This is an automated email from the ASF dual-hosted git repository. simbit18 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit 49d6177c68ee661d8bad5e3275c6ec9666c48a86 Author: Filipe Cavalcanti <[email protected]> AuthorDate: Tue Oct 21 11:41:46 2025 -0300 espressif: automate build system for flash enc Modifies Kconfig and build tools to support flash encryption and E-Fuse burning when flash encryption is enabled. Signed-off-by: Filipe Cavalcanti <[email protected]> --- arch/risc-v/src/common/espressif/Kconfig | 38 +++++++++++++ arch/xtensa/src/common/espressif/Kconfig | 39 +++++++++++++ arch/xtensa/src/esp32/Kconfig.security | 39 +++++++++++++ arch/xtensa/src/esp32s2/Kconfig.security | 39 +++++++++++++ tools/esp32/Config.mk | 90 +++++++++++++++++++++++++----- tools/esp32s2/Config.mk | 92 +++++++++++++++++++++++++++---- tools/esp32s3/Config.mk | 93 ++++++++++++++++++++++++++++--- tools/espressif/Config.mk | 95 ++++++++++++++++++++++++++++++-- 8 files changed, 489 insertions(+), 36 deletions(-) diff --git a/arch/risc-v/src/common/espressif/Kconfig b/arch/risc-v/src/common/espressif/Kconfig index 3f987cb87e1..9eb97689bbe 100644 --- a/arch/risc-v/src/common/espressif/Kconfig +++ b/arch/risc-v/src/common/espressif/Kconfig @@ -299,6 +299,44 @@ choice ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE endchoice +config ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY + bool "Require user provided encryption key for flash encryption" + default y + ---help--- + This option enables the requirement of a host generated flash encryption key. + + If not selected, a random key will be generated by the bootloader on first boot. + In this case, the user will not have access to the key and will be unable to reuse it. + +if ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME + string "Path to flash encryption key" + default "flash_enc_key.bin" + ---help--- + Path to the key file used to encrypt the flash. + + This key is in a binary format and is generated by espsecure application. + + Path is evaluated relative to the NuttX root directory. + + You can generate a new signing key by running the following command: + $ espsecure.py generate_flash_encryption_key <key_name> + +endif # ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED + bool "Device is already encrypted" + default n + depends on ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + depends on !ESPRESSIF_EFUSE_VIRTUAL + ---help--- + Append --encrypt to esptool.py write_flash command. + + This option is useful when the device already has a flash encryption key, + and the user wants to simply flash a new firmware to it, using the key already present. + It requires that the DEVELOPMENT mode is set. It is not possible to reflash in RELEASE mode. + endif # ESPRESSIF_SECURE_FLASH_ENC_ENABLED endmenu # Bootloader and Image Configuration diff --git a/arch/xtensa/src/common/espressif/Kconfig b/arch/xtensa/src/common/espressif/Kconfig index e04955f10c4..958317f4936 100644 --- a/arch/xtensa/src/common/espressif/Kconfig +++ b/arch/xtensa/src/common/espressif/Kconfig @@ -458,6 +458,45 @@ choice ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE endchoice +config ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY + bool "Require user provided encryption key for flash encryption" + default y + ---help--- + This option enables the requirement of a host generated flash encryption key. + + If not selected, a random key will be generated by the bootloader on first boot. + In this case, the user will not have access to the key and will be unable to reuse it. + +if ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME + string "Path to flash encryption key" + default "flash_enc_key.bin" + ---help--- + Path to the key file used to encrypt the flash. + + This key is in a binary format and is generated by espsecure application. + + Path is evaluated relative to the NuttX root directory. + + You can generate a new signing key by running the following command: + $ espsecure.py generate_flash_encryption_key <key_name> + +endif # ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED + bool "Device is already encrypted" + default n + depends on ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + depends on !ESPRESSIF_EFUSE_VIRTUAL + ---help--- + Append --encrypt to esptool.py write_flash command. + + This option is useful when the device already has a flash encryption key, + and the user wants to simply flash a new firmware to it, using the key already present. + If requires that the DEVELOPMENT mode is set, it is not possible to reflash + in RELEASE mode. + endif # ESPRESSIF_SECURE_FLASH_ENC_ENABLED endmenu # Bootloader and Image Configuration diff --git a/arch/xtensa/src/esp32/Kconfig.security b/arch/xtensa/src/esp32/Kconfig.security index b7ab5316120..3395d2c0797 100644 --- a/arch/xtensa/src/esp32/Kconfig.security +++ b/arch/xtensa/src/esp32/Kconfig.security @@ -140,6 +140,45 @@ choice ESP32_SECURE_FLASH_ENCRYPTION_MODE endchoice +config ESP32_SECURE_FLASH_ENC_USE_HOST_KEY + bool "Require user provided encryption key for flash encryption" + default y + ---help--- + This option enables the requirement of a host generated flash encryption key. + + If not selected, a random key will be generated by the bootloader on first boot. + In this case, the user will not have access to the key and will be unable to reuse it. + +if ESP32_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME + string "Path to flash encryption key" + default "flash_enc_key.bin" + ---help--- + Path to the key file used to encrypt the flash. + + This key is in a binary format and is generated by espsecure application. + + Path is evaluated relative to the NuttX root directory. + + You can generate a new signing key by running the following command: + $ espsecure.py generate_flash_encryption_key <key_name> + +endif # ESP32_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESP32_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED + bool "Device is already encrypted" + default n + depends on ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + depends on !ESPRESSIF_EFUSE_VIRTUAL + ---help--- + Append --encrypt to esptool.py write_flash command. + + This option is useful when the device already has a flash encryption key, + and the user wants to simply flash a new firmware to it, using the key already present. + If requires that the DEVELOPMENT mode is set, it is not possible to reflash + in RELEASE mode. + endif # ESP32_SECURE_FLASH_ENC_ENABLED menu "Potentially insecure options" diff --git a/arch/xtensa/src/esp32s2/Kconfig.security b/arch/xtensa/src/esp32s2/Kconfig.security index 0cc90e53088..d2e80905fcc 100644 --- a/arch/xtensa/src/esp32s2/Kconfig.security +++ b/arch/xtensa/src/esp32s2/Kconfig.security @@ -145,6 +145,45 @@ choice ESP32S2_SECURE_FLASH_ENCRYPTION_MODE endchoice +config ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY + bool "Require user provided encryption key for flash encryption" + default y + ---help--- + This option enables the requirement of a host generated flash encryption key. + + If not selected, a random key will be generated by the bootloader on first boot. + In this case, the user will not have access to the key and will be unable to reuse it. + +if ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME + string "Path to flash encryption key" + default "flash_enc_key.bin" + ---help--- + Path to the key file used to encrypt the flash. + + This key is in a binary format and is generated by espsecure application. + + Path is evaluated relative to the NuttX root directory. + + You can generate a new signing key by running the following command: + $ espsecure.py generate_flash_encryption_key <key_name> + +endif # ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY + +config ESP32S2_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED + bool "Device is already encrypted" + default n + depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + depends on !ESPRESSIF_EFUSE_VIRTUAL + ---help--- + Append --encrypt to esptool.py write_flash command. + + This option is useful when the device already has a flash encryption key, + and the user wants to simply flash a new firmware to it, using the key already present. + If requires that the DEVELOPMENT mode is set, it is not possible to reflash + in RELEASE mode. + endif # ESP32S2_SECURE_FLASH_ENC_ENABLED menu "Potentially insecure options" diff --git a/tools/esp32/Config.mk b/tools/esp32/Config.mk index ebb8210b41d..1465ea2f984 100644 --- a/tools/esp32/Config.mk +++ b/tools/esp32/Config.mk @@ -58,6 +58,10 @@ else ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ) endif +ifeq ($(CONFIG_ESP32_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED),y) + ESPTOOL_WRITEFLASH_OPTS += --encrypt +endif + ifneq ($(CONFIG_ESP32_SECURE_BOOT)$(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),) ESPTOOL_RESET_OPTS += --after no_reset endif @@ -94,7 +98,7 @@ ifdef ESPTOOL_BINDIR FLASH_BL := $(BL_OFFSET) $(BOOTLOADER) - ifneq ($(CONFIG_ESP32_SECURE_BOOT)$(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),) + ifneq ($(CONFIG_ESP32_SECURE_BOOT),) ESPTOOL_BINS := else ESPTOOL_BINS := $(FLASH_BL) @@ -124,7 +128,13 @@ else ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) APP_IMAGE := nuttx.bin endif - FLASH_APP := $(APP_OFFSET) $(APP_IMAGE) + FLASH_APP := $(APP_OFFSET) $(APP_IMAGE) + + ifeq ($(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),y) + ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y) + ENC_APP := $(CONFIG_ESP32_STORAGE_MTD_OFFSET) enc_mtd.bin + endif + endif ifeq ($(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),y) IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32 @@ -144,7 +154,7 @@ else ESPTOOL_BINDIR := . endif -ESPTOOL_BINS += $(FLASH_APP) +ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP) ifeq ($(CONFIG_BUILD_PROTECTED),y) ESPTOOL_BINS += $(CONFIG_ESP32_USER_IMAGE_OFFSET) nuttx_user.bin @@ -157,6 +167,68 @@ YELLOW = \033[1;33m BOLD = \033[1m RST = \033[0m +# Flash encryption procedure + +define FLASH_ENC + $(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)"; + + $(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \ + fi + + $(Q) if [ "$(CONFIG_ESP32_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + if [ ! -f "$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \ + echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \ + echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \ + exit 1; \ + fi; \ + fi + + $(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \ + echo "Applying encryption to user MTD partition on flash."; \ + if [ ! -f "$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \ + echo -e "$(RED)Make sure CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \ + exit 1; \ + fi; \ + size_int=$$(( $(CONFIG_ESP32_STORAGE_MTD_SIZE) )); \ + echo -e "Encrypting user MTD partition offset: $(CONFIG_ESP32_STORAGE_MTD_OFFSET), size: $(CONFIG_ESP32_STORAGE_MTD_SIZE) ($$size_int)"; \ + dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \ + espsecure.py encrypt_flash_data --keyfile $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \ + rm blank_mtd.bin; \ + fi + +endef + +# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted + +define BURN_EFUSES + $(Q) if [ "$(CONFIG_ESP32_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \ + elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \ + else \ + if [ "$(CONFIG_ESP32_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \ + else \ + echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \ + fi; \ + echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \ + efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \ + if echo "$$efuse_summary" | grep -q '?? ??'; then \ + echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \ + else \ + echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \ + if [ -z "$(NOCHECK)" ] ; then \ + espefuse.py --port $(ESPTOOL_PORT) burn_key flash_encryption $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME); \ + else \ + espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key flash_encryption $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME); \ + fi; \ + fi; \ + fi +endef + # Functions for printing help messages define HELP_SIGN_APP @@ -167,14 +239,6 @@ define HELP_SIGN_APP $(Q) echo "" endef -define HELP_FLASH_BOOTLOADER - $(Q) echo "" - $(Q) echo "$(YELLOW)Security features enabled, so bootloader not flashed automatically.$(RST)" - $(Q) echo "Use the following command to flash the bootloader:" - $(Q) echo " esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(FLASH_BL)" - $(Q) echo "" -endef - # MERGEBIN -- Merge raw binary files into a single file define MERGEBIN @@ -290,6 +354,7 @@ endif define POSTBUILD $(call MKIMAGE) $(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN)) + $(if $(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC)) $(if $(CONFIG_ESP32_MERGE_BINS),$(call MERGEBIN)) endef @@ -306,8 +371,7 @@ define FLASH exit 1; \ fi + $(if $(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES)) $(eval ESPTOOL_OPTS := -c esp32 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS)) esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS) - - $(if $(CONFIG_ESP32_SECURE_BOOT)$(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),$(call HELP_FLASH_BOOTLOADER)) endef diff --git a/tools/esp32s2/Config.mk b/tools/esp32s2/Config.mk index b8402f9c8d4..a98615b5671 100644 --- a/tools/esp32s2/Config.mk +++ b/tools/esp32s2/Config.mk @@ -58,6 +58,10 @@ else ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ) endif +ifeq ($(CONFIG_ESP32S2_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED),y) + ESPTOOL_WRITEFLASH_OPTS += --encrypt +endif + ifneq ($(CONFIG_ESP32S2_SECURE_BOOT)$(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),) ESPTOOL_RESET_OPTS += --after no_reset endif @@ -86,7 +90,7 @@ ifdef ESPTOOL_BINDIR FLASH_BL := $(BL_OFFSET) $(BOOTLOADER) - ifneq ($(CONFIG_ESP32S2_SECURE_BOOT)$(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),) + ifneq ($(CONFIG_ESP32S2_SECURE_BOOT),) ESPTOOL_BINS := else ESPTOOL_BINS := $(FLASH_BL) @@ -114,6 +118,12 @@ ifeq ($(CONFIG_ESP32S2_APP_FORMAT_MCUBOOT),y) FLASH_APP := $(APP_OFFSET) $(APP_IMAGE) + ifeq ($(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),y) + ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y) + ENC_APP := $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET) enc_mtd.bin + endif + endif + ifeq ($(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),y) IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32 else @@ -132,7 +142,7 @@ else ESPTOOL_BINDIR := . endif -ESPTOOL_BINS += $(FLASH_APP) +ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP) # Commands for colored and formatted output @@ -151,12 +161,73 @@ define HELP_SIGN_APP $(Q) echo "" endef -define HELP_FLASH_BOOTLOADER - $(Q) echo "" - $(Q) echo "$(YELLOW)Security features enabled, so bootloader not flashed automatically.$(RST)" - $(Q) echo "Use the following command to flash the bootloader:" - $(Q) echo " esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(FLASH_BL)" - $(Q) echo "" +# Commands for colored and formatted output + +RED = \033[1;31m +YELLOW = \033[1;33m +BOLD = \033[1m +RST = \033[0m + +# Flash encryption procedure + +define FLASH_ENC + $(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)"; + + $(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \ + fi + + $(Q) if [ "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + if [ ! -f "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \ + echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \ + echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \ + exit 1; \ + fi; \ + fi + + $(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \ + echo "Applying encryption to user MTD partition on flash."; \ + if [ ! -f "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \ + echo -e "$(RED)Make sure CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \ + exit 1; \ + fi; \ + size_int=$$(( $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) )); \ + echo -e "Encrypting user MTD partition offset: $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET), size: $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) ($$size_int)"; \ + dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \ + espsecure.py encrypt_flash_data --aes_xts --keyfile $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \ + rm blank_mtd.bin; \ + fi + +endef + +# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted + +define BURN_EFUSES + $(Q) if [ "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \ + elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \ + else \ + if [ "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \ + else \ + echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \ + fi; \ + echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \ + efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \ + if echo "$$efuse_summary" | grep -q '?? ??'; then \ + echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \ + else \ + echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \ + if [ -z "$(NOCHECK)" ] ; then \ + espefuse.py --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \ + else \ + espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \ + fi; \ + fi; \ + fi endef # MERGEBIN -- Merge raw binary files into a single file @@ -251,6 +322,7 @@ endif define POSTBUILD $(call MKIMAGE) $(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN)) + $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC)) $(if $(CONFIG_ESP32S2_MERGE_BINS),$(call MERGEBIN)) endef @@ -266,8 +338,8 @@ define FLASH echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \ exit 1; \ fi + + $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES)) $(eval ESPTOOL_OPTS := -c esp32s2 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS) $(if $(CONFIG_ESP32S2_ESPTOOLPY_NO_STUB),--no-stub)) esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS) - - $(if $(CONFIG_ESP32S2_SECURE_BOOT)$(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call HELP_FLASH_BOOTLOADER)) endef diff --git a/tools/esp32s3/Config.mk b/tools/esp32s3/Config.mk index ee9717e5fcc..538049a6393 100644 --- a/tools/esp32s3/Config.mk +++ b/tools/esp32s3/Config.mk @@ -107,11 +107,19 @@ else ifeq ($(CONFIG_ESP32S3_APP_FORMAT_MCUBOOT),y) APP_IMAGE := nuttx.bin FLASH_APP := $(APP_OFFSET) $(APP_IMAGE) -ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y) - IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32 -else - IMGTOOL_ALIGN_ARGS := --align 4 -endif + + ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y) + ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y) + ENC_APP := $(CONFIG_ESP32S3_STORAGE_MTD_OFFSET) enc_mtd.bin + endif + endif + + ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y) + IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32 + else + IMGTOOL_ALIGN_ARGS := --align 4 + endif + IMGTOOL_SIGN_ARGS := --pad $(VERIFIED) $(IMGTOOL_ALIGN_ARGS) -v 0 -s auto \ -H $(CONFIG_ESP32S3_APP_MCUBOOT_HEADER_SIZE) --pad-header \ -S $(CONFIG_ESP32S3_OTA_SLOT_SIZE) @@ -124,7 +132,7 @@ else ESPTOOL_BINDIR := . endif -ESPTOOL_BINS += $(FLASH_APP) +ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP) ifeq ($(CONFIG_BUILD_PROTECTED),y) # Check the operating system @@ -138,6 +146,75 @@ ifeq ($(CONFIG_BUILD_PROTECTED),y) endif endif +# Commands for colored and formatted output + +RED = \033[1;31m +YELLOW = \033[1;33m +BOLD = \033[1m +RST = \033[0m + +# Flash encryption procedure + +define FLASH_ENC + $(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)"; + + $(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \ + fi + + $(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \ + echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \ + echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \ + exit 1; \ + fi; \ + fi + + $(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \ + echo "Applying encryption to user MTD partition on flash."; \ + if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \ + echo -e "$(RED)Make sure CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \ + exit 1; \ + fi; \ + size_int=$$(( $(CONFIG_ESP32S3_STORAGE_MTD_SIZE) )); \ + echo -e "Encrypting user MTD partition offset: $(CONFIG_ESP32S3_STORAGE_MTD_OFFSET), size: $(CONFIG_ESP32S3_STORAGE_MTD_SIZE) ($$size_int)"; \ + dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \ + espsecure.py encrypt_flash_data --aes_xts --keyfile $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \ + rm blank_mtd.bin; \ + fi + +endef + +# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted + +define BURN_EFUSES + $(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \ + elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \ + else \ + if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \ + else \ + echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \ + fi; \ + echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \ + efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \ + if echo "$$efuse_summary" | grep -q '?? ??'; then \ + echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \ + else \ + echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \ + if [ -z "$(NOCHECK)" ] ; then \ + espefuse.py --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \ + else \ + espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \ + fi; \ + fi; \ + fi +endef + # MERGEBIN -- Merge raw binary files into a single file define MERGEBIN @@ -157,7 +234,7 @@ define MERGEBIN $(ESPTOOL_FLASH_OPTS) \ ) \ ) - esptool.py -c esp32s3 merge_bin --output nuttx.merged.bin $(ESPTOOL_MERGEBIN_OPTS) $(ESPTOOL_BINS) + esptool.py -c esp32s3 merge_bin $(ESPTOOL_MERGEBIN_OPTS) --output nuttx.merged.bin $(ESPTOOL_BINS) $(Q) echo nuttx.merged.bin >> nuttx.manifest $(Q) echo "Generated: nuttx.merged.bin" endef @@ -220,6 +297,7 @@ endif define POSTBUILD $(call MKIMAGE) $(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN)) + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC)) $(if $(CONFIG_ESP32S3_MERGE_BINS),$(call MERGEBIN)) endef @@ -235,6 +313,7 @@ define FLASH echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \ exit 1; \ fi + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES)) $(eval ESPTOOL_OPTS := -c esp32s3 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(if $(CONFIG_ESP32S3_ESPTOOLPY_NO_STUB),--no-stub)) esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS) endef diff --git a/tools/espressif/Config.mk b/tools/espressif/Config.mk index 17b1fc68708..807de5abd41 100644 --- a/tools/espressif/Config.mk +++ b/tools/espressif/Config.mk @@ -68,6 +68,10 @@ else ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ) endif +ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED),y) + ESPTOOL_WRITEFLASH_OPTS += --encrypt +endif + # Configure the variables according to build environment ESPTOOL_MIN_VERSION := 4.8.0 @@ -101,11 +105,19 @@ ifeq ($(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),y) APP_IMAGE := nuttx.bin FLASH_APP := $(APP_OFFSET) $(APP_IMAGE) -ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y) - IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32 -else - IMGTOOL_ALIGN_ARGS := --align 4 -endif + + ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y) + ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y) + ENC_APP := $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET) enc_mtd.bin + endif + endif + + ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y) + IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32 + else + IMGTOOL_ALIGN_ARGS := --align 4 + endif + IMGTOOL_SIGN_ARGS := --pad $(VERIFIED) $(IMGTOOL_ALIGN_ARGS) -v $(CONFIG_ESPRESSIF_MCUBOOT_SIGN_IMAGE_VERSION) -s auto \ -H $(CONFIG_ESPRESSIF_APP_MCUBOOT_HEADER_SIZE) --pad-header \ -S $(CONFIG_ESPRESSIF_OTA_SLOT_SIZE) @@ -116,7 +128,76 @@ else ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y) ESPTOOL_BINDIR := . endif -ESPTOOL_BINS += $(FLASH_APP) +ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP) + +# Commands for colored and formatted output + +RED = \033[1;31m +YELLOW = \033[1;33m +BOLD = \033[1m +RST = \033[0m + +# Flash encryption procedure + +define FLASH_ENC + $(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)"; + + $(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \ + fi + + $(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \ + echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \ + echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \ + exit 1; \ + fi; \ + fi + + $(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \ + echo "Applying encryption to user MTD partition on flash."; \ + if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \ + echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \ + echo -e "$(RED)Make sure CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \ + exit 1; \ + fi; \ + size_int=$$(( $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) )); \ + echo -e "Encrypting user MTD partition offset: $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET), size: $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) ($$size_int)"; \ + dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \ + espsecure.py encrypt_flash_data --aes_xts --keyfile $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \ + rm blank_mtd.bin; \ + fi + +endef + +# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted + +define BURN_EFUSES + $(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \ + elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \ + echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \ + else \ + if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \ + echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \ + else \ + echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \ + fi; \ + echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \ + efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \ + if echo "$$efuse_summary" | grep -q '?? ??'; then \ + echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \ + else \ + echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \ + if [ -z "$(NOCHECK)" ] ; then \ + espefuse.py --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \ + else \ + espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \ + fi; \ + fi; \ + fi +endef # MERGEBIN -- Merge raw binary files into a single file @@ -172,6 +253,7 @@ endif define POSTBUILD $(call MKIMAGE) $(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN)) + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC)) $(if $(CONFIG_ESPRESSIF_MERGE_BINS),$(call MERGEBIN)) endef @@ -188,6 +270,7 @@ define FLASH exit 1; \ fi + $(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES)) $(eval ESPTOOL_OPTS := -c $(CHIP_SERIES) -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(if $(CONFIG_ESPRESSIF_ESPTOOLPY_NO_STUB),--no-stub)) $(eval WRITEFLASH_OPTS := $(if $(CONFIG_ESPRESSIF_MERGE_BINS),$(ESPTOOL_WRITEFLASH_OPTS) 0x0 nuttx.merged.bin,$(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS))) esptool.py $(ESPTOOL_OPTS) write_flash $(WRITEFLASH_OPTS)
