Added:
* set a secure version in app/bootloader.
* description anti-rollback to ota part
* emulate the secure_version write and read operations
* efuse_em partition.
* a description about a rollback for native_ota_example.
Closes: TW26335
In some cases, linker could choose to use ROM functions instead of the
ones defined in IDF.
For functions used in ROM stub table, this would lead to infinite
recursion when the corresponding function was called from ROM.
For crypto functions, some of these were modified in IDF, and
incompatible with ROM counterparts.
It is possible to utilize some of the routines related to otadata
partition validation, after firmware image is downloaded to RAM. Hence
these routines should be part of app cpu cache, so that they do not
get overwritten by firmware.
Signed-off-by: Mahavir Jain <mahavir@espressif.com>
Allows OTA updates to be secured via signature checks, without requiring the overhead or complexity
of a full secure boot implementation.
Uses same signing mechanisms (build system and/or espsecure.py as Secure Boot).
Requires:
* [ ] More testing
* [ ] Documentation
* Fixes some "noreturn" functions in bootloader utils which did return (causing fatal CPU
exceptions).
* Marks bootloader entry as "noreturn", preventing "user code done" from stalling boot
Partial fix for https://github.com/espressif/esp-idf/issues/1814 TW20016
(Comprehensive fix for this issue will be enabling WDT during bootloader, coming shortly.)
Because address space is mapped in 64KB pages, it was possible for unauthenticated data after the
app .bin to become mapped into the flash cache address space.
This problem is solved by 2 changes:
* "esptool elf2image --secure-pad" will pad the image so that the signature block ends close to the
64KB boundary. Due to alignment constraints it will be 12 bytes too short after signing (but
with flash encryption, these 12 bytes are still encrypted as part of the last block and can't be
arbitrarily changed).
* By default, secure boot now requires all app partitions to be a multiple of 64KB in size.
When 2nd stage bootloader loads the ROM bootloader, it prints a
message similar to "entry 0x40080xxx", which idf_monitor decodes
(using application ELF file) as one of the reset vectors (xxx is <
400h). This moves the iram_seg of bootloader 1k up to prevent overlap
of bootloader .text and application vectors, making the output look
nicer. There is still a chance that the entry point decodes as some
symbol in application ELF file, but at least it won't have
"Exception" in its name.
Allows you to move the partition table, it gives more space for the bootloader.
Added a new utility - parttool.py. This utility can search for the offset and/or size of the partitions by name and type/subtype. Use for getting APP_OFFSET and PHY_DATA_OFFSET.
The linker(esp32.bootloader.ld) made changes that allow you to write a custom bootloader code more.
TW14125
Added feature:
- reset firmware to Factory app.(by long pressing of the button)
- boot Test app. (by long pressing of the button)
- Added feature erase data partitions from factory reset.
TW10281
TW10280
Refactor IDF "project" functionality under a wrapping of the default
"project" command, so we can tweak it a bit...
Will need more testing in other environments.
Need to make the bootloader modular so that users can redefine its functional part.
- refactoring and moving functions to the bootloader_support component
- Changed function to `void` bootloader_utility_load_image(...);
TW19596
This commit adds support for CPU max freqeuency rating
bits in CPU. Bootloader will now print an error if attempting
to 160MHz rated ESP32 at 240MHz.
EFUSE_CHIP_VER_RESERVE has been replaced by the
frequency rating bits. Dependancies on EFUSE_CHIP_VER_RESERVE
have been changed to use EFUSE_CHIP_VER_PKG
Since 9a8c0392, XTAL frequency is set to 40MHz by default, and users
of 26MHz boards need to select 26MHz manually. Most users are not aware
of this change, and existing getting started guides do not mention that
XTAL frequency needs to be set for some boards. So users are left with
garbage output from UART without any clue what to check.
This change adds a warning in case specific XTAL frequency was set, and
it does not match automatically detected one. This should help users
fix the issue.
Fix warnings where undefined vars are used.
Make Kconfig emit "FOO=" for unset bool options
To ensure make variables are always defined, even if empty.
When writing auto.conf, include symbols disabled by dependency to make sure all make variables are always defined.
Fixesespressif/esp-idf#137
Cherry-picked from https://github.com/espressif/esp-idf/pull/138
Regression introduced in 43e231c.
Thanks to @yanbe for pointing out issue in https://github.com/espressif/esp-idf/pull/955
This is a different fix, tries to keep the behaviour that 43e231c was aiming to correct (unnecessarily testing an
invalid slot more than once.)
Makes app image booting more reliable (256-bit rather than 8-bit verification.)
Some measurements, time to boot a 655KB app.bin file and run to app_main() execution.
(All for rev 1 silicon, ie no 340ms spurious WDT delay.)
80MHz QIO mode:
before = 300ms
after = 140ms
40MHz DIO mode:
before = 712ms
after = 577ms
40MHz DIO mode, secure boot enabled
before = 1380ms
after = 934ms
(Secure boot involves two ECC signature verifications (partition table, app) that take approx 300ms each with 80MHz CPU.)
For config-only components, component.mk should now contain "COMPONENT_CONFIG_ONLY := 1"
Also refactored some of the generation of linker paths, library list. This required cleaning up the way the bootloader
project works, it's now mostly independent from the parent.
Currently the last 128KB of DRAM is reserved for the bootloader & early boot stacks. This means if >192KB of static DRAM
is allocated, the only available heap is this region - which is disabled until the scheduler starts. As a result, you
get either heap corruption on early boot if the static data overlaps startup heap (leading to very weird errors), or
FreeRTOS will fail to start when it can't malloc() anything.
Long term fix is to move the stacks & bootloader data to the very end of RAM, and only reserve that part for early
boot. This is a little fiddly because of also wanting to make sure this memory is not preemptively fragmented when it
gets reintroduced to the heap. This will become more important if/when we have more static allocation options in the
future.
For now, these errors make it clear why the boot has failed.
Ref TW13909
In ESP32 rev. 0, switching between 240MHz and 80MHz (even via an
intermediate frequency of 40MHz) may cause the chip to lock up.
The bootloader used to enable 80MHz CPU clock at startup, which could
cause lock up after software reset. With this change, if 240MHz CPU
clock is enabled in menuconfig, bootloader will also use 240MHz to avoid
lock-up.
1. When dual core cpu run access DPORT register, must do protection.
2. If access DPORT register, must use DPORT_REG_READ/DPORT_REG_WRITE and DPORT_XXX register operation macro.
add support for 32k XTAL as RTC_SLOW_CLK source
- RTC_CNTL_SLOWCLK_FREQ define is removed; rtc_clk_slow_freq_get_hz
function can be used instead to get an approximate RTC_SLOW_CLK
frequency
- Clock calibration is performed at startup. The value is saved and used
for timekeeping and when entering deep sleep.
- When using the 32k XTAL, startup code will wait for the oscillator to
start up. This can be possibly optimized by starting a separate task
to wait for oscillator startup, and performing clock switch in that
task.
- Fix a bug that 32k XTAL would be disabled in rtc_clk_init.
- Fix a rounding error in rtc_clk_cal, which caused systematic frequency
error.
- Fix an overflow bug which caused rtc_clk_cal to timeout early if the
slow_clk_cycles argument would exceed certain value
- Improve 32k XTAL oscillator startup time by introducing bootstrapping
code, which uses internal pullup/pulldown resistors on 32K_N/32K_P
pins to set better initial conditions for the oscillator.
Ref TW11683.
Ref https://esp32.com/viewtopic.php?f=13&t=1570
Fixes https://github.com/espressif/esp-idf/issues/337.
See merge request !696
- RTC_CNTL_SLOWCLK_FREQ define is removed; rtc_clk_slow_freq_get_hz
function can be used instead to get an approximate RTC_SLOW_CLK
frequency
- Clock calibration is performed at startup. The value is saved and used
for timekeeping and when entering deep sleep.
- When using the 32k XTAL, startup code will wait for the oscillator to
start up. This can be possibly optimized by starting a separate task
to wait for oscillator startup, and performing clock switch in that
task.
- Fix a bug that 32k XTAL would be disabled in rtc_clk_init.
- Fix a rounding error in rtc_clk_cal, which caused systematic frequency
error.
- Fix an overflow bug which caused rtc_clk_cal to timeout early if the
slow_clk_cycles argument would exceed certain value
- Improve 32k XTAL oscillator startup time by introducing bootstrapping
code, which uses internal pullup/pulldown resistors on 32K_N/32K_P
pins to set better initial conditions for the oscillator.
Confusion here is that original ROM has two functions:
* SPIReadModeCnfig() - sets mode, calls enable_qio_mode/disable_qio_mode
* SPIMasterReadModeCnfig() - As above, but doesn't set QIO mode in status register
However we never want to use the ROM method to set/clear QIO mode flag, as not all flash chips work this way. Instead we
do it in flash_qio_mode.c in bootloader.
So in both cases (ROM or "patched ROM") we now call SPIMasterReadModeCnfig(), which is now named
esp_rom_spiflash_config_readmode().
Introduce soc component, add source of rtc_clk and rtc_pm libraries
This MR adds parts of the RTC library source code (initialization, clock selection functions, sleep functions). WiFi-related power management functions are kept inside the precompiled library. Most of RTC library APIs have been renamed.
Default CPU frequency option in Kconfig is set to 160MHz, pending qualification of 240MHz mode at high temperatures.
Register header files are moved into the new soc component, which will contain chip-specific header files and low-level non-RTOS-aware APIs (such as rtc_ APIs). Some of the files from ESP32 component were also moved: cpu_util.c, brownout.c, and the corresponding header files. Further refactoring of ESP32 component into more meaningful layers (chip-specific low level functions; chip-specific RTOS aware functions; framework-specific RTOS-related functions) will be done in future MRs.
See merge request !633
1) fixed SPI_read_status: added check for flash busy flag in matrix mode
2) fixed SPI_page_program: enable write before writing data to SPI FIFO
3) SPI flash ROM funcs replacement is controlled via menuconfig option
When idf_monitor is launched from make, it gets modified TEST_COMPONENTS
variable which contains full paths to the test components instead of the
names. This causes TEST_COMPONENT_PATHS to be empty and the unit test
app gets built without any test components.
This change introduces an internal TEST_COMPONENTS_LIST variable which
gets set either from $(COMPONENTS) if TESTS_ALL is 1, and from
TEST_COMOPONENTS otherwise.
Bootloader makefile is also fixed to avoid propagating TESTS_ALL to the
bootloader build step.
Partition/SPI/OTA docs & OTA new functionality
* Update partition, SPI flash & OTA docs to reflect functionality changes
* Refactor OTA implementation to perform checks mentioned in API doc
* Add new functions to OTA API: esp_ota_get_running_partition() & esp_ota_get_next_update_partition() functions
* Add spi_flash_cache2phys() & spi_flash_phys2cache() functions to support esp_ota_get_running_partition()
See merge request !513
1. Add disable PHY and RF when WiFi and BT are both disabled(including call sniffer disable API).
2. Do not init PHY and RF when cpu start. Init PHY and RF when call Wifi or BT start APIs(including sniffer enable API).
3. Add a temporary lib: librtc_clk.a and will delete it when CPU frequency switching function is done.
4. Add an function to get OS tick rate.
5. Do not put the whole pp.a in iram0, only put lmac.o, ieee80211_misc.o, ets_time.o and wdev.o in iram0.
Docs: Document flash encryption disable steps, clean up flash encryption & secure boot docs
Generate clean up of flash encryption & secure boot docs
Including steps for disabling flash encryption (for people who accidentally enable it).
See merge request !500
Also add steps to disable flash encryption, as some people seem to
accidentally enable it.
Explicitly mark the flash encryption and secure boot as "READ DOCS
FIRST" in menuconfig.
build system: add IDF_VER environment variable and preprocessor define
This adds an `IDF_VER` preprocessor define which is obtained from `git describe`.
Looks like `v1.0-275-g0efaa4f` for non-release version or `v2.0` for a tagged (release) version.
See merge request !403
Enable bootloader entropy source for RNG
Enables an entropy source when bootloader starts up, which both seeds the RNG for use before WiFi/BT stack is enabled and provides an adequate RNG for secure boot & flash encryption key generation.
A prerequisite was enabling 80MHz operation, so the CPU is now set to 80MHz as soon as second stage bootloader starts running.
See merge request !363
Modify bootloader dram_seg from address 0x3ffc0000 to 0x3fff0000, len from
0x20000 to 0x10000. Please be notified that this is just a workaround for
fixing app data overwrite bootloader data issue!
Flash encryption support
Flash encryption support in build system, tooling
To come in future MR:
* On-device key generation on first boot (for production devices), need to finalise testing of bootloader entropy seeding.
* spi_flash_encrypted_write to support non-32-byte block writes (at least optionally.)
* I think a lot of the bootloader_support component can possibly be rolled into "spiflash" and other components, to use a common API.
See merge request !240
This change adds a set of menuconfig options to set custom UART#, baud rate, and pins, for console output.
Setting happens in bootloader startup code for PRO CPU, and in application startup code for APP CPU.
Ref. TW8146
* App access functions are all flash encryption-aware
* Documentation for flash encryption
* Partition read/write is flash aware
* New encrypted write function
rename nvs host test folder, modify .gitlab-ci.yml
remove unit-test-app build
re-format unit test files
remove extra newlines in project.mk
some refactoring for unit test part in project.mk
add build files of unit-test-app in gitignore
add README.md for unit test app
correct headings in README.md
remove files and make minor tweaks in unit test app
update .gitlab-ci.yml to use unit test app
delete unused lines in component_wrapper.mk
delete periph_i2s.h and lcd test
add text floating point in components/esp32/test/Kconfig
correct idf test build paths in .gitlab-ci.yml