This is an automated email from the ASF dual-hosted git repository. xiaoxiang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit 6c3223289ffd8e0515719fd638bb6d742a6d5437 Author: Gustavo Henrique Nihei <[email protected]> AuthorDate: Fri Oct 29 11:10:41 2021 -0300 xtensa/esp32: Add Secure Boot support on top of MCUboot This adds the capabitlity of building signed images on NuttX. Signed-off-by: Gustavo Henrique Nihei <[email protected]> --- arch/xtensa/src/esp32/Bootloader.mk | 115 +++++++++++++++++--- arch/xtensa/src/esp32/Kconfig | 2 + arch/xtensa/src/esp32/Kconfig.security | 188 +++++++++++++++++++++++++++++++++ tools/esp32/Config.mk | 107 ++++++++++++++++--- 4 files changed, 383 insertions(+), 29 deletions(-) diff --git a/arch/xtensa/src/esp32/Bootloader.mk b/arch/xtensa/src/esp32/Bootloader.mk index 4d06770..3de2f64 100644 --- a/arch/xtensa/src/esp32/Bootloader.mk +++ b/arch/xtensa/src/esp32/Bootloader.mk @@ -31,25 +31,80 @@ BOOTLOADER_CONFIG = $(CHIPDIR)/bootloader.conf $(BOOTLOADER_SRCDIR): $(Q) git clone $(BOOTLOADER_URL) $(BOOTLOADER_SRCDIR) -b $(BOOTLOADER_VERSION) +# Commands for colored and formatted output + +RED = \033[1;31m +YELLOW = \033[1;33m +BOLD = \033[1m +RST = \033[0m + $(BOOTLOADER_CONFIG): $(TOPDIR)/.config +ifeq ($(CONFIG_ESP32_SECURE_BOOT),y) + $(Q) if [ -z "$(ESPSEC_KEYDIR)" ]; then \ + echo ""; \ + echo "$(RED)bootloader error:$(RST) Missing argument for secure boot keys directory."; \ + echo "USAGE: make bootloader ESPSEC_KEYDIR=<dir>"; \ + echo ""; \ + exit 1; \ + fi +endif $(Q) echo "Creating Bootloader configuration" $(Q) { \ - [ "$(CONFIG_ESP32_FLASH_2M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_2MB=y"; \ - [ "$(CONFIG_ESP32_FLASH_4M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y"; \ - [ "$(CONFIG_ESP32_FLASH_8M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_8MB=y"; \ - [ "$(CONFIG_ESP32_FLASH_16M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y"; \ - [ "$(CONFIG_ESP32_FLASH_MODE_DIO)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_DIO=y"; \ - [ "$(CONFIG_ESP32_FLASH_MODE_DOUT)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_DOUT=y"; \ - [ "$(CONFIG_ESP32_FLASH_MODE_QIO)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_QIO=y"; \ - [ "$(CONFIG_ESP32_FLASH_MODE_QOUT)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHMODE_QOUT=y"; \ - [ "$(CONFIG_ESP32_FLASH_FREQ_80M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_80M=y"; \ - [ "$(CONFIG_ESP32_FLASH_FREQ_40M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_40M=y"; \ - [ "$(CONFIG_ESP32_FLASH_FREQ_26M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_26M=y"; \ - [ "$(CONFIG_ESP32_FLASH_FREQ_20M)" = "y" ] && echo "CONFIG_ESPTOOLPY_FLASHFREQ_20M=y"; \ - true; \ + $(if $(CONFIG_ESP32_FLASH_2M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_2MB=y";) \ + $(if $(CONFIG_ESP32_FLASH_4M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y";) \ + $(if $(CONFIG_ESP32_FLASH_8M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_8MB=y";) \ + $(if $(CONFIG_ESP32_FLASH_16M), echo "CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y";) \ + $(if $(CONFIG_ESP32_FLASH_MODE_DIO), echo "CONFIG_ESPTOOLPY_FLASHMODE_DIO=y";) \ + $(if $(CONFIG_ESP32_FLASH_MODE_DOUT), echo "CONFIG_ESPTOOLPY_FLASHMODE_DOUT=y";) \ + $(if $(CONFIG_ESP32_FLASH_MODE_QIO), echo "CONFIG_ESPTOOLPY_FLASHMODE_QIO=y";) \ + $(if $(CONFIG_ESP32_FLASH_MODE_QOUT), echo "CONFIG_ESPTOOLPY_FLASHMODE_QOUT=y";) \ + $(if $(CONFIG_ESP32_FLASH_FREQ_80M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_80M=y";) \ + $(if $(CONFIG_ESP32_FLASH_FREQ_40M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_40M=y";) \ + $(if $(CONFIG_ESP32_FLASH_FREQ_26M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_26M=y";) \ + $(if $(CONFIG_ESP32_FLASH_FREQ_20M), echo "CONFIG_ESPTOOLPY_FLASHFREQ_20M=y";) \ } > $(BOOTLOADER_CONFIG) ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) + $(eval KEYDIR := $(TOPDIR)/$(ESPSEC_KEYDIR)) + $(eval APP_SIGN_KEY := $(abspath $(KEYDIR)/$(subst ",,$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY)))) $(Q) { \ + $(if $(CONFIG_ESP32_SECURE_BOOT), \ + echo "CONFIG_SECURE_BOOT=y"; \ + echo "CONFIG_SECURE_BOOT_V2_ENABLED=y"; \ + echo "CONFIG_ESP_SIGN_KEY_FILE=$(APP_SIGN_KEY)"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_2048), \ + echo "CONFIG_ESP_USE_MBEDTLS=y"; \ + echo "CONFIG_ESP_SIGN_RSA=y"; \ + echo "CONFIG_ESP_SIGN_RSA_LEN=2048"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072), \ + echo "CONFIG_ESP_USE_MBEDTLS=y"; \ + echo "CONFIG_ESP_SIGN_RSA=y"; \ + echo "CONFIG_ESP_SIGN_RSA_LEN=3072"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_ECDSA_P256), \ + echo "CONFIG_ESP_USE_TINYCRYPT=y"; \ + echo "CONFIG_ESP_SIGN_EC256=y"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_SIGNED_APPS_SCHEME_ED25519), \ + echo "CONFIG_ESP_USE_TINYCRYPT=y"; \ + echo "CONFIG_ESP_SIGN_ED25519=y"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_BOOT_ALLOW_ROM_BASIC), \ + echo "CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_BOOT_ALLOW_JTAG), \ + echo "CONFIG_SECURE_BOOT_ALLOW_JTAG=y"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_BOOT_ALLOW_EFUSE_RD_DIS), \ + echo "CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS=y"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_DISABLE_ROM_DL_MODE), \ + echo "CONFIG_SECURE_DISABLE_ROM_DL_MODE=y"; \ + ) \ + $(if $(CONFIG_ESP32_SECURE_INSECURE_ALLOW_DL_MODE), \ + echo "CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y"; \ + ) \ echo "CONFIG_ESP_BOOTLOADER_SIZE=0xF000"; \ echo "CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS=$(CONFIG_ESP32_OTA_PRIMARY_SLOT_OFFSET)"; \ echo "CONFIG_ESP_APPLICATION_SIZE=$(CONFIG_ESP32_OTA_SLOT_SIZE)"; \ @@ -68,15 +123,43 @@ endif ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) -bootloader: $(BOOTLOADER_SRCDIR) $(BOOTLOADER_CONFIG) - $(Q) echo "Building Bootloader binaries" +BOOTLOADER_BIN = $(TOPDIR)/mcuboot-esp32.bin +BOOTLOADER_SIGNED_BIN = $(TOPDIR)/mcuboot-esp32.signed.bin + +$(BOOTLOADER_BIN): $(BOOTLOADER_CONFIG) + $(Q) echo "Building Bootloader" $(Q) $(BOOTLOADER_SRCDIR)/build_mcuboot.sh -c esp32 -s -f $(BOOTLOADER_CONFIG) $(call COPYFILE, $(BOOTLOADER_SRCDIR)/$(BOOTLOADER_OUTDIR)/mcuboot-esp32.bin, $(TOPDIR)) +bootloader: $(BOOTLOADER_CONFIG) $(BOOTLOADER_SRCDIR) $(BOOTLOADER_BIN) +ifeq ($(CONFIG_ESP32_SECURE_BOOT),y) + $(eval KEYDIR := $(TOPDIR)/$(ESPSEC_KEYDIR)) + $(eval BOOTLOADER_SIGN_KEY := $(abspath $(KEYDIR)/$(subst ",,$(CONFIG_ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY)))) +ifeq ($(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES),y) + $(Q) if [ ! -f "$(BOOTLOADER_SIGN_KEY)" ]; then \ + echo ""; \ + echo "$(RED)bootloader error:$(RST) Bootloader signing key $(BOLD)$(CONFIG_ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY)$(RST) does not exist."; \ + echo "Generate using:"; \ + echo " espsecure.py generate_signing_key --version 2 $(CONFIG_ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY)"; \ + echo ""; \ + exit 1; \ + fi + $(Q) echo "Signing Bootloader" + espsecure.py sign_data --version 2 --keyfile $(BOOTLOADER_SIGN_KEY) -o $(BOOTLOADER_SIGNED_BIN) $(BOOTLOADER_BIN) +else + $(Q) echo "" + $(Q) echo "$(YELLOW)Bootloader not signed. Sign the bootloader before flashing.$(RST)" + $(Q) echo "To sign the bootloader, you can use this command:" + $(Q) echo " espsecure.py sign_data --version 2 --keyfile $(BOOTLOADER_SIGN_KEY) -o mcuboot-esp32.signed.bin mcuboot-esp32.bin" + $(Q) echo "" +endif +endif + clean_bootloader: $(call DELDIR, $(BOOTLOADER_SRCDIR)) $(call DELFILE, $(BOOTLOADER_CONFIG)) - $(call DELFILE, $(TOPDIR)/mcuboot-esp32.bin) + $(call DELFILE, $(BOOTLOADER_BIN)) + $(if $(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES), $(call DELFILE, $(BOOTLOADER_SIGNED_BIN))) else ifeq ($(CONFIG_ESP32_APP_FORMAT_LEGACY),y) diff --git a/arch/xtensa/src/esp32/Kconfig b/arch/xtensa/src/esp32/Kconfig index 207c9c2..55178c1 100644 --- a/arch/xtensa/src/esp32/Kconfig +++ b/arch/xtensa/src/esp32/Kconfig @@ -1360,6 +1360,8 @@ config ESP32_PARTITION_TABLE_OFFSET default 0x8000 depends on ESP32_APP_FORMAT_LEGACY +source "arch/xtensa/src/esp32/Kconfig.security" + endmenu # Application Image Configuration config ESP32_AUTO_SLEEP diff --git a/arch/xtensa/src/esp32/Kconfig.security b/arch/xtensa/src/esp32/Kconfig.security new file mode 100644 index 0000000..c1a863c --- /dev/null +++ b/arch/xtensa/src/esp32/Kconfig.security @@ -0,0 +1,188 @@ +# +# For a description of the syntax of this configuration file, +# see the file kconfig-language.txt in the NuttX tools repository. +# + +comment "Secure Boot" + +config ESP32_SECURE_BOOT + bool "Enable hardware Secure Boot in bootloader (READ HELP FIRST)" + default n + depends on ESP32_APP_FORMAT_MCUBOOT + ---help--- + Build a bootloader which enables Secure Boot on first boot. + + Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only boot an + application firmware image if it has a verified digital signature. There are implications for reflashing + updated images once Secure Boot is enabled. + + When enabling Secure Boot, JTAG and ROM BASIC Interpreter are permanently disabled by default. + +if ESP32_SECURE_BOOT + +comment "Secure Boot support requires building bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)" + depends on !ESP32_BOOTLOADER_BUILD_FROM_SOURCE + +config ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES + bool "Sign binaries during build" + default y + ---help--- + Once Secure Boot is enabled, bootloader and application images are required to be signed. + + If enabled (default), these binary files are signed as part of the build process. + The files named in "Bootloader private signing key" and "Application private signing key" will + be used to sign the bootloader and application images, respectively. + + If disabled, unsigned firmware images will be built. + They must be then signed manually using imgtool (e.g., on a remote signing server). + +config ESP32_SECURE_BOOT_BOOTLOADER_SIGNING_KEY + string "Bootloader private signing key" + default "bootloader_signing_key.pem" + ---help--- + Path to the key file used to sign the bootloader image. + + Key file is an RSA private key in PEM format. + + Path is evaluated relative to the directory indicated by the ESPSEC_KEYDIR environment + variable. + + You can generate a new signing key by running the following command: + $ espsecure.py generate_signing_key --version 2 bootloader_signing_key.pem + + See the Secure Boot section of the ESP-IDF Programmer's Guide for this version for details. + +choice ESP32_SECURE_SIGNED_APPS_SCHEME + prompt "Application image signing scheme" + default ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072 + ---help--- + Select the secure application signing scheme. + + config ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_2048 + bool "RSA-2048" + + config ESP32_SECURE_SIGNED_APPS_SCHEME_RSA_3072 + bool "RSA-3072" + + config ESP32_SECURE_SIGNED_APPS_SCHEME_ECDSA_P256 + bool "ECDSA-P256" + + config ESP32_SECURE_SIGNED_APPS_SCHEME_ED25519 + bool "ED25519" + +endchoice + +config ESP32_SECURE_BOOT_APP_SIGNING_KEY + string "Application private signing key" + default "app_signing_key.pem" + ---help--- + Path to the key file used to sign NuttX application images. + + Key file is in PEM format and its type shall be specified by the configuration defined in + "Application image signing scheme". + + Path is evaluated relative to the directory indicated by the ESPSEC_KEYDIR environment + variable. + + You can generate a new signing key by running the following command: + $ imgtool keygen --key app_signing_key.pem --type <ESP32_SECURE_SIGNED_APPS_SCHEME> + +config ESP32_SECURE_BOOT_INSECURE + bool "Allow potentially insecure options" + default n + ---help--- + You can disable some of the default protections offered by Secure Boot, in order to enable testing or a + custom combination of security features. + + Only enable these options if you are very sure. + + Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling. + +endif # ESP32_SECURE_BOOT + +menu "Potentially insecure options" + visible if ESP32_SECURE_BOOT_INSECURE + + # NOTE: Options in this menu NEED to have ESP32_SECURE_BOOT_INSECURE + # and/or ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu + # itself doesn't enable/disable its children (if it's not set, + # it's possible for the insecure menu to be disabled but the insecure option + # to remain on which is very bad.) + +config ESP32_SECURE_BOOT_ALLOW_ROM_BASIC + bool "Leave ROM BASIC Interpreter available on reset" + default n + depends on ESP32_SECURE_BOOT_INSECURE + ---help--- + By default, the BASIC ROM Console starts on reset if no valid bootloader is + read from the flash. + + When either Flash Encryption or Secure Boot are enabled, the default is to + disable this BASIC fallback mode permanently via eFuse. + + If this option is set, this eFuse is not burned and the BASIC ROM Console may + remain accessible. Only set this option in testing environments. + +config ESP32_SECURE_BOOT_ALLOW_JTAG + bool "Allow JTAG Debugging" + default n + depends on ESP32_SECURE_BOOT_INSECURE + ---help--- + If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot + when either Secure Boot or Flash Encryption is enabled. + + Setting this option leaves JTAG on for debugging, which negates all protections of Flash Encryption + and some of the protections of Secure Boot. + + Only set this option in testing environments. + +config ESP32_SECURE_BOOT_ALLOW_EFUSE_RD_DIS + bool "Allow additional read protecting of efuses" + default n + depends on ESP32_SECURE_BOOT_INSECURE + ---help--- + If not set (default, recommended), on first boot the bootloader will burn the WR_DIS_RD_DIS + efuse when Secure Boot is enabled. This prevents any more efuses from being read protected. + + If this option is set, it will remain possible to write the EFUSE_RD_DIS efuse field after Secure + Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse (for ESP32) and + BLOCK4-BLOCK10 (i.e. BLOCK_KEY0-BLOCK_KEY5)(for other chips) holding the public key digest, causing an + immediate denial of service and possibly allowing an additional fault injection attack to + bypass the signature protection. + + NOTE: Once a BLOCK is read-protected, the application will read all zeros from that block + + NOTE: If UART ROM download mode "Permanently disabled (recommended)" is set, + then it is __NOT__ possible to read/write efuses using espefuse.py utility. + However, efuse can be read/written from the application. + +endmenu # Potentially insecure options + +choice ESP32_SECURE_UART_ROM_DL_MODE + bool "UART ROM download mode" + default ESP32_SECURE_INSECURE_ALLOW_DL_MODE + depends on ESP32_SECURE_BOOT + + config ESP32_SECURE_DISABLE_ROM_DL_MODE + bool "Permanently disabled (recommended)" + ---help--- + If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM + Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools. + + Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode + then an error is printed instead. + + It is recommended to enable this option in any production application where Flash + Encryption and/or Secure Boot is enabled and access to Download Mode is not required. + + It is also possible to permanently disable Download Mode by calling + esp_efuse_disable_rom_download_mode() at runtime. + + config ESP32_SECURE_INSECURE_ALLOW_DL_MODE + bool "Enabled (not recommended)" + ---help--- + This is a potentially insecure option. + Enabling this option will allow the full UART download mode to stay enabled. + This option SHOULD NOT BE ENABLED for production use cases. + +endchoice diff --git a/tools/esp32/Config.mk b/tools/esp32/Config.mk index 5f0c867..01fee0b 100644 --- a/tools/esp32/Config.mk +++ b/tools/esp32/Config.mk @@ -58,6 +58,10 @@ else ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ) endif +ifeq ($(CONFIG_ESP32_SECURE_BOOT),y) + ESPTOOL_RESET_OPTS += --after no_reset +endif + ESPTOOL_FLASH_OPTS := -fs $(FLASH_SIZE) -fm $(FLASH_MODE) -ff $(FLASH_FREQ) # Configure the variables according to build environment @@ -73,9 +77,15 @@ ifdef ESPTOOL_BINDIR ESPTOOL_BINS := $(FLASH_BL) $(FLASH_PT) else ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) BL_OFFSET := 0x1000 - BOOTLOADER := $(ESPTOOL_BINDIR)/mcuboot-esp32.bin - FLASH_BL := $(BL_OFFSET) $(BOOTLOADER) - ESPTOOL_BINS := $(FLASH_BL) + ifeq ($(CONFIG_ESP32_SECURE_BOOT),y) + BOOTLOADER := $(ESPTOOL_BINDIR)/mcuboot-esp32.signed.bin + FLASH_BL := $(BL_OFFSET) $(BOOTLOADER) + ESPTOOL_BINS := + else + BOOTLOADER := $(ESPTOOL_BINDIR)/mcuboot-esp32.bin + FLASH_BL := $(BL_OFFSET) $(BOOTLOADER) + ESPTOOL_BINS := $(FLASH_BL) + endif endif endif @@ -92,12 +102,23 @@ else ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) APP_OFFSET := $(CONFIG_ESP32_OTA_SECONDARY_SLOT_OFFSET) endif - APP_IMAGE := nuttx.signed.bin + ifeq ($(CONFIG_ESP32_SECURE_BOOT),y) + APP_IMAGE := nuttx.signed.bin + else + APP_IMAGE := nuttx.bin + endif FLASH_APP := $(APP_OFFSET) $(APP_IMAGE) endif ESPTOOL_BINS += $(FLASH_APP) +# Commands for colored and formatted output + +RED = \033[1;31m +YELLOW = \033[1;33m +BOLD = \033[1m +RST = \033[0m + # MERGEBIN -- Merge raw binary files into a single file define MERGEBIN @@ -126,11 +147,11 @@ define MERGEBIN fi endef -# SIGNBIN -- Sign the binary image file +# SIGNBIN -- Create the signed binary image file for Secure Boot ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) define SIGNBIN - $(Q) echo "MKIMAGE: ESP32 binary" + $(Q) echo "SIGNBIN: ESP32 signed binary" $(Q) if ! imgtool version 1>/dev/null 2>&1; then \ echo ""; \ echo "imgtool not found. Please run: \"pip install imgtool\""; \ @@ -138,16 +159,34 @@ define SIGNBIN echo "Run make again to create the nuttx.signed.bin image."; \ exit 1; \ fi - imgtool sign --pad --pad-sig $(VERIFIED) --align 4 -v 0 \ + $(Q) if [ -z "$(ESPSEC_KEYDIR)" ]; then \ + echo "SIGNBIN error: Missing argument for secure boot keys directory."; \ + echo "USAGE: make ESPSEC_KEYDIR=<dir>"; \ + exit 1; \ + fi + + $(eval APP_SIGN_KEY := $(ESPSEC_KEYDIR)/$(subst ",,$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY))) + $(Q) if [ ! -f "$(APP_SIGN_KEY)" ]; then \ + echo ""; \ + echo "$(RED)SIGNBIN error:$(RST) Application signing key $(BOLD)$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY)$(RST) does not exist."; \ + echo "Generate using:"; \ + echo " imgtool keygen --key $(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY) --type <ESP32_SECURE_SIGNED_APPS_SCHEME>"; \ + echo ""; \ + exit 1; \ + fi + $(if $(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES), \ + $(eval IMGTOOL_KEY_ARGS := -k $(APP_SIGN_KEY) --public-key-format hash)) + + imgtool sign $(IMGTOOL_KEY_ARGS) --pad $(VERIFIED) --align 4 -v 0 -s auto \ -H $(CONFIG_ESP32_APP_MCUBOOT_HEADER_SIZE) --pad-header \ -S $(CONFIG_ESP32_OTA_SLOT_SIZE) \ - nuttx.bin nuttx.signed.bin + nuttx.hex nuttx.signed.bin $(Q) echo nuttx.signed.bin >> nuttx.manifest $(Q) echo "Generated: nuttx.signed.bin (MCUboot compatible)" endef endif -# ELF2IMAGE -- Convert an ELF file into a binary file in Espressif application image format +# ELF2IMAGE -- Convert an ELF file into a compatible binary file ifeq ($(CONFIG_ESP32_APP_FORMAT_LEGACY),y) define ELF2IMAGE @@ -166,19 +205,57 @@ define ELF2IMAGE esptool.py -c esp32 elf2image $(ESPTOOL_FLASH_OPTS) -o nuttx.bin nuttx $(Q) echo "Generated: nuttx.bin (ESP32 compatible)" endef +else +define ELF2IMAGE + $(Q) echo "MKIMAGE: ESP32 binary" + $(Q) if ! imgtool version 1>/dev/null 2>&1; then \ + echo ""; \ + echo "imgtool not found. Please run: \"pip install imgtool\""; \ + echo ""; \ + echo "Run make again to create the nuttx.signed.bin image."; \ + exit 1; \ + fi + imgtool sign --pad $(VERIFIED) --align 4 -v 0 -s auto \ + -H $(CONFIG_ESP32_APP_MCUBOOT_HEADER_SIZE) --pad-header \ + -S $(CONFIG_ESP32_OTA_SLOT_SIZE) \ + nuttx.hex nuttx.bin + $(Q) echo "Generated: nuttx.bin (MCUboot compatible)" +endef endif +define HELP_SIGN_APP + $(Q) echo "" + $(Q) echo "$(YELLOW)Application not signed. Sign the application before flashing.$(RST)" + $(Q) echo "To sign the application, you can use this command:" + $(Q) echo " imgtool sign -k $(ESPSEC_KEYDIR)/$(CONFIG_ESP32_SECURE_BOOT_APP_SIGNING_KEY) --public-key-format hash --pad $(VERIFIED) --align 4 -v 0 -s auto -H $(CONFIG_ESP32_APP_MCUBOOT_HEADER_SIZE) --pad-header -S $(CONFIG_ESP32_OTA_SLOT_SIZE) nuttx.hex nuttx.signed.bin" + $(Q) echo "" +endef + +define HELP_FLASH_BOOTLOADER + $(Q) echo "" + $(Q) echo "$(YELLOW)Secure boot enabled, so bootloader not flashed automatically.$(RST)" + $(Q) echo "Use the following command to flash the bootloader:" + $(Q) echo " esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(FLASH_BL)" + $(Q) echo "" +endef + # POSTBUILD -- Perform post build operations ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y) define POSTBUILD - $(call SIGNBIN) - $(if $(CONFIG_ESP32_MERGE_BINS), $(call MERGEBIN), ) + $(if $(CONFIG_ESP32_SECURE_BOOT), \ + $(if $(CONFIG_ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES), \ + $(call SIGNBIN), \ + $(call HELP_SIGN_APP) \ + ), \ + $(call ELF2IMAGE) \ + ) + $(if $(CONFIG_ESP32_MERGE_BINS),$(call MERGEBIN)) endef else ifeq ($(CONFIG_ESP32_APP_FORMAT_LEGACY),y) define POSTBUILD $(call ELF2IMAGE) - $(if $(CONFIG_ESP32_MERGE_BINS), $(call MERGEBIN), ) + $(if $(CONFIG_ESP32_MERGE_BINS),$(call MERGEBIN)) endef endif @@ -194,5 +271,9 @@ define FLASH echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \ exit 1; \ fi - esptool.py -c esp32 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS) + + $(eval ESPTOOL_OPTS := -c esp32 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS)) + esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS) + + $(if $(CONFIG_ESP32_SECURE_BOOT),$(call HELP_FLASH_BOOTLOADER)) endef
