and all ECDSA to be disabled if secure boot is not enabled
Previously if ECDSA disabled in config then secure_boot_signatures.c would
fail to build (whether or not secure boot was enabled).
To avoid breaking apps that might be using the signature scheme with custom OTA
without enabling secure boot signatures in config, this change just disables
this functionality if unavailable in mbedTLS config.
Possible fix for root cause of https://github.com/espressif/esp-idf/pull/3703
This saves time when waking up from deep sleep, but potentially decreases
the security of the system. If the application able to modify itself
(especially areas that are loaded into RAM) in flash while running
without crashing or is modifies the cached bits of information about
what was last booted from the bootloader, this could cause security
issues if the user does a "deep sleep reset" since the full validation
is skipped.
Signed-off-by: Tim Nordell <tim.nordell@nimbelink.com>
Do not include bootloader in flash target when secure boot is enabled.
Emit signing warning on all cases where signed apps are enabled (secure
boot and signed images)
Follow convention of capital letters for SECURE_BOOT_SIGNING_KEY variable, since it is
relevant to other components, not just bootloader.
Pass signing key and verification key via config, not requiring
bootloader to know parent app dir.
Misc. variables name corrections
This MR improves existing flash encryption document to provide simplified steps
Adds two new modes for user: Development & Release
Adds a simple example
Supports encrypted write through make command
esptool_py defines command `esptool_py_flash_project_args` that
generates arg file for esptool.py. Two of the arguments are the offset
and image, which are not being used when a template file is given.
This commit makes variables OFFSET and IMAGE available to the template
file, which will holds the value of the offset and image arguments to
`esptool_py_flash_project_args`.
!4452 used setting LINK_LIBRARIES and INTERFACE_LINK_LIBRARIES to link
components built under ESP-IDF build system. However, LINK_LIBRARIES does
not produce behavior same as linking PRIVATE. This MR uses the new
signature for target_link_libraries directly instead. This also moves
setting dependencies during component registration rather than after all
components have been processed.
The consequence is that internally, components have to use the new
signature form as well. This does not affect linking the components to
external targets, such as with idf_as_lib example. This only affects
linking additional libraries to ESP-IDF libraries outside component processing (after
idf_build_process), which is not even possible for CMake<v3.13 as
target_link_libraries is not valid for targets not created in current
directory. See https://cmake.org/cmake/help/v3.13/policy/CMP0079.html#policy:CMP0079
Removes the need to know/guess the paths to these libraries. Once we are gcc 8 only, we
can remove -nostdlib and no additional arguments are needed for system libraries.
The catch is: any time IDF overrides a symbol in the toolchain sysroot, we need
an undefined linker marker to make sure this symbol is seen by linker.
Issue is that when users creates a custom bootloader from
$IDF_PATH/components/bootloader. Parent project build uses the copy but
bootloader subproject build uses the original still. The issue is solved
by passing the custom bootloader as extra component directory so
bootloader build knows to use the new copy (itself) in the build.
This MR removes the common dependency from every IDF components to the SOC component.
Currently, in the ``idf_functions.cmake`` script, we include the header path of SOC component by default for all components.
But for better code organization (or maybe also benifits to the compiling speed), we may remove the dependency to SOC components for most components except the driver and kernel related components.
In CMAKE, we have two kinds of header visibilities (set by include path visibility):
(Assume component A --(depends on)--> B, B is the current component)
1. public (``COMPONENT_ADD_INCLUDEDIRS``): means this path is visible to other depending components (A) (visible to A and B)
2. private (``COMPONENT_PRIV_INCLUDEDIRS``): means this path is only visible to source files inside the component (visible to B only)
and we have two kinds of depending ways:
(Assume component A --(depends on)--> B --(depends on)--> C, B is the current component)
1. public (```COMPONENT_REQUIRES```): means B can access to public include path of C. All other components rely on you (A) will also be available for the public headers. (visible to A, B)
2. private (``COMPONENT_PRIV_REQUIRES``): means B can access to public include path of C, but don't propagate this relation to other components (A). (visible to B)
1. remove the common requirement in ``idf_functions.cmake``, this makes the SOC components invisible to all other components by default.
2. if a component (for example, DRIVER) really needs the dependency to SOC, add a private dependency to SOC for it.
3. some other components that don't really depends on the SOC may still meet some errors saying "can't find header soc/...", this is because it's depended component (DRIVER) incorrectly include the header of SOC in its public headers. Moving all this kind of #include into source files, or private headers
4. Fix the include requirements for some file which miss sufficient #include directives. (Previously they include some headers by the long long long header include link)
This is a breaking change. Previous code may depends on the long include chain.
You may need to include the following headers for some files after this commit:
- soc/soc.h
- soc/soc_memory_layout.h
- driver/gpio.h
- esp_sleep.h
The major broken include chain includes:
1. esp_system.h no longer includes esp_sleep.h. The latter includes driver/gpio.h and driver/touch_pad.h.
2. ets_sys.h no longer includes soc/soc.h
3. freertos/portmacro.h no longer includes soc/soc_memory_layout.h
some peripheral headers no longer includes their hw related headers, e.g. rom/gpio.h no longer includes soc/gpio_pins.h and soc/gpio_reg.h
BREAKING CHANGE
1. separate rom include files and linkscript to esp_rom
2. modefiy "include rom/xxx.h" to "include esp32/rom/xxx.h"
3. Forward compatible
4. update mqtt
Added:
* set a secure version in app/bootloader.
* description anti-rollback to ota part
* emulate the secure_version write and read operations
* efuse_em partition.
* a description about a rollback for native_ota_example.
Closes: TW26335
In some cases, linker could choose to use ROM functions instead of the
ones defined in IDF.
For functions used in ROM stub table, this would lead to infinite
recursion when the corresponding function was called from ROM.
For crypto functions, some of these were modified in IDF, and
incompatible with ROM counterparts.
It is possible to utilize some of the routines related to otadata
partition validation, after firmware image is downloaded to RAM. Hence
these routines should be part of app cpu cache, so that they do not
get overwritten by firmware.
Signed-off-by: Mahavir Jain <mahavir@espressif.com>
Allows OTA updates to be secured via signature checks, without requiring the overhead or complexity
of a full secure boot implementation.
Uses same signing mechanisms (build system and/or espsecure.py as Secure Boot).
Requires:
* [ ] More testing
* [ ] Documentation
* Fixes some "noreturn" functions in bootloader utils which did return (causing fatal CPU
exceptions).
* Marks bootloader entry as "noreturn", preventing "user code done" from stalling boot
Partial fix for https://github.com/espressif/esp-idf/issues/1814 TW20016
(Comprehensive fix for this issue will be enabling WDT during bootloader, coming shortly.)
Because address space is mapped in 64KB pages, it was possible for unauthenticated data after the
app .bin to become mapped into the flash cache address space.
This problem is solved by 2 changes:
* "esptool elf2image --secure-pad" will pad the image so that the signature block ends close to the
64KB boundary. Due to alignment constraints it will be 12 bytes too short after signing (but
with flash encryption, these 12 bytes are still encrypted as part of the last block and can't be
arbitrarily changed).
* By default, secure boot now requires all app partitions to be a multiple of 64KB in size.
When 2nd stage bootloader loads the ROM bootloader, it prints a
message similar to "entry 0x40080xxx", which idf_monitor decodes
(using application ELF file) as one of the reset vectors (xxx is <
400h). This moves the iram_seg of bootloader 1k up to prevent overlap
of bootloader .text and application vectors, making the output look
nicer. There is still a chance that the entry point decodes as some
symbol in application ELF file, but at least it won't have
"Exception" in its name.
Allows you to move the partition table, it gives more space for the bootloader.
Added a new utility - parttool.py. This utility can search for the offset and/or size of the partitions by name and type/subtype. Use for getting APP_OFFSET and PHY_DATA_OFFSET.
The linker(esp32.bootloader.ld) made changes that allow you to write a custom bootloader code more.
TW14125
Added feature:
- reset firmware to Factory app.(by long pressing of the button)
- boot Test app. (by long pressing of the button)
- Added feature erase data partitions from factory reset.
TW10281
TW10280
Refactor IDF "project" functionality under a wrapping of the default
"project" command, so we can tweak it a bit...
Will need more testing in other environments.
Need to make the bootloader modular so that users can redefine its functional part.
- refactoring and moving functions to the bootloader_support component
- Changed function to `void` bootloader_utility_load_image(...);
TW19596
This commit adds support for CPU max freqeuency rating
bits in CPU. Bootloader will now print an error if attempting
to 160MHz rated ESP32 at 240MHz.
EFUSE_CHIP_VER_RESERVE has been replaced by the
frequency rating bits. Dependancies on EFUSE_CHIP_VER_RESERVE
have been changed to use EFUSE_CHIP_VER_PKG
Since 9a8c0392, XTAL frequency is set to 40MHz by default, and users
of 26MHz boards need to select 26MHz manually. Most users are not aware
of this change, and existing getting started guides do not mention that
XTAL frequency needs to be set for some boards. So users are left with
garbage output from UART without any clue what to check.
This change adds a warning in case specific XTAL frequency was set, and
it does not match automatically detected one. This should help users
fix the issue.
Fix warnings where undefined vars are used.
Make Kconfig emit "FOO=" for unset bool options
To ensure make variables are always defined, even if empty.
When writing auto.conf, include symbols disabled by dependency to make sure all make variables are always defined.
Fixesespressif/esp-idf#137
Cherry-picked from https://github.com/espressif/esp-idf/pull/138
Regression introduced in 43e231c.
Thanks to @yanbe for pointing out issue in https://github.com/espressif/esp-idf/pull/955
This is a different fix, tries to keep the behaviour that 43e231c was aiming to correct (unnecessarily testing an
invalid slot more than once.)
Makes app image booting more reliable (256-bit rather than 8-bit verification.)
Some measurements, time to boot a 655KB app.bin file and run to app_main() execution.
(All for rev 1 silicon, ie no 340ms spurious WDT delay.)
80MHz QIO mode:
before = 300ms
after = 140ms
40MHz DIO mode:
before = 712ms
after = 577ms
40MHz DIO mode, secure boot enabled
before = 1380ms
after = 934ms
(Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.)
For config-only components, component.mk should now contain "COMPONENT_CONFIG_ONLY := 1"
Also refactored some of the generation of linker paths, library list. This required cleaning up the way the bootloader
project works, it's now mostly independent from the parent.
Currently the last 128KB of DRAM is reserved for the bootloader & early boot stacks. This means if >192KB of static DRAM
is allocated, the only available heap is this region - which is disabled until the scheduler starts. As a result, you
get either heap corruption on early boot if the static data overlaps startup heap (leading to very weird errors), or
FreeRTOS will fail to start when it can't malloc() anything.
Long term fix is to move the stacks & bootloader data to the very end of RAM, and only reserve that part for early
boot. This is a little fiddly because of also wanting to make sure this memory is not preemptively fragmented when it
gets reintroduced to the heap. This will become more important if/when we have more static allocation options in the
future.
For now, these errors make it clear why the boot has failed.
Ref TW13909
In ESP32 rev. 0, switching between 240MHz and 80MHz (even via an
intermediate frequency of 40MHz) may cause the chip to lock up.
The bootloader used to enable 80MHz CPU clock at startup, which could
cause lock up after software reset. With this change, if 240MHz CPU
clock is enabled in menuconfig, bootloader will also use 240MHz to avoid
lock-up.
1. When dual core cpu run access DPORT register, must do protection.
2. If access DPORT register, must use DPORT_REG_READ/DPORT_REG_WRITE and DPORT_XXX register operation macro.
add support for 32k XTAL as RTC_SLOW_CLK source
- RTC_CNTL_SLOWCLK_FREQ define is removed; rtc_clk_slow_freq_get_hz
function can be used instead to get an approximate RTC_SLOW_CLK
frequency
- Clock calibration is performed at startup. The value is saved and used
for timekeeping and when entering deep sleep.
- When using the 32k XTAL, startup code will wait for the oscillator to
start up. This can be possibly optimized by starting a separate task
to wait for oscillator startup, and performing clock switch in that
task.
- Fix a bug that 32k XTAL would be disabled in rtc_clk_init.
- Fix a rounding error in rtc_clk_cal, which caused systematic frequency
error.
- Fix an overflow bug which caused rtc_clk_cal to timeout early if the
slow_clk_cycles argument would exceed certain value
- Improve 32k XTAL oscillator startup time by introducing bootstrapping
code, which uses internal pullup/pulldown resistors on 32K_N/32K_P
pins to set better initial conditions for the oscillator.
Ref TW11683.
Ref https://esp32.com/viewtopic.php?f=13&t=1570
Fixes https://github.com/espressif/esp-idf/issues/337.
See merge request !696
- RTC_CNTL_SLOWCLK_FREQ define is removed; rtc_clk_slow_freq_get_hz
function can be used instead to get an approximate RTC_SLOW_CLK
frequency
- Clock calibration is performed at startup. The value is saved and used
for timekeeping and when entering deep sleep.
- When using the 32k XTAL, startup code will wait for the oscillator to
start up. This can be possibly optimized by starting a separate task
to wait for oscillator startup, and performing clock switch in that
task.
- Fix a bug that 32k XTAL would be disabled in rtc_clk_init.
- Fix a rounding error in rtc_clk_cal, which caused systematic frequency
error.
- Fix an overflow bug which caused rtc_clk_cal to timeout early if the
slow_clk_cycles argument would exceed certain value
- Improve 32k XTAL oscillator startup time by introducing bootstrapping
code, which uses internal pullup/pulldown resistors on 32K_N/32K_P
pins to set better initial conditions for the oscillator.
Confusion here is that original ROM has two functions:
* SPIReadModeCnfig() - sets mode, calls enable_qio_mode/disable_qio_mode
* SPIMasterReadModeCnfig() - As above, but doesn't set QIO mode in status register
However we never want to use the ROM method to set/clear QIO mode flag, as not all flash chips work this way. Instead we
do it in flash_qio_mode.c in bootloader.
So in both cases (ROM or "patched ROM") we now call SPIMasterReadModeCnfig(), which is now named
esp_rom_spiflash_config_readmode().
Introduce soc component, add source of rtc_clk and rtc_pm libraries
This MR adds parts of the RTC library source code (initialization, clock selection functions, sleep functions). WiFi-related power management functions are kept inside the precompiled library. Most of RTC library APIs have been renamed.
Default CPU frequency option in Kconfig is set to 160MHz, pending qualification of 240MHz mode at high temperatures.
Register header files are moved into the new soc component, which will contain chip-specific header files and low-level non-RTOS-aware APIs (such as rtc_ APIs). Some of the files from ESP32 component were also moved: cpu_util.c, brownout.c, and the corresponding header files. Further refactoring of ESP32 component into more meaningful layers (chip-specific low level functions; chip-specific RTOS aware functions; framework-specific RTOS-related functions) will be done in future MRs.
See merge request !633
1) fixed SPI_read_status: added check for flash busy flag in matrix mode
2) fixed SPI_page_program: enable write before writing data to SPI FIFO
3) SPI flash ROM funcs replacement is controlled via menuconfig option
When idf_monitor is launched from make, it gets modified TEST_COMPONENTS
variable which contains full paths to the test components instead of the
names. This causes TEST_COMPONENT_PATHS to be empty and the unit test
app gets built without any test components.
This change introduces an internal TEST_COMPONENTS_LIST variable which
gets set either from $(COMPONENTS) if TESTS_ALL is 1, and from
TEST_COMOPONENTS otherwise.
Bootloader makefile is also fixed to avoid propagating TESTS_ALL to the
bootloader build step.
Partition/SPI/OTA docs & OTA new functionality
* Update partition, SPI flash & OTA docs to reflect functionality changes
* Refactor OTA implementation to perform checks mentioned in API doc
* Add new functions to OTA API: esp_ota_get_running_partition() & esp_ota_get_next_update_partition() functions
* Add spi_flash_cache2phys() & spi_flash_phys2cache() functions to support esp_ota_get_running_partition()
See merge request !513
1. Add disable PHY and RF when WiFi and BT are both disabled(including call sniffer disable API).
2. Do not init PHY and RF when cpu start. Init PHY and RF when call Wifi or BT start APIs(including sniffer enable API).
3. Add a temporary lib: librtc_clk.a and will delete it when CPU frequency switching function is done.
4. Add an function to get OS tick rate.
5. Do not put the whole pp.a in iram0, only put lmac.o, ieee80211_misc.o, ets_time.o and wdev.o in iram0.
Docs: Document flash encryption disable steps, clean up flash encryption & secure boot docs
Generate clean up of flash encryption & secure boot docs
Including steps for disabling flash encryption (for people who accidentally enable it).
See merge request !500
Also add steps to disable flash encryption, as some people seem to
accidentally enable it.
Explicitly mark the flash encryption and secure boot as "READ DOCS
FIRST" in menuconfig.
build system: add IDF_VER environment variable and preprocessor define
This adds an `IDF_VER` preprocessor define which is obtained from `git describe`.
Looks like `v1.0-275-g0efaa4f` for non-release version or `v2.0` for a tagged (release) version.
See merge request !403
Enable bootloader entropy source for RNG
Enables an entropy source when bootloader starts up, which both seeds the RNG for use before WiFi/BT stack is enabled and provides an adequate RNG for secure boot & flash encryption key generation.
A prerequisite was enabling 80MHz operation, so the CPU is now set to 80MHz as soon as second stage bootloader starts running.
See merge request !363
Modify bootloader dram_seg from address 0x3ffc0000 to 0x3fff0000, len from
0x20000 to 0x10000. Please be notified that this is just a workaround for
fixing app data overwrite bootloader data issue!