mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
f8b191cfae
Because address space is mapped in 64KB pages, it was possible for unauthenticated data after the app .bin to become mapped into the flash cache address space. This problem is solved by 2 changes: * "esptool elf2image --secure-pad" will pad the image so that the signature block ends close to the 64KB boundary. Due to alignment constraints it will be 12 bytes too short after signing (but with flash encryption, these 12 bytes are still encrypted as part of the last block and can't be arbitrarily changed). * By default, secure boot now requires all app partitions to be a multiple of 64KB in size.
93 lines
3.4 KiB
Makefile
93 lines
3.4 KiB
Makefile
#
|
|
# Partition table
|
|
#
|
|
# The partition table is not a real component that gets linked into
|
|
# the project. Instead, it is a standalone project to generate
|
|
# the partition table binary as part of the build process. This
|
|
# binary is then added to the list of files for esptool.py to flash.
|
|
#
|
|
.PHONY: partition_table partition_table-flash partition_table-clean partition_table_get_info
|
|
|
|
PARTITION_MD5_OPT :=
|
|
ifndef CONFIG_PARTITION_TABLE_MD5
|
|
PARTITION_MD5_OPT := "--disable-md5sum"
|
|
endif
|
|
|
|
PARTITION_FLASHSIZE_OPT :=
|
|
ifneq ("$(CONFIG_ESPTOOLPY_FLASHSIZE)", "")
|
|
PARTITION_FLASHSIZE_OPT := --flash-size $(CONFIG_ESPTOOLPY_FLASHSIZE)
|
|
endif
|
|
|
|
PARTITION_SECURE_OPT :=
|
|
ifdef CONFIG_SECURE_BOOT_ENABLED
|
|
ifndef CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION
|
|
PARTITION_SECURE_OPT += --secure
|
|
endif
|
|
endif
|
|
|
|
# Address of partition table
|
|
PARTITION_TABLE_OFFSET := $(CONFIG_PARTITION_TABLE_OFFSET)
|
|
PARTITION_TABLE_OFFSET_ARG := --offset $(PARTITION_TABLE_OFFSET)
|
|
|
|
GEN_ESP32PART := $(PYTHON) $(COMPONENT_PATH)/gen_esp32part.py -q $(PARTITION_MD5_OPT) $(PARTITION_FLASHSIZE_OPT) $(PARTITION_TABLE_OFFSET_ARG) $(PARTITION_SECURE_OPT)
|
|
GET_PART_INFO := $(COMPONENT_PATH)/parttool.py -q
|
|
|
|
# if CONFIG_PARTITION_TABLE_FILENAME is unset, means we haven't re-generated config yet...
|
|
ifneq ("$(CONFIG_PARTITION_TABLE_FILENAME)","")
|
|
|
|
ifndef PARTITION_TABLE_CSV_PATH
|
|
# Path to partition CSV file is relative to project path for custom
|
|
# partition CSV files, but relative to component dir otherwise.
|
|
PARTITION_TABLE_ROOT := $(call dequote,$(if $(CONFIG_PARTITION_TABLE_CUSTOM),$(PROJECT_PATH),$(COMPONENT_PATH)))
|
|
PARTITION_TABLE_CSV_PATH := $(call dequote,$(abspath $(PARTITION_TABLE_ROOT)/$(call dequote,$(CONFIG_PARTITION_TABLE_FILENAME))))
|
|
endif
|
|
|
|
PARTITION_TABLE_CSV_NAME := $(notdir $(PARTITION_TABLE_CSV_PATH))
|
|
|
|
PARTITION_TABLE_BIN := $(BUILD_DIR_BASE)/$(PARTITION_TABLE_CSV_NAME:.csv=.bin)
|
|
|
|
ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
|
|
PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN:.bin=-unsigned.bin)
|
|
# add an extra signing step for secure partition table
|
|
$(PARTITION_TABLE_BIN): $(PARTITION_TABLE_BIN_UNSIGNED) $(SDKCONFIG_MAKEFILE) $(SECURE_BOOT_SIGNING_KEY)
|
|
$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
|
|
else
|
|
# secure bootloader disabled, both files are the same
|
|
PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN)
|
|
endif
|
|
|
|
$(PARTITION_TABLE_BIN_UNSIGNED): $(PARTITION_TABLE_CSV_PATH) $(SDKCONFIG_MAKEFILE)
|
|
@echo "Building partitions from $(PARTITION_TABLE_CSV_PATH)..."
|
|
$(GEN_ESP32PART) $< $@
|
|
|
|
all_binaries: $(PARTITION_TABLE_BIN) partition_table_get_info
|
|
|
|
partition_table_get_info: $(PARTITION_TABLE_BIN)
|
|
$(eval PHY_DATA_OFFSET:=$(shell $(GET_PART_INFO) --type data --subtype phy --offset $(PARTITION_TABLE_BIN)))
|
|
$(eval APP_OFFSET:=$(shell $(GET_PART_INFO) --default-boot-partition --offset $(PARTITION_TABLE_BIN)))
|
|
|
|
export APP_OFFSET
|
|
export PHY_DATA_OFFSET
|
|
|
|
PARTITION_TABLE_FLASH_CMD = $(ESPTOOLPY_SERIAL) write_flash $(PARTITION_TABLE_OFFSET) $(PARTITION_TABLE_BIN)
|
|
ESPTOOL_ALL_FLASH_ARGS += $(PARTITION_TABLE_OFFSET) $(PARTITION_TABLE_BIN)
|
|
|
|
partition_table: $(PARTITION_TABLE_BIN) partition_table_get_info
|
|
@echo "Partition table binary generated. Contents:"
|
|
@echo $(SEPARATOR)
|
|
$(GEN_ESP32PART) $<
|
|
@echo $(SEPARATOR)
|
|
@echo "Partition flashing command:"
|
|
@echo "$(PARTITION_TABLE_FLASH_CMD)"
|
|
|
|
partition_table-flash: $(PARTITION_TABLE_BIN)
|
|
@echo "Flashing partition table..."
|
|
$(PARTITION_TABLE_FLASH_CMD)
|
|
|
|
partition_table-clean:
|
|
rm -f $(PARTITION_TABLE_BIN)
|
|
|
|
clean: partition_table-clean
|
|
|
|
endif
|