Currently, when the venv is installed or updated, we attempt to
automatically update pip and setuptools within the venv. Unfortunately,
the setuptools package is installed or updated without adhering to the
constraints file, which restricts the setuptools version due to
https://github.com/pypa/setuptools/issues/4480. Resolve this issue by
applying the constraints file to the installation and update of both pip
and setuptools.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>

Bugfix/nvs Improved handling of BLOB during unreliable power environment and concurrent data access scenarios (v5.0)

See merge request espressif/esp-idf!29322

Removed rogue semicolon from SMARTCONFIG_START_CONFIG_DEFAULT() macro. This
fixes build issues when this macro is used via C++ brace initialization.
Closes https://github.com/espressif/esp-idf/pull/12867
[Darian Leung: Updated commit message]
Signed-off-by: Darian Leung <darian@espressif.com>

Some additional checks related to the secure version of the application
in the anti-rollback case have been added to avoid any attempts to boot
a lower security version but valid application (e.g., passive partition
image).

- Read secure_version under sha256 protection
- First check has been added in the bootloader to ensure correct secure
  version after application verification and loading stage. This check
  happens before setting up the flash cache mapping and handing over
  the final control to application. This check ensures that application
  was not swapped (e.g., to lower security version but valid image) just
  before the load stage in bootloader.
- Second check has been added in the application startup code to ensure
  that currently booting app has higher security version than the one
  programmed in the eFuse for anti-rollback scenario. This will ensure
  that only the legit application boots up on the device for
  anti-rollback case.

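The checks listed above, modeled in plain C as an added example; this is not ESP-IDF code and not part of the commit. The names (app_image_t, boot, efuse_min_version), the bit-count encoding of the eFuse field and the "not lower than the eFuse value" acceptance rule are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not ESP-IDF code. Assumption: the eFuse field is a
 * bit mask and the number of set bits is the minimum accepted version. */
typedef struct { uint32_t secure_version; } app_image_t;
typedef enum { BOOT_OK, REJECT_AT_VERIFY, REJECT_AFTER_LOAD, REJECT_AT_APP_START } boot_result_t;

static uint32_t efuse_min_version(uint32_t efuse_bits)
{
    uint32_t n = 0;
    for (; efuse_bits != 0; efuse_bits >>= 1) {
        n += efuse_bits & 1u;
    }
    return n;
}

/* Assumption: an image is acceptable when its version is not lower
 * than the value programmed in the eFuse. */
static bool version_allowed(uint32_t version, uint32_t efuse_bits)
{
    return version >= efuse_min_version(efuse_bits);
}

/* at_verify: slot contents when the image was verified.
 * at_load:   slot contents when the bootloader loaded it (differs if swapped).
 * running:   what the application reads about itself at startup. */
boot_result_t boot(const app_image_t *at_verify, const app_image_t *at_load,
                   const app_image_t *running, uint32_t efuse_bits)
{
    if (!version_allowed(at_verify->secure_version, efuse_bits)) {
        return REJECT_AT_VERIFY;
    }
    /* First check: after load, before cache mapping and handover. */
    if (!version_allowed(at_load->secure_version, efuse_bits)) {
        return REJECT_AFTER_LOAD;
    }
    /* Second check: repeated in the application startup code. */
    if (!version_allowed(running->secure_version, efuse_bits)) {
        return REJECT_AT_APP_START;
    }
    return BOOT_OK;
}

int main(void)
{
    app_image_t current = { 3 }, older = { 2 };  /* constructed sample images */
    uint32_t efuse_bits = 0x7;                   /* three bits set: minimum version 3 */
    printf("%d\n", boot(&current, &older, &older, efuse_bits));
    return 0;
}
```

The second call pattern in main() is the swap case: verification saw the current image, but an older valid image was in the slot at load time, so the post-load check rejects it.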
Currently the sbom manifest is checked only in .gitmodules and
this check is done in pre-commit and also in CI. Meaning it's running
three times (pre-commit before push if user has it enabled, in CI
as there is the pre-commit run again and again with test in CI). Since
esp-idf-sbom contains a full manifest validation support and pre-commit
plugin for it, let's use it. This removes all the current sbom testing
and replaces it with a single pre-commit plugin which validates all
manifest files (sbom.yml, idf_component.yml, .gitmodules and also
referenced manifests) in the repository. Note that this checks all
manifests, not only ones which were modified. The check is reasonably
fast though, so it should not cause any problem. The reason for
validating all manifest files is that we want to make sure that the sbom
information in .gitmodules is updated too and that the hash
recorded in .gitmodules is up-to-date. Meaning submodule update
would not trigger this plugin, because no manifest was changed.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>