menu "Bootloader config" choice LOG_BOOTLOADER_LEVEL bool "Bootloader log verbosity" default LOG_BOOTLOADER_LEVEL_WARN help Specify how much output to see in bootloader logs. config LOG_BOOTLOADER_LEVEL_NONE bool "No output" config LOG_BOOTLOADER_LEVEL_ERROR bool "Error" config LOG_BOOTLOADER_LEVEL_WARN bool "Warning" config LOG_BOOTLOADER_LEVEL_INFO bool "Info" config LOG_BOOTLOADER_LEVEL_DEBUG bool "Debug" config LOG_BOOTLOADER_LEVEL_VERBOSE bool "Verbose" endchoice config LOG_BOOTLOADER_LEVEL int default 0 if LOG_BOOTLOADER_LEVEL_NONE default 1 if LOG_BOOTLOADER_LEVEL_ERROR default 2 if LOG_BOOTLOADER_LEVEL_WARN default 3 if LOG_BOOTLOADER_LEVEL_INFO default 4 if LOG_BOOTLOADER_LEVEL_DEBUG default 5 if LOG_BOOTLOADER_LEVEL_VERBOSE choice SECURE_BOOTLOADER bool "Secure bootloader" default SECURE_BOOTLOADER_DISABLED help Build a bootloader with the secure boot flag enabled. Secure bootloader can be one-time-flash (chip will only ever boot that particular bootloader), or a digest key can be used to allow the secure bootloader to be re-flashed with modifications. Secure boot also permanently disables JTAG. See docs/security/secure-boot.rst for details. config SECURE_BOOTLOADER_DISABLED bool "Disabled" config SECURE_BOOTLOADER_ONE_TIME_FLASH bool "One-time flash" help On first boot, the bootloader will generate a key which is not readable externally or by software. A digest is generated from the bootloader image itself. This digest will be verified on each subsequent boot. Enabling this option means that the bootloader cannot be changed after the first time it is booted. config SECURE_BOOTLOADER_REFLASHABLE bool "Reflashable" help Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key. This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing key. This option is less secure than one-time flash, because a leak of the digest key from one device allows reflashing of any device that uses it. endchoice config SECURE_BOOT_SIGNING_KEY string "Secure boot signing key" depends on SECURE_BOOTLOADER_ENABLED default secure_boot_signing_key.pem help Path to the key file used to sign partition tables and app images for secure boot. Key file is an ECDSA private key (NIST256p curve) in PEM format. Path is evaluated relative to the project directory. You can generate a new signing key by running the following command: espsecure.py generate_signing_key secure_boot_signing_key.pem See docs/security/secure-boot.rst for details. config SECURE_BOOTLOADER_ENABLED bool default SECURE_BOOTLOADER_ONE_TIME_FLASH || SECURE_BOOTLOADER_REFLASHABLE endmenu