { \
+ $(if $(CONFIG_ESP32_SECURE_BOOT), \
+ echo "CONFIG_SECURE_BOOT=y"; \
+ echo "CONFIG_SECURE_BOOT_V2_ENABLED=y"; \
+ echo "CONFIG_ESP_SIGN_KEY_FILE=$(APP_SIGN_KEY)"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_2048), \
+ echo "CONFIG_ESP_USE_MBEDTLS=y"; \
+ echo "CONFIG_ESP_SIGN_RSA=y"; \
+ echo "CONFIG_ESP_SIGN_RSA_LEN=2048"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072), \
+ echo "CONFIG_ESP_USE_MBEDTLS=y"; \
+ echo "CONFIG_ESP_SIGN_RSA=y"; \
+ echo "CONFIG_ESP_SIGN_RSA_LEN=3072"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_ECDSA_P256), \
+ echo "CONFIG_ESP_USE_TINYCRYPT=y"; \
+ echo "CONFIG_ESP_SIGN_EC256=y"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_ED25519), \
+ echo "CONFIG_ESP_USE_TINYCRYPT=y"; \
+ echo "CONFIG_ESP_SIGN_ED25519=y"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_BOOT_ALLOW_ROM_BASIC), \
+ echo "CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_BOOT_ALLOW_JTAG), \
+ echo "CONFIG_SECURE_BOOT_ALLOW_JTAG=y"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_BOOT_ALLOW_EFUSE_RD_DIS), \
+ echo "CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS=y"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_DISABLE_ROM_DL_MODE), \
+ echo "CONFIG_SECURE_DISABLE_ROM_DL_MODE=y"; \
+ ) \
+ $(if $(CONFIG_ESP32_SECURE_INSECURE_ALLOW_DL_MODE), \
+ echo "CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y"; \
+ ) \
echo "CONFIG_ESP_BOOTLOADER_SIZE=0xF000"; \
echo "CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS=$(CONFIG_ESP32_OTA_PRIMARY_SLOT_OFFSET)"; \
echo "CONFIG_ESP_APPLICATION_SIZE=$(CONFIG_ESP32_OTA_SLOT_SIZE)"; \
@@ -68,15 +123,43 @@ endif
ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y)
-bootloader: $(BOOTLOADER_SRCDIR) $(BOOTLOADER_CONFIG)
- $(Q) echo "Building Bootloader binaries"
+BOOTLOADER_BIN = $(TOPDIR)/mcuboot-esp32.bin
+BOOTLOADER_SIGNED_BIN = $(TOPDIR)/mcuboot-esp32.signed.bin
+
+$(BOOTLOADER_BIN): $(BOOTLOADER_CONFIG)
+ $(Q) echo "Building Bootloader"
$(Q) $(BOOTLOADER_SRCDIR)/build_mcuboot.sh -c esp32 -s -f $(BOOTLOADER_CONFIG)
$(call COPYFILE, $(BOOTLOADER_SRCDIR)/$(BOOTLOADER_OUTDIR)/mcuboot-esp32.bin, $(TOPDIR))
+bootloader: $(BOOTLOADER_CONFIG) $(BOOTLOADER_SRCDIR) $(BOOTLOADER_BIN)
+ifeq ($(CONFIG_ESP32_SECURE_BOOT),y)
+ $(eval KEYDIR := $(TOPDIR)/$(ESPSEC_KEYDIR))
+ $(eval BOOTLOADER_SIGN_KEY := $(abspath $(KEYDIR)/$(subst ",,$(CONFIG_ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY))))
+ifeq ($(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES),y)
+ $(Q) if [ ! -f "$(BOOTLOADER_SIGN_KEY)" ]; then \
+ echo ""; \
+ echo "$(RED)bootloader error:$(RST) Bootloader signing key $(BOLD)$(CONFIG_ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY)$(RST) does not exist."; \
+ echo "Generate using:"; \
+ echo " espsecure.py generate_signing_key --version 2 $(CONFIG_ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY)"; \
+ echo ""; \
+ exit 1; \
+ fi
+ $(Q) echo "Signing Bootloader"
+ espsecure.py sign_data --version 2 --keyfile $(BOOTLOADER_SIGN_KEY) -o $(BOOTLOADER_SIGNED_BIN) $(BOOTLOADER_BIN)
+else
+ $(Q) echo ""
+ $(Q) echo "$(YELLOW)Bootloader not signed. Sign the bootloader before flashing.$(RST)"
+ $(Q) echo "To sign the bootloader, you can use this command:"
+ $(Q) echo " espsecure.py sign_data --version 2 --keyfile $(BOOTLOADER_SIGN_KEY) -o mcuboot-esp32.signed.bin mcuboot-esp32.bin"
+ $(Q) echo ""
+endif
+endif
+
clean_bootloader:
$(call DELDIR, $(BOOTLOADER_SRCDIR))
$(call DELFILE, $(BOOTLOADER_CONFIG))
- $(call DELFILE, $(TOPDIR)/mcuboot-esp32.bin)
+ $(call DELFILE, $(BOOTLOADER_BIN))
+ $(if $(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES), $(call DELFILE, $(BOOTLOADER_SIGNED_BIN)))
else ifeq ($(CONFIG_ESP32_APP_FORMAT_LEGACY),y)
diff --git a/arch/xtensa/src/esp32/Kconfig b/arch/xtensa/src/esp32/Kconfig
index 207c9c2..55178c1 100644
--- a/arch/xtensa/src/esp32/Kconfig
+++ b/arch/xtensa/src/esp32/Kconfig
@@ -1360,6 +1360,8 @@ config ESP32_PARTITION_TABLE_OFFSET
default 0x8000
depends on ESP32_APP_FORMAT_LEGACY
+source "arch/xtensa/src/esp32/Kconfig.security"
+
endmenu # Application Image Configuration
config ESP32_AUTO_SLEEP
diff --git a/arch/xtensa/src/esp32/Kconfig.security b/arch/xtensa/src/esp32/Kconfig.security
new file mode 100644
index 0000000..c1a863c
--- /dev/null
+++ b/arch/xtensa/src/esp32/Kconfig.security
@@ -0,0 +1,188 @@
+#
+# For a description of the syntax of this configuration file,
+# see the file kconfig-language.txt in the NuttX tools repository.
+#
+
+comment "Secure Boot"
+
+config ESP32_SECURE_BOOT
+ bool "Enable hardware Secure Boot in bootloader (READ HELP FIRST)"
+ default n
+ depends on ESP32_APP_FORMAT_MCUBOOT
+ ---help---
+ Build a bootloader which enables Secure Boot on first boot.
+
+ Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only boot an
+ application firmware image if it has a verified digital signature. There are implications for reflashing
+ updated images once Secure Boot is enabled.
+
+ When enabling Secure Boot, JTAG and ROM BASIC Interpreter are permanently disabled by default.
+
+if ESP32_SECURE_BOOT
+
+comment "Secure Boot support requires building bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)"
+ depends on !ESP32_BOOTLOADER_BUILD_FROM_SOURCE
+
+config ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES
+ bool "Sign binaries during build"
+ default y
+ ---help---
+ Once Secure Boot is enabled, bootloader and application images are required to be signed.
+
+ If enabled (default), these binary files are signed as part of the build process.
+ The files named in "Bootloader private signing key" and "Application private signing key" will
+ be used to sign the bootloader and application images, respectively.
+
+ If disabled, unsigned firmware images will be built.
+ They must be then signed manually using imgtool (e.g., on a remote signing server).
+
+config ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY
+ string "Bootloader private signing key"
+ default "bootloader_signing_key.pem"
+ ---help---
+ Path to the key file used to sign the bootloader image.
+
+ Key file is an RSA private key in PEM format.
+
+ Path is evaluated relative to the directory indicated by the ESPSEC_KEYDIR environment
+ variable.
+
+ You can generate a new signing key by running the following command:
+ $ espsecure.py generate_signing_key --version 2 bootloader_signing_key.pem
+
+ See the Secure Boot section of the ESP-IDF Programmer's Guide for this version for details.
+
+choice ESP32_SECURE_SIGNED_APPS_SCHEME
+ prompt "Application image signing scheme"
+ default ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072
+ ---help---
+ Select the secure application signing scheme.
+
+ config ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_2048
+ bool "RSA-2048"
+
+ config ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072
+ bool "RSA-3072"
+
+ config ESP32_SECURE_SIGNED_APPS_SCHEME_ECDSA_P256
+ bool "ECDSA-P256"
+
+ config ESP32_SECURE_SIGNED_APPS_SCHEME_ED25519
+ bool "ED25519"
+
+endchoice
+
+config ESP32_SECURE_BOOT_APP_SIGNING_KEY
+ string "Application private signing key"
+ default "app_signing_key.pem"
+ ---help---
+ Path to the key file used to sign NuttX application images.
+
+ Key file is in PEM format and its type shall be specified by the configuration defined in
+ "Application image signing scheme".
+
+ Path is evaluated relative to the directory indicated by the ESPSEC_KEYDIR environment
+ variable.
+
+ You can generate a new signing key by running the following command:
+ $ imgtool keygen --key app_signing_key.pem --type <ESP32_SECURE_SIGNED_APPS_SCHEME>
+
+config ESP32_SECURE_BOOT_INSECURE
+ bool "Allow potentially insecure options"
+ default n
+ ---help---
+ You can disable some of the default protections offered by Secure Boot, in order to enable testing or a
+ custom combination of security features.
+
+ Only enable these options if you are very sure.
+
+ Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling.
+
+endif # ESP32_SECURE_BOOT
+
+menu "Potentially insecure options"
+ visible if ESP32_SECURE_BOOT_INSECURE
+
+ # NOTE: Options in this menu NEED to have ESP32_SECURE_BOOT_INSECURE
+ # and/or ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu
+ # itself doesn't enable/disable its children (if it's not set,
+ # it's possible for the insecure menu to be disabled but the insecure option
+ # to remain on which is very bad.)
+
+config ESP32_SECURE_BOOT_ALLOW_ROM_BASIC
+ bool "Leave ROM BASIC Interpreter available on reset"
+ default n
+ depends on ESP32_SECURE_BOOT_INSECURE
+ ---help---
+ By default, the BASIC ROM Console starts on reset if no valid bootloader is
+ read from the flash.
+
+ When either Flash Encryption or Secure Boot are enabled, the default is to
+ disable this BASIC fallback mode permanently via eFuse.
+
+ If this option is set, this eFuse is not burned and the BASIC ROM Console may
+ remain accessible. Only set this option in testing environments.
+
+config ESP32_SECURE_BOOT_ALLOW_JTAG
+ bool "Allow JTAG Debugging"
+ default n
+ depends on ESP32_SECURE_BOOT_INSECURE
+ ---help---
+ If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot
+ when either Secure Boot or Flash Encryption is enabled.
+
+ Setting this option leaves JTAG on for debugging, which negates all protections of Flash Encryption
+ and some of the protections of Secure Boot.
+
+ Only set this option in testing environments.
+
+config ESP32_SECURE_BOOT_ALLOW_EFUSE_RD_DIS
+ bool "Allow additional read protecting of efuses"
+ default n
+ depends on ESP32_SECURE_BOOT_INSECURE
+ ---help---
+ If not set (default, recommended), on first boot the bootloader will burn the WR_DIS_RD_DIS
+ efuse when Secure Boot is enabled. This prevents any more efuses from being read protected.
+
+ If this option is set, it will remain possible to write the EFUSE_RD_DIS efuse field after Secure
+ Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse (for ESP32) and
+ BLOCK4-BLOCK10 (i.e. BLOCK_KEY0-BLOCK_KEY5)(for other chips) holding the public key digest, causing an
+ immediate denial of service and possibly allowing an additional fault injection attack to
+ bypass the signature protection.
+
+ NOTE: Once a BLOCK is read-protected, the application will read all zeros from that block
+
+ NOTE: If UART ROM download mode "Permanently disabled (recommended)" is set,
+ then it is __NOT__ possible to read/write efuses using espefuse.py utility.
+ However, efuse can be read/written from the application.
+
+endmenu # Potentially insecure options
+
+choice ESP32_SECURE_UART_ROM_DL_MODE
+ bool "UART ROM download mode"
+ default ESP32_SECURE_INSECURE_ALLOW_DL_MODE
+ depends on ESP32_SECURE_BOOT
+
+ config ESP32_SECURE_DISABLE_ROM_DL_MODE
+ bool "Permanently disabled (recommended)"
+ ---help---
+ If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM
+ Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools.
+
+ Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode
+ then an error is printed instead.
+
+ It is recommended to enable this option in any production application where Flash
+ Encryption and/or Secure Boot is enabled and access to Download Mode is not required.
+
+ It is also possible to permanently disable Download Mode by calling
+ esp_efuse_disable_rom_download_mode() at runtime.
+
+ config ESP32_SECURE_INSECURE_ALLOW_DL_MODE
+ bool "Enabled (not recommended)"
+ ---help---
+ This is a potentially insecure option.
+ Enabling this option will allow the full UART download mode to stay enabled.
+ This option SHOULD NOT BE ENABLED for production use cases.
+
+endchoice
diff --git a/tools/esp32/Config.mk b/tools/esp32/Config.mk
index 5f0c867..01fee0b 100644
--- a/tools/esp32/Config.mk
+++ b/tools/esp32/Config.mk
@@ -58,6 +58,10 @@ else
ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ)
endif
+ifeq ($(CONFIG_ESP32_SECURE_BOOT),y)
+ ESPTOOL_RESET_OPTS += --after no_reset
+endif
+
ESPTOOL_FLASH_OPTS := -fs $(FLASH_SIZE) -fm $(FLASH_MODE) -ff $(FLASH_FREQ)
# Configure the variables according to build environment
@@ -73,9 +77,15 @@ ifdef ESPTOOL_BINDIR
ESPTOOL_BINS := $(FLASH_BL) $(FLASH_PT)
else ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y)
BL_OFFSET := 0x1000
- BOOTLOADER := $(ESPTOOL_BINDIR)/mcuboot-esp32.bin
- FLASH_BL := $(BL_OFFSET) $(BOOTLOADER)
- ESPTOOL_BINS := $(FLASH_BL)
+ ifeq ($(CONFIG_ESP32_SECURE_BOOT),y)
+ BOOTLOADER := $(ESPTOOL_BINDIR)/mcuboot-esp32.signed.bin
+ FLASH_BL := $(BL_OFFSET) $(BOOTLOADER)
+ ESPTOOL_BINS :=
+ else
+ BOOTLOADER := $(ESPTOOL_BINDIR)/mcuboot-esp32.bin
+ FLASH_BL := $(BL_OFFSET) $(BOOTLOADER)
+ ESPTOOL_BINS := $(FLASH_BL)
+ endif
endif
endif
@@ -92,12 +102,23 @@ else ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y)
APP_OFFSET := $(CONFIG_ESP32_OTA_SECONDARY_SLOT_OFFSET)
endif
- APP_IMAGE := nuttx.signed.bin
+ ifeq ($(CONFIG_ESP32_SECURE_BOOT),y)
+ APP_IMAGE := nuttx.signed.bin
+ else
+ APP_IMAGE := nuttx.bin
+ endif
FLASH_APP := $(APP_OFFSET) $(APP_IMAGE)
endif
ESPTOOL_BINS += $(FLASH_APP)
+# Commands for colored and formatted output
+
+RED = \033[1;31m
+YELLOW = \033[1;33m
+BOLD = \033[1m
+RST = \033[0m
+
# MERGEBIN -- Merge raw binary files into a single file
define MERGEBIN
@@ -126,11 +147,11 @@ define MERGEBIN
fi
endef
-# SIGNBIN -- Sign the binary image file
+# SIGNBIN -- Create the signed binary image file for Secure Boot
ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y)
define SIGNBIN
- $(Q) echo "MKIMAGE: ESP32 binary"
+ $(Q) echo "SIGNBIN: ESP32 signed binary"
$(Q) if ! imgtool version 1>/dev/null 2>&1; then \
echo ""; \
echo "imgtool not found. Please run: \"pip install imgtool\""; \
@@ -138,16 +159,34 @@ define SIGNBIN
echo "Run make again to create the nuttx.signed.bin image."; \
exit 1; \
fi
- imgtool sign --pad --pad-sig $(VERIFIED) --align 4 -v 0 \
+ $(Q) if [ -z "$(ESPSEC_KEYDIR)" ]; then \
+ echo "SIGNBIN error: Missing argument for secure boot keys directory."; \
+ echo "USAGE: make ESPSEC_KEYDIR=<dir>"; \
+ exit 1; \
+ fi
+
+ $(eval APP_SIGN_KEY := $(ESPSEC_KEYDIR)/$(subst ",,$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY)))
+ $(Q) if [ ! -f "$(APP_SIGN_KEY)" ]; then \
+ echo ""; \
+ echo "$(RED)SIGNBIN error:$(RST) Application signing key $(BOLD)$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY)$(RST) does not exist."; \
+ echo "Generate using:"; \
+ echo " imgtool keygen --key $(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY) --type <ESP32_SECURE_SIGNED_APPS_SCHEME>"; \
+ echo ""; \
+ exit 1; \
+ fi
+ $(if $(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES), \
+ $(eval IMGTOOL_KEY_ARGS := -k $(APP_SIGN_KEY) --public-key-format hash))
+
+ imgtool sign $(IMGTOOL_KEY_ARGS) --pad $(VERIFIED) --align 4 -v 0 -s auto \
-H $(CONFIG_ESP32_APP_MCUBOOT_HEADER_SIZE) --pad-header \
-S $(CONFIG_ESP32_OTA_SLOT_SIZE) \
- nuttx.bin nuttx.signed.bin
+ nuttx.hex nuttx.signed.bin
$(Q) echo nuttx.signed.bin >> nuttx.manifest
$(Q) echo "Generated: nuttx.signed.bin (MCUboot compatible)"
endef
endif
-# ELF2IMAGE -- Convert an ELF file into a binary file in Espressif application image format
+# ELF2IMAGE -- Convert an ELF file into a compatible binary file
ifeq ($(CONFIG_ESP32_APP_FORMAT_LEGACY),y)
define ELF2IMAGE
@@ -166,19 +205,57 @@ define ELF2IMAGE
esptool.py -c esp32 elf2image $(ESPTOOL_FLASH_OPTS) -o nuttx.bin nuttx
$(Q) echo "Generated: nuttx.bin (ESP32 compatible)"
endef
+else
+define ELF2IMAGE
+ $(Q) echo "MKIMAGE: ESP32 binary"
+ $(Q) if ! imgtool version 1>/dev/null 2>&1; then \
+ echo ""; \
+ echo "imgtool not found. Please run: \"pip install imgtool\""; \
+ echo ""; \
+ echo "Run make again to create the nuttx.signed.bin image."; \
+ exit 1; \
+ fi
+ imgtool sign --pad $(VERIFIED) --align 4 -v 0 -s auto \
+ -H $(CONFIG_ESP32_APP_MCUBOOT_HEADER_SIZE) --pad-header \
+ -S $(CONFIG_ESP32_OTA_SLOT_SIZE) \
+ nuttx.hex nuttx.bin
+ $(Q) echo "Generated: nuttx.bin (MCUboot compatible)"
+endef
endif
+define HELP_SIGN_APP
+ $(Q) echo ""
+ $(Q) echo "$(YELLOW)Application not signed. Sign the application before flashing.$(RST)"
+ $(Q) echo "To sign the application, you can use this command:"
+ $(Q) echo " imgtool sign -k $(ESPSEC_KEYDIR)/$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY) --public-key-format hash --pad $(VERIFIED) --align 4 -v 0 -s auto -H $(CONFIG_ESP32_APP_MCUBOOT_HEADER_SIZE) --pad-header -S $(CONFIG_ESP32_OTA_SLOT_SIZE) nuttx.hex nuttx.signed.bin"
+ $(Q) echo ""
+endef
+
+define HELP_FLASH_BOOTLOADER
+ $(Q) echo ""
+ $(Q) echo "$(YELLOW)Secure boot enabled, so bootloader not flashed automatically.$(RST)"
+ $(Q) echo "Use the following command to flash the bootloader:"
+ $(Q) echo " esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(FLASH_BL)"
+ $(Q) echo ""
+endef
+
# POSTBUILD -- Perform post build operations
ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y)
define POSTBUILD
- $(call SIGNBIN)
- $(if $(CONFIG_ESP32_MERGE_BINS), $(call MERGEBIN), )
+ $(if $(CONFIG_ESP32_SECURE_BOOT), \
+ $(if $(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES), \
+ $(call SIGNBIN), \
+ $(call HELP_SIGN_APP) \
+ ), \
+ $(call ELF2IMAGE) \
+ )
+ $(if $(CONFIG_ESP32_MERGE_BINS),$(call MERGEBIN))
endef
else ifeq ($(CONFIG_ESP32_APP_FORMAT_LEGACY),y)
define POSTBUILD
$(call ELF2IMAGE)
- $(if $(CONFIG_ESP32_MERGE_BINS), $(call MERGEBIN), )
+ $(if $(CONFIG_ESP32_MERGE_BINS),$(call MERGEBIN))
endef
endif
@@ -194,5 +271,9 @@ define FLASH
echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \
exit 1; \
fi
- esptool.py -c esp32 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)
+
+ $(eval ESPTOOL_OPTS := -c esp32 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS))
+ esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)
+
+ $(if $(CONFIG_ESP32_SECURE_BOOT),$(call HELP_FLASH_BOOTLOADER))
endef