This is an automated email from the ASF dual-hosted git repository. github-bot pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/incubator-nuttx-website.git
The following commit(s) were added to refs/heads/asf-site by this push: new 71c8eca Publishing web: 6758fc5efbbf5ed16c807ccdfb012d94d1db201a docs: d5a157636110ab738ae1c888f97bd3f805d12ebb 71c8eca is described below commit 71c8ecafeb363e36017ec147e0d67ae908732bde Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> AuthorDate: Tue Sep 20 00:18:25 2022 +0000 Publishing web: 6758fc5efbbf5ed16c807ccdfb012d94d1db201a docs: d5a157636110ab738ae1c888f97bd3f805d12ebb --- content/docs/10.0.0/index.html | 2 +- content/docs/10.0.1/index.html | 2 +- content/docs/10.1.0/index.html | 2 +- content/docs/10.2.0/index.html | 2 +- content/docs/10.3.0/index.html | 2 +- .../_sources/platforms/xtensa/esp32/index.rst.txt | 103 +++++++++++++++++++ content/docs/latest/index.html | 2 +- content/docs/latest/objects.inv | Bin 37250 -> 37339 bytes .../xtensa/esp32/boards/esp32-devkitc/index.html | 1 + .../esp32/boards/esp32-wrover-kit/index.html | 1 + .../docs/latest/platforms/xtensa/esp32/index.html | 113 +++++++++++++++++++++ content/docs/latest/searchindex.js | 2 +- content/feed.xml | 4 +- 13 files changed, 227 insertions(+), 9 deletions(-) diff --git a/content/docs/10.0.0/index.html b/content/docs/10.0.0/index.html index 46dc22d..222e2e9 100644 --- a/content/docs/10.0.0/index.html +++ b/content/docs/10.0.0/index.html 
@@ -207,7 +207,7 @@ by following these <a class="reference internal" href="contributing/documentatio <div class="section" id="nuttx-documentation"> <h1>NuttX Documentation<a class="headerlink" href="#nuttx-documentation" title="Permalink to this headline">¶</a></h1> <p>NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 32-bit microcontroller environments, the primary governing standards in NuttX are Posix and ANSI standards. Additional standard APIs from Unix and other common RTOS’s (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments (such as fork()).</p> -<p>Last Updated: 19 September 22 at 00:11</p> +<p>Last Updated: 20 September 22 at 00:15</p> <div class="toctree-wrapper compound"> <p class="caption"><span class="caption-text">Table of Contents</span></p> <ul class="current"> diff --git a/content/docs/10.0.1/index.html b/content/docs/10.0.1/index.html index ab13929..e354959 100644 --- a/content/docs/10.0.1/index.html +++ b/content/docs/10.0.1/index.html 
@@ -217,7 +217,7 @@ by following these <a class="reference internal" href="contributing/documentatio <div class="section" id="nuttx-documentation"> <h1>NuttX Documentation<a class="headerlink" href="#nuttx-documentation" title="Permalink to this headline">¶</a></h1> <p>NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 32-bit microcontroller environments, the primary governing standards in NuttX are Posix and ANSI standards. Additional standard APIs from Unix and other common RTOS’s (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments (such as fork()).</p> -<p>Last Updated: 19 September 22 at 00:11</p> +<p>Last Updated: 20 September 22 at 00:16</p> <div class="toctree-wrapper compound"> <p class="caption"><span class="caption-text">Table of Contents</span></p> <ul class="current"> diff --git a/content/docs/10.1.0/index.html b/content/docs/10.1.0/index.html index c1af796..b0e3ab6 100644 --- a/content/docs/10.1.0/index.html +++ b/content/docs/10.1.0/index.html 
@@ -217,7 +217,7 @@ by following these <a class="reference internal" href="contributing/documentatio <div class="section" id="nuttx-documentation"> <h1>NuttX Documentation<a class="headerlink" href="#nuttx-documentation" title="Permalink to this headline">¶</a></h1> <p>NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 64-bit microcontroller environments, the primary governing standards in NuttX are POSIX and ANSI standards. Additional standard APIs from Unix and other common RTOS’s (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments (such as fork()).</p> -<p>Last Updated: 19 September 22 at 00:12</p> +<p>Last Updated: 20 September 22 at 00:16</p> <div class="toctree-wrapper compound"> <p class="caption"><span class="caption-text">Table of Contents</span></p> <ul class="current"> diff --git a/content/docs/10.2.0/index.html b/content/docs/10.2.0/index.html index 1aeac72..1178397 100644 --- a/content/docs/10.2.0/index.html +++ b/content/docs/10.2.0/index.html 
@@ -218,7 +218,7 @@ by following these <a class="reference internal" href="contributing/documentatio <div class="section" id="nuttx-documentation"> <h1>NuttX Documentation<a class="headerlink" href="#nuttx-documentation" title="Permalink to this headline">¶</a></h1> <p>NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 64-bit microcontroller environments, the primary governing standards in NuttX are POSIX and ANSI standards. Additional standard APIs from Unix and other common RTOS’s (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments (such as fork()).</p> -<p>Last Updated: 19 September 22 at 00:12</p> +<p>Last Updated: 20 September 22 at 00:16</p> <div class="toctree-wrapper compound"> <p class="caption"><span class="caption-text">Table of Contents</span></p> <ul class="current"> diff --git a/content/docs/10.3.0/index.html b/content/docs/10.3.0/index.html index 1aeac72..b2b8222 100644 --- a/content/docs/10.3.0/index.html +++ b/content/docs/10.3.0/index.html 
@@ -218,7 +218,7 @@ by following these <a class="reference internal" href="contributing/documentatio <div class="section" id="nuttx-documentation"> <h1>NuttX Documentation<a class="headerlink" href="#nuttx-documentation" title="Permalink to this headline">¶</a></h1> <p>NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 64-bit microcontroller environments, the primary governing standards in NuttX are POSIX and ANSI standards. Additional standard APIs from Unix and other common RTOS’s (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments (such as fork()).</p> -<p>Last Updated: 19 September 22 at 00:12</p> +<p>Last Updated: 20 September 22 at 00:17</p> <div class="toctree-wrapper compound"> <p class="caption"><span class="caption-text">Table of Contents</span></p> <ul class="current"> diff --git a/content/docs/latest/_sources/platforms/xtensa/esp32/index.rst.txt b/content/docs/latest/_sources/platforms/xtensa/esp32/index.rst.txt index c6e2612..7cb1a25 100644 --- a/content/docs/latest/_sources/platforms/xtensa/esp32/index.rst.txt +++ b/content/docs/latest/_sources/platforms/xtensa/esp32/index.rst.txt 
@@ -368,6 +368,109 @@ A QEMU-compatible ``nuttx.merged.bin`` binary image will be created. It can be r $ qemu-system-xtensa -nographic -machine esp32 -drive file=nuttx.merged.bin,if=mtd,format=raw +Secure Boot and Flash Encryption +================================ + +Secure Boot +----------- + +Secure Boot protects a device from running any unauthorized (i.e., unsigned) code by checking that +each piece of software that is being booted is signed. On an ESP32, these pieces of software include +the second stage bootloader and each application binary. Note that the first stage bootloader does not +require signing as it is ROM code thus cannot be changed. This is achieved using specific hardware in +conjunction with MCUboot (read more about MCUboot `here <https://docs.mcuboot.com/>`_). + +The Secure Boot process on the ESP32 involves the following steps performed: + +1. The first stage bootloader verifies the second stage bootloader's RSA-PSS signature. If the verification is successful, + the first stage bootloader loads and executes the second stage bootloader. + +2. When the second stage bootloader loads a particular application image, the application's signature (RSA, ECDSA or ED25519) is verified + by MCUboot. + If the verification is successful, the application image is executed. + +.. warning:: Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only boot an + application firmware image if it has a verified digital signature. There are implications for reflashing + updated images once Secure Boot is enabled. You can find more information about the ESP32's Secure boot + `here <https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html>`_. + +.. 
note:: As the bootloader image is built on top of the Hardware Abstraction Layer component + of `ESP-IDF <https://github.com/espressif/esp-idf>`_, the + `API port by Espressif <https://docs.mcuboot.com/readme-espressif.html>`_ will be used + by MCUboot rather than the original NuttX port. + +Flash Encryption +---------------- + +Flash encryption is intended for encrypting the contents of the ESP32's off-chip flash memory. Once this feature is enabled, +firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout +of flash will not be sufficient to recover most flash contents. + +.. warning:: After enabling Flash Encryption, an encryption key is generated internally by the device and + cannot be accessed by the user for re-encrypting data and re-flashing the system, hence it will be permanently encrypted. + Re-flashing an encrypted system is complicated and not always possible. You can find more information about the ESP32's Flash Encryption + `here <https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html>`_. + +Prerequisites +------------- + +First of all, we need to install ``imgtool`` (a MCUboot utiliy application to manipulate binary images) and +``esptool`` (the ESP32 toolkit):: + + $ pip install imgtool esptool + +We also need to make sure that the python modules are added to ``PATH``:: + + $ echo "PATH=$PATH:/home/$USER/.local/bin" >> ~/.bashrc + +Now, we will create a folder to store the generated keys (such as ``~/signing_keys``):: + + $ mkdir ~/signing_keys && cd ~/signing_keys + +With all set up, we can now generate keys to sign the bootloader and application binary images, +respectively, of the compiled project:: + + $ espsecure.py generate_signing_key --version 2 bootloader_signing_key.pem + $ imgtool keygen --key app_signing_key.pem --type rsa-3072 + +.. important:: The contents of the key files must be stored securely and kept secret. 
+ +Enabling Secure Boot and Flash Encryption +----------------------------------------- + +To enable Secure Boot for the current project, go to the project's NuttX directory, execute ``make menuconfig`` and the following steps:: + +1. Enable experimental features in :menuselection:`Build Setup --> Show experimental options`; +2. Enable MCUboot in :menuselection:`Application Configuration --> Bootloader Utilities --> MCUboot`; +3. Change image type to ``MCUboot-bootable format`` in :menuselection:`System Type --> Application Image Configuration --> Application Image Format`; +4. Enable building MCUboot from the source code by selecting ``Build binaries from source``; + in :menuselection:`System Type --> Application Image Configuration --> Source for bootloader binaries`; +5. Enable Secure Boot in :menuselection:`System Type --> Application Image Configuration --> Enable hardware Secure Boot in bootloader`; +6. If you want to protect the SPI Bus against data sniffing, you can enable Flash Encryption in + :menuselection:`System Type --> Application Image Configuration --> Enable Flash Encryption on boot`. + +Now you can design an update and confirm agent to your application. Check the `MCUboot design guide <https://docs.mcuboot.com/design.html>`_ and the +`MCUboot Espressif port documentation <https://docs.mcuboot.com/readme-espressif.html>`_ for +more information on how to apply MCUboot. Also check some `notes about the NuttX MCUboot port <https://github.com/mcu-tools/mcuboot/blob/main/docs/readme-nuttx.md>`_, +the `MCUboot porting guide <https://github.com/mcu-tools/mcuboot/blob/main/docs/PORTING.md>`_ and some +`examples of MCUboot applied in Nuttx applications <https://github.com/apache/incubator-nuttx-apps/tree/master/examples/mcuboot>`_. 
+ +After you developed an application which implements all desired functions, you need to flash it into the primary image slot +of the device (it will automatically be in the confirmed state, you can learn more about image +confirmation `here <https://docs.mcuboot.com/design.html#image-swapping>`_). +To flash to the primary image slot, select ``Application image primary slot`` in +:menuselection:`System Type --> Application Image Configuration --> Target slot for image flashing` +and compile it using ``make -j ESPSEC_KEYDIR=~/signing_keys``. + +When creating update images, make sure to change :menuselection:`System Type --> Application Image Configuration --> Target slot for image flashing` +to ``Application image secondary slot``. + +.. important:: When deploying your application, make sure to disable UART Download Mode by selecting ``Permanently disabled`` in + :menuselection:`System Type --> Application Image Configuration --> UART ROM download mode` + and change usage mode to ``Release`` in `System Type --> Application Image Configuration --> Enable usage mode`. + **After disabling UART Download Mode you will not be able to flash other images through UART.** + + Things to Do ============ diff --git a/content/docs/latest/index.html b/content/docs/latest/index.html index 1aeac72..b2b8222 100644 --- a/content/docs/latest/index.html +++ b/content/docs/latest/index.html 
@@ -218,7 +218,7 @@ by following these <a class="reference internal" href="contributing/documentatio <div class="section" id="nuttx-documentation"> <h1>NuttX Documentation<a class="headerlink" href="#nuttx-documentation" title="Permalink to this headline">¶</a></h1> <p>NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 64-bit microcontroller environments, the primary governing standards in NuttX are POSIX and ANSI standards. Additional standard APIs from Unix and other common RTOS’s (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments (such as fork()).</p> -<p>Last Updated: 19 September 22 at 00:12</p> +<p>Last Updated: 20 September 22 at 00:17</p> <div class="toctree-wrapper compound"> <p class="caption"><span class="caption-text">Table of Contents</span></p> <ul class="current"> diff --git a/content/docs/latest/objects.inv b/content/docs/latest/objects.inv index 7850f53..c01d1a8 100644 Binary files a/content/docs/latest/objects.inv and b/content/docs/latest/objects.inv differ diff --git a/content/docs/latest/platforms/xtensa/esp32/boards/esp32-devkitc/index.html b/content/docs/latest/platforms/xtensa/esp32/boards/esp32-devkitc/index.html index 9dd5274..40a3716 100644 --- a/content/docs/latest/platforms/xtensa/esp32/boards/esp32-devkitc/index.html +++ b/content/docs/latest/platforms/xtensa/esp32/boards/esp32-devkitc/index.html 
@@ -148,6 +148,7 @@ <li class="toctree-l4"><a class="reference internal" href="../../index.html#wi-fi-softap">Wi-Fi SoftAP</a></li> <li class="toctree-l4"><a class="reference internal" href="../../index.html#bluetooth">Bluetooth</a></li> <li class="toctree-l4"><a class="reference internal" href="../../index.html#using-qemu">Using QEMU</a></li> +<li class="toctree-l4"><a class="reference internal" href="../../index.html#secure-boot-and-flash-encryption">Secure Boot and Flash Encryption</a></li> <li class="toctree-l4"><a class="reference internal" href="../../index.html#things-to-do">Things to Do</a></li> <li class="toctree-l4 current"><a class="reference internal" href="../../index.html#supported-boards">Supported Boards</a><ul class="current"> <li class="toctree-l5 current"><a class="current reference internal" href="#">ESP32 DevKitC</a></li> diff --git a/content/docs/latest/platforms/xtensa/esp32/boards/esp32-wrover-kit/index.html b/content/docs/latest/platforms/xtensa/esp32/boards/esp32-wrover-kit/index.html index 54bde3e..e2385de 100644 --- a/content/docs/latest/platforms/xtensa/esp32/boards/esp32-wrover-kit/index.html +++ b/content/docs/latest/platforms/xtensa/esp32/boards/esp32-wrover-kit/index.html 
@@ -148,6 +148,7 @@ <li class="toctree-l4"><a class="reference internal" href="../../index.html#wi-fi-softap">Wi-Fi SoftAP</a></li> <li class="toctree-l4"><a class="reference internal" href="../../index.html#bluetooth">Bluetooth</a></li> <li class="toctree-l4"><a class="reference internal" href="../../index.html#using-qemu">Using QEMU</a></li> +<li class="toctree-l4"><a class="reference internal" href="../../index.html#secure-boot-and-flash-encryption">Secure Boot and Flash Encryption</a></li> <li class="toctree-l4"><a class="reference internal" href="../../index.html#things-to-do">Things to Do</a></li> <li class="toctree-l4 current"><a class="reference internal" href="../../index.html#supported-boards">Supported Boards</a><ul class="current"> <li class="toctree-l5"><a class="reference internal" href="../esp32-devkitc/index.html">ESP32 DevKitC</a></li> diff --git a/content/docs/latest/platforms/xtensa/esp32/index.html b/content/docs/latest/platforms/xtensa/esp32/index.html index 4a4e3a9..faaf948 100644 --- a/content/docs/latest/platforms/xtensa/esp32/index.html +++ b/content/docs/latest/platforms/xtensa/esp32/index.html 
@@ -162,6 +162,13 @@ <li class="toctree-l4"><a class="reference internal" href="#wi-fi-softap">Wi-Fi SoftAP</a></li> <li class="toctree-l4"><a class="reference internal" href="#bluetooth">Bluetooth</a></li> <li class="toctree-l4"><a class="reference internal" href="#using-qemu">Using QEMU</a></li> +<li class="toctree-l4"><a class="reference internal" href="#secure-boot-and-flash-encryption">Secure Boot and Flash Encryption</a><ul> +<li class="toctree-l5"><a class="reference internal" href="#secure-boot">Secure Boot</a></li> +<li class="toctree-l5"><a class="reference internal" href="#flash-encryption">Flash Encryption</a></li> +<li class="toctree-l5"><a class="reference internal" href="#prerequisites">Prerequisites</a></li> +<li class="toctree-l5"><a class="reference internal" href="#enabling-secure-boot-and-flash-encryption">Enabling Secure Boot and Flash Encryption</a></li> +</ul> +</li> <li class="toctree-l4"><a class="reference internal" href="#things-to-do">Things to Do</a></li> <li class="toctree-l4"><a class="reference internal" href="#supported-boards">Supported Boards</a><ul> <li class="toctree-l5"><a class="reference internal" href="boards/esp32-devkitc/index.html">ESP32 DevKitC</a></li> 
@@ -951,6 +958,112 @@ and place them in a directory, say <code class="docutils literal notranslate"><s </pre></div> </div> </div> +<div class="section" id="secure-boot-and-flash-encryption"> +<h2>Secure Boot and Flash Encryption<a class="headerlink" href="#secure-boot-and-flash-encryption" title="Permalink to this headline">¶</a></h2> +<div class="section" id="secure-boot"> +<h3>Secure Boot<a class="headerlink" href="#secure-boot" title="Permalink to this headline">¶</a></h3> +<p>Secure Boot protects a device from running any unauthorized (i.e., unsigned) code by checking that +each piece of software that is being booted is signed. On an ESP32, these pieces of software include +the second stage bootloader and each application binary. Note that the first stage bootloader does not +require signing as it is ROM code thus cannot be changed. This is achieved using specific hardware in +conjunction with MCUboot (read more about MCUboot <a class="reference external" href="https://docs.mcuboot.com/">here</a>).</p> +<p>The Secure Boot process on the ESP32 involves the following steps performed:</p> +<ol class="arabic simple"> +<li><p>The first stage bootloader verifies the second stage bootloader’s RSA-PSS signature. If the verification is successful, +the first stage bootloader loads and executes the second stage bootloader.</p></li> +<li><p>When the second stage bootloader loads a particular application image, the application’s signature (RSA, ECDSA or ED25519) is verified +by MCUboot. +If the verification is successful, the application image is executed.</p></li> +</ol> +<div class="admonition warning"> +<p class="admonition-title">Warning</p> +<p>Once enabled, Secure Boot will not boot a modified bootloader. The bootloader will only boot an +application firmware image if it has a verified digital signature. There are implications for reflashing +updated images once Secure Boot is enabled. 
You can find more information about the ESP32’s Secure boot +<a class="reference external" href="https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html">here</a>.</p> +</div> +<div class="admonition note"> +<p class="admonition-title">Note</p> +<p>As the bootloader image is built on top of the Hardware Abstraction Layer component +of <a class="reference external" href="https://github.com/espressif/esp-idf">ESP-IDF</a>, the +<a class="reference external" href="https://docs.mcuboot.com/readme-espressif.html">API port by Espressif</a> will be used +by MCUboot rather than the original NuttX port.</p> +</div> +</div> +<div class="section" id="flash-encryption"> +<h3>Flash Encryption<a class="headerlink" href="#flash-encryption" title="Permalink to this headline">¶</a></h3> +<p>Flash encryption is intended for encrypting the contents of the ESP32’s off-chip flash memory. Once this feature is enabled, +firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout +of flash will not be sufficient to recover most flash contents.</p> +<div class="admonition warning"> +<p class="admonition-title">Warning</p> +<p>After enabling Flash Encryption, an encryption key is generated internally by the device and +cannot be accessed by the user for re-encrypting data and re-flashing the system, hence it will be permanently encrypted. +Re-flashing an encrypted system is complicated and not always possible. 
You can find more information about the ESP32’s Flash Encryption +<a class="reference external" href="https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html">here</a>.</p> +</div> +</div> +<div class="section" id="prerequisites"> +<h3>Prerequisites<a class="headerlink" href="#prerequisites" title="Permalink to this headline">¶</a></h3> +<p>First of all, we need to install <code class="docutils literal notranslate"><span class="pre">imgtool</span></code> (a MCUboot utiliy application to manipulate binary images) and +<code class="docutils literal notranslate"><span class="pre">esptool</span></code> (the ESP32 toolkit):</p> +<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ pip install imgtool esptool +</pre></div> +</div> +<p>We also need to make sure that the python modules are added to <code class="docutils literal notranslate"><span class="pre">PATH</span></code>:</p> +<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ echo "PATH=$PATH:/home/$USER/.local/bin" >> ~/.bashrc +</pre></div> +</div> +<p>Now, we will create a folder to store the generated keys (such as <code class="docutils literal notranslate"><span class="pre">~/signing_keys</span></code>):</p> +<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ mkdir ~/signing_keys && cd ~/signing_keys +</pre></div> +</div> +<p>With all set up, we can now generate keys to sign the bootloader and application binary images, +respectively, of the compiled project:</p> +<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ espsecure.py generate_signing_key --version 2 bootloader_signing_key.pem +$ imgtool keygen --key app_signing_key.pem --type rsa-3072 +</pre></div> +</div> +<div class="admonition important"> +<p class="admonition-title">Important</p> +<p>The contents of the key files must be stored securely and kept secret.</p> +</div> +</div> +<div 
class="section" id="enabling-secure-boot-and-flash-encryption"> +<h3>Enabling Secure Boot and Flash Encryption<a class="headerlink" href="#enabling-secure-boot-and-flash-encryption" title="Permalink to this headline">¶</a></h3> +<p>To enable Secure Boot for the current project, go to the project’s NuttX directory, execute <code class="docutils literal notranslate"><span class="pre">make</span> <span class="pre">menuconfig</span></code> and the following steps:</p> +<ol class="arabic simple"> +<li><p>Enable experimental features in <span class="menuselection">Build Setup ‣ Show experimental options</span>;</p></li> +<li><p>Enable MCUboot in <span class="menuselection">Application Configuration ‣ Bootloader Utilities ‣ MCUboot</span>;</p></li> +<li><p>Change image type to <code class="docutils literal notranslate"><span class="pre">MCUboot-bootable</span> <span class="pre">format</span></code> in <span class="menuselection">System Type ‣ Application Image Configuration ‣ Application Image Format</span>;</p></li> +<li><p>Enable building MCUboot from the source code by selecting <code class="docutils literal notranslate"><span class="pre">Build</span> <span class="pre">binaries</span> <span class="pre">from</span> <span class="pre">source</span></code>; +in <span class="menuselection">System Type ‣ Application Image Configuration ‣ Source for bootloader binaries</span>;</p></li> +<li><p>Enable Secure Boot in <span class="menuselection">System Type ‣ Application Image Configuration ‣ Enable hardware Secure Boot in bootloader</span>;</p></li> +<li><p>If you want to protect the SPI Bus against data sniffing, you can enable Flash Encryption in +<span class="menuselection">System Type ‣ Application Image Configuration ‣ Enable Flash Encryption on boot</span>.</p></li> +</ol> +<p>Now you can design an update and confirm agent to your application. 
Check the <a class="reference external" href="https://docs.mcuboot.com/design.html">MCUboot design guide</a> and the +<a class="reference external" href="https://docs.mcuboot.com/readme-espressif.html">MCUboot Espressif port documentation</a> for +more information on how to apply MCUboot. Also check some <a class="reference external" href="https://github.com/mcu-tools/mcuboot/blob/main/docs/readme-nuttx.md">notes about the NuttX MCUboot port</a>, +the <a class="reference external" href="https://github.com/mcu-tools/mcuboot/blob/main/docs/PORTING.md">MCUboot porting guide</a> and some +<a class="reference external" href="https://github.com/apache/incubator-nuttx-apps/tree/master/examples/mcuboot">examples of MCUboot applied in Nuttx applications</a>.</p> +<p>After you developed an application which implements all desired functions, you need to flash it into the primary image slot +of the device (it will automatically be in the confirmed state, you can learn more about image +confirmation <a class="reference external" href="https://docs.mcuboot.com/design.html#image-swapping">here</a>). 
+To flash to the primary image slot, select <code class="docutils literal notranslate"><span class="pre">Application</span> <span class="pre">image</span> <span class="pre">primary</span> <span class="pre">slot</span></code> in +<span class="menuselection">System Type ‣ Application Image Configuration ‣ Target slot for image flashing</span> +and compile it using <code class="docutils literal notranslate"><span class="pre">make</span> <span class="pre">-j</span> <span class="pre">ESPSEC_KEYDIR=~/signing_keys</span></code>.</p> +<p>When creating update images, make sure to change <span class="menuselection">System Type ‣ Application Image Configuration ‣ Target slot for image flashing</span> +to <code class="docutils literal notranslate"><span class="pre">Application</span> <span class="pre">image</span> <span class="pre">secondary</span> <span class="pre">slot</span></code>.</p> +<div class="admonition important"> +<p class="admonition-title">Important</p> +<p>When deploying your application, make sure to disable UART Download Mode by selecting <code class="docutils literal notranslate"><span class="pre">Permanently</span> <span class="pre">disabled</span></code> in +<span class="menuselection">System Type ‣ Application Image Configuration ‣ UART ROM download mode</span> +and change usage mode to <code class="docutils literal notranslate"><span class="pre">Release</span></code> in <cite>System Type –> Application Image Configuration –> Enable usage mode</cite>. +<strong>After disabling UART Download Mode you will not be able to flash other images through UART.</strong></p> +</div> +</div> +</div> <div class="section" id="things-to-do"> <h2>Things to Do<a class="headerlink" href="#things-to-do" title="Permalink to this headline">¶</a></h2> <ol class="arabic"> diff --git a/content/docs/latest/searchindex.js b/content/docs/latest/searchindex.js index b966ed5..225cc7d 100644 --- a/content/docs/latest/searchindex.js +++ b/content/docs/latest/searchindex.js 
@@ -1 +1 @@ -Search.setIndex({docnames:["applications/index","applications/nsh/builtin","applications/nsh/commands","applications/nsh/config","applications/nsh/customizing","applications/nsh/index","applications/nsh/installation","applications/nsh/login","applications/nsh/nsh","components/binfmt","components/drivers/block/index","components/drivers/character/analog","components/drivers/character/can","components/drivers/character/foc","components/drivers/character/index","components/drivers/character [...] \ No newline at end of file +Search.setIndex({docnames:["applications/index","applications/nsh/builtin","applications/nsh/commands","applications/nsh/config","applications/nsh/customizing","applications/nsh/index","applications/nsh/installation","applications/nsh/login","applications/nsh/nsh","components/binfmt","components/drivers/block/index","components/drivers/character/analog","components/drivers/character/can","components/drivers/character/foc","components/drivers/character/index","components/drivers/character [...] \ No newline at end of file diff --git a/content/feed.xml b/content/feed.xml index c7f9596..244f210 100644 --- a/content/feed.xml +++ b/content/feed.xml @@ -5,8 +5,8 @@ <description></description> <link>/</link> <atom:link href="/feed.xml" rel="self" type="application/rss+xml"/> - <pubDate>Mon, 19 Sep 2022 00:14:05 +0000</pubDate> - <lastBuildDate>Mon, 19 Sep 2022 00:14:05 +0000</lastBuildDate> + <pubDate>Tue, 20 Sep 2022 00:18:22 +0000</pubDate> + <lastBuildDate>Tue, 20 Sep 2022 00:18:22 +0000</lastBuildDate> <generator>Jekyll v3.8.5</generator> <item>
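Review bot: In the Prerequisites part of the `content/docs/latest/_sources/platforms/xtensa/esp32/index.rst.txt` hunk, `mkdir ~/signing_keys` creates the directory for both private signing keys with whatever permissions the default umask gives, and the only guidance is the later "must be stored securely and kept secret" admonition. Show a concrete step instead, for example `mkdir -m 700 ~/signing_keys`, and say that the key files should be readable only by their owner. In the same section, `echo "PATH=$PATH:/home/$USER/.local/bin" >> ~/.bashrc` expands `$PATH` and `$USER` at the moment it is typed, so the current PATH is frozen into `.bashrc`, and it assumes the home directory lives under `/home`; single-quoting the line and using `$HOME/.local/bin` avoids both. Under "Enabling Secure Boot and Flash Encryption", the sentence ending `and the following steps::` puts the literal-block marker `::` in front of an unindented numbered list; a single colon is what is meant there.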
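Review bot: In the final "Important" admonition of the `content/docs/latest/platforms/xtensa/esp32/index.html` hunk, the usage-mode path renders as `<cite>System Type –> Application Image Configuration –> Enable usage mode</cite>`, while every other menu path in the section is a `<span class="menuselection">` with `‣` separators. The source line uses plain backticks and needs the `:menuselection:` role, after which the page should be regenerated rather than edited by hand. Two more defects are visible in the rendered text and should be fixed in the source as well: step 4 carries a stray semicolon after `Build binaries from source`, before "in System Type ‣ ...", and the Prerequisites paragraph reads "a MCUboot utiliy application" where "an MCUboot utility application" is meant. The intro sentence under the "Enabling Secure Boot and Flash Encryption" heading also names only Secure Boot, although step 6 of the same list enables Flash Encryption.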