From 873901e7aababb3e183766bd5f476eaddb8b1cc0 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Fri, 19 May 2023 13:04:47 +0530
Subject: [PATCH] bootloader: add a config to enable flashing of bootloader using the command `idf.py flash` when secure boot v2 is enabled.
---
 components/bootloader/CMakeLists.txt | 7 ++++---
 components/bootloader/Kconfig.projbuild | 17 +++++++++++++++++
 components/bootloader/subproject/CMakeLists.txt | 8 ++++++--
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/components/bootloader/CMakeLists.txt b/components/bootloader/CMakeLists.txt
index b17b6e7ef1..063af86e22 100644
--- a/components/bootloader/CMakeLists.txt
+++ b/components/bootloader/CMakeLists.txt
@@ -7,8 +7,9 @@ endif()
 add_dependencies(bootloader partition_table_bin)
-# When secure boot is enabled, do not flash bootloader along with invocation of `idf.py flash`
-if(NOT CONFIG_SECURE_BOOT)
+# When secure boot is enabled and CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is not enabled
+# do not flash the bootloader along with the other artifacts using the command `idf.py flash`
+if(NOT CONFIG_SECURE_BOOT OR CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT)
 set(flash_bootloader FLASH_IN_PROJECT)
 endif()
@@ -18,7 +19,7 @@ esptool_py_flash_target_image(bootloader-flash bootloader
 "${BOOTLOADER_BUILD_DIR}/bootloader.bin")
 # Also attach an image to the project flash target
-if(NOT CONFIG_SECURE_BOOT)
+if(NOT CONFIG_SECURE_BOOT OR CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT)
 esptool_py_flash_target_image(flash bootloader
 ${CONFIG_BOOTLOADER_OFFSET_IN_FLASH}
 "${BOOTLOADER_BUILD_DIR}/bootloader.bin")
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 339d636d78..a4d2fb6457 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
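Review bot: The condition `NOT CONFIG_SECURE_BOOT OR CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT` is written out twice in components/bootloader/CMakeLists.txt (hunks -7 and -18), although the first hunk already records the outcome in `flash_bootloader`; the second hunk could test `if(flash_bootloader)` instead of re-deriving it, so the two attachment points cannot drift apart (whether `flash_bootloader` is assigned elsewhere in the file is not visible here). The new comment says when the bootloader is withheld but not why; a reader changing this later is better served by `# With Secure Boot on, idf.py flash writes the bootloader only when CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT opts in: an image not signed with the burned key fails verification and the device will not boot`. Whether `${BOOTLOADER_BUILD_DIR}/bootloader.bin` is the signed image at that point is decided by the subproject build and cannot be confirmed from these hunks.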
@@ -737,6 +737,23 @@ menu "Security features"
 This can lead to permanent bricking of the device, in case all keys are revoked because of signature verification failure.
+ config SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT
+ bool "Flash bootloader along with other artifacts when using the default flash command"
+ depends on SECURE_BOOT_V2_ENABLED && SECURE_BOOT_BUILD_SIGNED_BINARIES
+ default N
+ help
+ When Secure Boot V2 is enabled, by default the bootloader is not flashed along with other artifacts
+ like the application and the partition table images, i.e. bootloader has to be seperately flashed
+ using the command `idf.py bootloader flash`, whereas, the application and partition table can be flashed
+ using the command `idf.py flash` itself.
+ Enabling this option allows flashing the bootloader along with the other artifacts
+ by invocation of the command `idf.py flash`.
+
+ If this option is enabled make sure that even the bootloader is signed using the correct secure boot key,
+ otherwise the bootloader signature verification would fail, as hash of the public key which is present in
+ the bootloader signature would not match with the digest stored into the efuses
+ and thus the device will not be able to boot up.
+
 choice SECURE_BOOTLOADER_KEY_ENCODING
 bool "Hardware Key Encoding"
 depends on SECURE_BOOTLOADER_REFLASHABLE
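Review bot: `default N` uses an uppercase letter where Kconfig's boolean constants are lowercase; write `default n` so the parser reads the constant rather than a symbol named N (the effective value is the same only if an undefined symbol evaluates to n). In the help text `seperately` should be `separately`, and `whereas, the application` reads better without the comma. The last paragraph states the security consequence well; it could add one sentence saying that leaving the option off keeps the previous behaviour, where the bootloader is written only by the explicit `idf.py bootloader flash`, so the default remains the conservative choice. The `depends on SECURE_BOOT_V2_ENABLED && SECURE_BOOT_BUILD_SIGNED_BINARIES` line limits the symbol to signed Secure Boot V2 builds, which matches what the CMake changes in this patch assume.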
@@ -202,7 +202,11 @@ elseif(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
 "* Not recommended to re-use the same secure boot keyfile on multiple production devices."
 DEPENDS gen_secure_bootloader_key gen_bootloader_digest_bin
 VERBATIM)
-elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND (CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_IDF_TARGET_ESP32C3))
+elseif(
+ CONFIG_SECURE_BOOT_V2_ENABLED AND
+ (CONFIG_SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS GREATER 1) AND
+ NOT CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT
+ )
 add_custom_command(TARGET bootloader.elf POST_BUILD
 COMMAND ${CMAKE_COMMAND} -E echo
 "=============================================================================="
@@ -221,7 +225,7 @@ elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND (CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_ID
 "=============================================================================="
 DEPENDS gen_signed_bootloader
 VERBATIM)
-elseif(CONFIG_SECURE_BOOT_V2_ENABLED)
+elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND NOT CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT)
 add_custom_command(TARGET bootloader.elf POST_BUILD
 COMMAND ${CMAKE_COMMAND} -E echo
 "=============================================================================="
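Review bot: The hunk at -202 changes more than the commit subject describes: `CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_IDF_TARGET_ESP32C3` becomes `CONFIG_SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS GREATER 1`, which routes every target with more than one key-digest slot into this branch, so the description should say so and the branch deserves a comment such as `# Targets with more than one secure-boot key-digest slot in eFuse` above the `elseif(`. With CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT enabled neither this branch nor the one at -221 runs, so no POST_BUILD message is printed at all; if the intent is that `idf.py flash` now writes the signed bootloader, a one-line echo saying so would keep the user informed, since the message bodies (outside these hunks) are presumably what told them how the bootloader gets flashed. `NOT CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT` is repeated in both branches and could be hoisted into an enclosing condition instead. The `if`/`elseif` chain begins before and ends after these hunks.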