secure boot: Derive secure bootloader key from private key

Means only one key needs to be managed.

components/bootloader/Kconfig.projbuild

@@ -54,29 +54,14 @@ config SECURE_BOOTLOADER_ONE_TIME_FLASH
 config SECURE_BOOTLOADER_REFLASHABLE
     bool "Reflashable"
     help
-        Generate the bootloader digest key on the computer instead of inside
-        the chip. Allows the secure bootloader to be re-flashed by using the
-        same key.
+        Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key.
 
-        This option is less secure than one-time flash, because a leak of the digest key allows reflashing of any device that uses it.
+		This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing key.
+
+        This option is less secure than one-time flash, because a leak of the digest key from one device allows reflashing of any device that uses it.
 
 endchoice
 
-config SECURE_BOOTLOADER_KEY_FILE
-    string "Secure bootloader key file"
-    depends on SECURE_BOOTLOADER_REFLASHABLE
-    default secure_boot_key.bin
-    help
-       Path to the key file for a reflashable secure bootloader digest.
-       File must contain 32 randomly generated bytes.
-
-       Path is evaluated relative to the project directory.
-
-       You can generate a new key by running the following command:
-       espsecure.py generate_key secure_boot_key.bin
-
-       See docs/security/secure-boot.rst for details.
-
 config SECURE_BOOT_SIGNING_KEY
      string "Secure boot signing key"
 	 depends on SECURE_BOOTLOADER_ENABLED

components/bootloader/Makefile.projbuild

@@ -15,8 +15,7 @@ BOOTLOADER_BUILD_DIR=$(abspath $(BUILD_DIR_BASE)/bootloader)
 BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin
 BOOTLOADER_SDKCONFIG=$(BOOTLOADER_BUILD_DIR)/sdkconfig
 
-# both signing key paths are resolved relative to the project directory
-SECURE_BOOTLOADER_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOTLOADER_KEY_FILE)))
+# signing key path is resolved relative to the project directory
 SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY)))
 export SECURE_BOOT_SIGNING_KEY  # used by bootloader_support component
 
@@ -31,10 +30,6 @@ BOOTLOADER_MAKE=+$(MAKE) -C $(BOOTLOADER_COMPONENT_PATH)/src \
 $(BOOTLOADER_BIN): | $(BOOTLOADER_BUILD_DIR)/sdkconfig
 	$(Q) $(BOOTLOADER_MAKE) $@
 
-bootloader-clean:
-	$(Q) $(BOOTLOADER_MAKE) app-clean config-clean
-	$(Q) rm -f $(BOOTLOADER_SDKCONFIG) $(BOOTLOADER_SDKCONFIG).old
-
 clean: bootloader-clean
 
 ifdef CONFIG_SECURE_BOOTLOADER_DISABLED
@@ -66,7 +61,11 @@ else ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE
 # Reflashable secure bootloader
 # generates a digest binary (bootloader + digest)
 
-BOOTLOADER_DIGEST_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
+BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
+SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key.bin
+
+$(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY)
+	$(Q) $(ESPSECUREPY) digest_private_key -k $< $@
 
 bootloader: $(BOOTLOADER_DIGEST_BIN)
 	@echo $(SEPARATOR)
@@ -84,20 +83,16 @@ $(BOOTLOADER_DIGEST_BIN): $(BOOTLOADER_BIN) $(SECURE_BOOTLOADER_KEY)
 	@echo "DIGEST $(notdir $@)"
 	$(Q) $(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $<
 
-$(SECURE_BOOTLOADER_KEY):
-	@echo $(SEPARATOR)
-	@echo "Need to generate secure boot signing key. Run following command:"
-	@echo "$(ESPSECUREPY) generate_key $@"
-	@echo "Keep key file safe after generating."
-	@echo "(See secure boot documentation for caveats & alternatives.)")
-	@exit 1
-
 else
 bootloader:
 	@echo "Invalid bootloader target: bad sdkconfig?"
 	@exit 1
 endif
 
+bootloader-clean:
+	$(Q) $(BOOTLOADER_MAKE) app-clean config-clean
+	$(Q) rm -f $(BOOTLOADER_SDKCONFIG) $(BOOTLOADER_SDKCONFIG).old $(SECURE_BOOTLOADER_KEY) $(BOOTLOADER_DIGEST_BIN)
+
 all_binaries: $(BOOTLOADER_BIN)
 
 # synchronise the project level config to the bootloader's

components/bootloader_support/Makefile.projbuild

@@ -1,3 +0,0 @@
-# projbuild file for bootloader support
-# (included in bootloader & main app)
-

components/bootloader_support/component.mk

@@ -17,10 +17,9 @@ COMPONENT_SRCDIRS := src
 #
 ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
 
+# this path is created relative to the component build directory
 SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)
 
-COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)
-
 $(SECURE_BOOT_SIGNING_KEY):
 	@echo "Need to generate secure boot signing key."
 	@echo "One way is to run this command:"
@@ -31,6 +30,11 @@ $(SECURE_BOOT_SIGNING_KEY):
 
 $(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY)
 	$(ESPSECUREPY) extract_public_key --keyfile $< $@
+
+COMPONENT_EXTRA_CLEAN += $(SECURE_BOOT_VERIFICATION_KEY)
+
+COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)
+
 endif
 
 include $(IDF_PATH)/make/component_common.mk

components/esptool_py/esptool

@@ -1 +1 @@
-Subproject commit 68ed7c7a4e4409899f10dddda1e02b20e5cb32f0
+Subproject commit 98e5dbfa78fa53cebcb4c56530e683f889bf21c3

make/project.mk

@@ -306,6 +306,9 @@ app-clean: $(addsuffix -clean,$(notdir $(COMPONENT_PATHS_BUILDABLE)))
 	$(summary) RM $(APP_ELF)
 	$(Q) rm -f $(APP_ELF) $(APP_BIN) $(APP_MAP)
 
-clean: app-clean
+# NB: this ordering is deliberate (app-clean before config-clean),
+# so config remains valid during all component clean targets
+config-clean: app-clean
+clean: config-clean
 
 

make/project_config.mk

@@ -59,7 +59,6 @@ $(AUTO_CONF_REGEN_TARGET) $(BUILD_DIR_BASE)/include/sdkconfig.h: $(SDKCONFIG) $(
 # sometimes you can get an infinite make loop on Windows where sdkconfig always gets regenerated newer
 # than the target(!)
 
-clean: config-clean
 .PHONY: config-clean
 config-clean:
 	$(summary RM CONFIG)