mirror of
https://github.com/espressif/esp-idf.git
64f3893cb9
Means only one key needs to be managed.
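# Build-time options for the bootloader: log verbosity, secure boot mode,
# and the location of the secure boot signing key.
menu "Bootloader config"

# Exactly one verbosity entry is selected here; the selection is mirrored as
# an integer by the LOG_BOOTLOADER_LEVEL config further down.
choice LOG_BOOTLOADER_LEVEL
    bool "Bootloader log verbosity"
    default LOG_BOOTLOADER_LEVEL_WARN
    help
        Specify how much output to see in bootloader logs.

config LOG_BOOTLOADER_LEVEL_NONE
    bool "No output"
config LOG_BOOTLOADER_LEVEL_ERROR
    bool "Error"
config LOG_BOOTLOADER_LEVEL_WARN
    bool "Warning"
config LOG_BOOTLOADER_LEVEL_INFO
    bool "Info"
config LOG_BOOTLOADER_LEVEL_DEBUG
    bool "Debug"
config LOG_BOOTLOADER_LEVEL_VERBOSE
    bool "Verbose"
endchoice

# Promptless integer form of the choice above (0 = none ... 5 = verbose).
# It has no prompt, so it can only take one of the defaults listed here.
config LOG_BOOTLOADER_LEVEL
    int
    default 0 if LOG_BOOTLOADER_LEVEL_NONE
    default 1 if LOG_BOOTLOADER_LEVEL_ERROR
    default 2 if LOG_BOOTLOADER_LEVEL_WARN
    default 3 if LOG_BOOTLOADER_LEVEL_INFO
    default 4 if LOG_BOOTLOADER_LEVEL_DEBUG
    default 5 if LOG_BOOTLOADER_LEVEL_VERBOSE

# Secure boot mode. Per the help text, both enabled modes have permanent
# effects on the device (JTAG is disabled; in one-time-flash mode the
# bootloader can never be replaced), so the default stays "Disabled".
choice SECURE_BOOTLOADER
    bool "Secure bootloader"
    default SECURE_BOOTLOADER_DISABLED
    help
        Build a bootloader with the secure boot flag enabled.

        Secure bootloader can be one-time-flash (chip will only ever
        boot that particular bootloader), or a digest key can be used
        to allow the secure bootloader to be re-flashed with
        modifications. Secure boot also permanently disables JTAG.

        See docs/security/secure-boot.rst for details.

config SECURE_BOOTLOADER_DISABLED
    bool "Disabled"

config SECURE_BOOTLOADER_ONE_TIME_FLASH
    bool "One-time flash"
    help
        On first boot, the bootloader will generate a key which is not readable externally or by software. A digest is generated from the bootloader image itself. This digest will be verified on each subsequent boot.

        Enabling this option means that the bootloader cannot be changed after the first time it is booted.

# In this mode the bootloader digest key is derived from the signing key, so
# the signing key file is the single secret protecting every device built
# with it: whoever holds it can re-flash the bootloader on those devices.
config SECURE_BOOTLOADER_REFLASHABLE
    bool "Reflashable"
    help
        Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key.

        This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing key.

        This option is less secure than one-time flash, because a leak of the digest key from one device allows reflashing of any device that uses it.

endchoice

# The file named here is an ECDSA *private* key. The default path resolves
# inside the project directory, so make sure the key file is excluded from
# version control and build artifacts, and restrict who can read it.
config SECURE_BOOT_SIGNING_KEY
    string "Secure boot signing key"
    depends on SECURE_BOOTLOADER_ENABLED
    # Quoted so the default is a string literal rather than a reference to
    # an undefined symbol that happens to evaluate to its own name.
    default "secure_boot_signing_key.pem"
    help
        Path to the key file used to sign partition tables and app images for secure boot.

        Key file is an ECDSA private key (NIST256p curve) in PEM format.

        Path is evaluated relative to the project directory.

        You can generate a new signing key by running the following command:
            espsecure.py generate_signing_key secure_boot_signing_key.pem

        See docs/security/secure-boot.rst for details.

# Promptless helper: true whenever either secure boot mode is selected.
# Other options (such as the signing key above) depend on this symbol.
config SECURE_BOOTLOADER_ENABLED
    bool
    default SECURE_BOOTLOADER_ONE_TIME_FLASH || SECURE_BOOTLOADER_REFLASHABLE

endmenu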