Merge branch 'feat/config_to_flash_bootloader_when_sbv2_is_enabled' into 'master'
Add a config option to flash the bootloader with the command `idf.py flash` when Secure Boot V2 is enabled. See merge request espressif/esp-idf!23848
This commit is contained in:
commit
903af13e84
@ -7,8 +7,9 @@ endif()
|
|||||||
|
|
||||||
add_dependencies(bootloader partition_table_bin)
|
add_dependencies(bootloader partition_table_bin)
|
||||||
|
|
||||||
# When secure boot is enabled, do not flash bootloader along with invocation of `idf.py flash`
|
# When secure boot is enabled and CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is not enabled
|
||||||
if(NOT CONFIG_SECURE_BOOT)
|
# do not flash the bootloader along with the other artifacts using the command `idf.py flash`
|
||||||
|
if(NOT CONFIG_SECURE_BOOT OR CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT)
|
||||||
set(flash_bootloader FLASH_IN_PROJECT)
|
set(flash_bootloader FLASH_IN_PROJECT)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
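Review bot: The new condition `if(NOT CONFIG_SECURE_BOOT OR CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT)` relies on the option's Kconfig `depends on SECURE_BOOT_V2_ENABLED && SECURE_BOOT_BUILD_SIGNED_BINARIES` to guarantee that the image attached to the project flash target is the signed bootloader, but nothing at this site says so, and the two comment lines above it read as one unfinished sentence. I would replace them with `# With secure boot, the bootloader is only flashed by 'idf.py flash' when CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is set; that option requires signed-binary builds (see its Kconfig depends), so the image written here is the signed bootloader.` The same condition is repeated without any comment on the `if(...)` of the next hunk (`@ -18,7 +19,7`); a one-line comment there pointing back to this one would keep the two in sync. Both hunks appear to come from the same CMake file, whose header is not visible in this view.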
@ -18,7 +19,7 @@ esptool_py_flash_target_image(bootloader-flash bootloader
|
|||||||
"${BOOTLOADER_BUILD_DIR}/bootloader.bin")
|
"${BOOTLOADER_BUILD_DIR}/bootloader.bin")
|
||||||
|
|
||||||
# Also attach an image to the project flash target
|
# Also attach an image to the project flash target
|
||||||
if(NOT CONFIG_SECURE_BOOT)
|
if(NOT CONFIG_SECURE_BOOT OR CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT)
|
||||||
esptool_py_flash_target_image(flash bootloader
|
esptool_py_flash_target_image(flash bootloader
|
||||||
${CONFIG_BOOTLOADER_OFFSET_IN_FLASH}
|
${CONFIG_BOOTLOADER_OFFSET_IN_FLASH}
|
||||||
"${BOOTLOADER_BUILD_DIR}/bootloader.bin")
|
"${BOOTLOADER_BUILD_DIR}/bootloader.bin")
|
||||||
|
@ -737,6 +737,23 @@ menu "Security features"
|
|||||||
This can lead to permanent bricking of the device, in case all keys are revoked
|
This can lead to permanent bricking of the device, in case all keys are revoked
|
||||||
because of signature verification failure.
|
because of signature verification failure.
|
||||||
|
|
||||||
|
config SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT
|
||||||
|
bool "Flash bootloader along with other artifacts when using the default flash command"
|
||||||
|
depends on SECURE_BOOT_V2_ENABLED && SECURE_BOOT_BUILD_SIGNED_BINARIES
|
||||||
|
default N
|
||||||
|
help
|
||||||
|
When Secure Boot V2 is enabled, by default the bootloader is not flashed along with other artifacts
|
||||||
|
like the application and the partition table images, i.e. bootloader has to be seperately flashed
|
||||||
|
using the command `idf.py bootloader flash`, whereas, the application and partition table can be flashed
|
||||||
|
using the command `idf.py flash` itself.
|
||||||
|
Enabling this option allows flashing the bootloader along with the other artifacts
|
||||||
|
by invocation of the command `idf.py flash`.
|
||||||
|
|
||||||
|
If this option is enabled make sure that even the bootloader is signed using the correct secure boot key,
|
||||||
|
otherwise the bootloader signature verification would fail, as hash of the public key which is present in
|
||||||
|
the bootloader signature would not match with the digest stored into the efuses
|
||||||
|
and thus the device will not be able to boot up.
|
||||||
|
|
||||||
choice SECURE_BOOTLOADER_KEY_ENCODING
|
choice SECURE_BOOTLOADER_KEY_ENCODING
|
||||||
bool "Hardware Key Encoding"
|
bool "Hardware Key Encoding"
|
||||||
depends on SECURE_BOOTLOADER_REFLASHABLE
|
depends on SECURE_BOOTLOADER_REFLASHABLE
|
||||||
|
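Review bot: `default N` on the new `SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT` symbol uses an uppercase constant; Kconfig's boolean constants are lowercase, and an uppercase `N` is likely parsed as a reference to an undefined symbol that only happens to evaluate to n, so it should read `default n`. The help text has a typo, `seperately` → `separately`, and the sentence `If this option is enabled make sure that even the bootloader is signed using the correct secure boot key` understates what the `depends on` line already guarantees: the build signs the bootloader, so the real requirement is that the signing key matches the digest burned into eFuse, which is the failure case the following lines describe. Since `idf.py flash` will now rewrite the bootloader on every invocation, the help should also state that a bootloader signed with a wrong or revoked key is written automatically rather than only by an explicit `idf.py bootloader flash`.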
@ -202,7 +202,11 @@ elseif(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
|
|||||||
"* Not recommended to re-use the same secure boot keyfile on multiple production devices."
|
"* Not recommended to re-use the same secure boot keyfile on multiple production devices."
|
||||||
DEPENDS gen_secure_bootloader_key gen_bootloader_digest_bin
|
DEPENDS gen_secure_bootloader_key gen_bootloader_digest_bin
|
||||||
VERBATIM)
|
VERBATIM)
|
||||||
elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND (CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_IDF_TARGET_ESP32C3))
|
elseif(
|
||||||
|
CONFIG_SECURE_BOOT_V2_ENABLED AND
|
||||||
|
(CONFIG_SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS GREATER 1) AND
|
||||||
|
NOT CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT
|
||||||
|
)
|
||||||
add_custom_command(TARGET bootloader.elf POST_BUILD
|
add_custom_command(TARGET bootloader.elf POST_BUILD
|
||||||
COMMAND ${CMAKE_COMMAND} -E echo
|
COMMAND ${CMAKE_COMMAND} -E echo
|
||||||
"=============================================================================="
|
"=============================================================================="
|
||||||
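Review bot: The post-build banner branch now has three conjuncts, but no comment explains why `NOT CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT` suppresses it, and replacing the `CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_IDF_TARGET_ESP32C3` check with `(CONFIG_SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS GREATER 1)` widens this branch to every target with more than one key digest, which the commit description does not mention — worth confirming that is intended. I would add above the `elseif(` line: `# These instructions tell the user how to flash the signed bootloader by hand; skip them when CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is set, because 'idf.py flash' then writes it with the other images.` The same `NOT CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT` guard is added to the single-digest `elseif` of the next hunk (`@ -221,7 +225,7`) and deserves the same comment. Note that `GREATER` on an unset `CONFIG_SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS` evaluates false, so a target whose SoC caps omit that value falls through to the single-digest branch; if that is not acceptable, test `DEFINED` first. The `if`/`elseif` chain these branches belong to starts before the hunk.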
@ -221,7 +225,7 @@ elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND (CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_ID
|
|||||||
"=============================================================================="
|
"=============================================================================="
|
||||||
DEPENDS gen_signed_bootloader
|
DEPENDS gen_signed_bootloader
|
||||||
VERBATIM)
|
VERBATIM)
|
||||||
elseif(CONFIG_SECURE_BOOT_V2_ENABLED)
|
elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND NOT CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT)
|
||||||
add_custom_command(TARGET bootloader.elf POST_BUILD
|
add_custom_command(TARGET bootloader.elf POST_BUILD
|
||||||
COMMAND ${CMAKE_COMMAND} -E echo
|
COMMAND ${CMAKE_COMMAND} -E echo
|
||||||
"=============================================================================="
|
"=============================================================================="
|
||||||
|