bootloader: Combine loading from flash & verifying to save boot time

Still needs updating to account for secure boot.

components/bootloader_support/include/esp_image_format.h

@@ -11,11 +11,11 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-#ifndef __ESP32_IMAGE_FORMAT_H
-#define __ESP32_IMAGE_FORMAT_H
+#pragma once
 
 #include <stdbool.h>
 #include <esp_err.h>
+#include "esp_flash_partitions.h"
 
 #define ESP_ERR_IMAGE_BASE       0x2000
 #define ESP_ERR_IMAGE_FLASH_FAIL (ESP_ERR_IMAGE_BASE + 1)
@@ -73,62 +73,56 @@ typedef struct {
     uint32_t data_len;
 } esp_image_segment_header_t;
 
+#define ESP_IMAGE_MAX_SEGMENTS 16
+
+/* Structure to hold on-flash image metadata */
+typedef struct {
+  uint32_t start_addr;   /* Start address of image */
+  esp_image_header_t image; /* Header for entire image */
+  esp_image_segment_header_t segments[ESP_IMAGE_MAX_SEGMENTS]; /* Per-segment header data */
+  uint32_t segment_data[ESP_IMAGE_MAX_SEGMENTS]; /* Data offsets for each segment */
+  uint32_t image_length;
+
+} esp_image_metadata_t;
+
+/* Mode selection for esp_image_load() */
+typedef enum {
+    ESP_IMAGE_VERIFY,        /* Verify image contents, load metadata. Print errorsors. */
+    ESP_IMAGE_VERIFY_SILENT, /* Verify image contents, load metadata. Don't print errors. */
+#ifdef BOOTLOADER_BUILD
+    ESP_IMAGE_LOAD,          /* Verify image contents, load to memory. Print errors. */
+#endif
+} esp_image_load_mode_t;
 
 /**
- * @brief Read an ESP image header from flash.
+ * @brief Verify and (optionally, in bootloader mode) load an app image.
  *
  * If encryption is enabled, data will be transparently decrypted.
  *
- * @param src_addr Address in flash to load image header. Must be 4 byte aligned.
- * @param log_errors Log error output if image header appears invalid.
- * @param[out] image_header Pointer to an esp_image_header_t struture to be filled with data. If the function fails, contents are undefined.
- *
- * @return ESP_OK if image header was loaded, ESP_ERR_IMAGE_FLASH_FAIL
- * if a SPI flash error occurs, ESP_ERR_IMAGE_INVALID if the image header
- * appears invalid.
- */
-esp_err_t esp_image_load_header(uint32_t src_addr, bool log_errors, esp_image_header_t *image_header);
-
-/**
- * @brief Read the segment header and data offset of a segment in the image.
- *
- * If encryption is enabled, data will be transparently decrypted.
- *
- * @param index Index of the segment to load information for.
- * @param src_addr Base address in flash of the image.
- * @param[in] image_header Pointer to the flash image header, already loaded by @ref esp_image_load_header().
- * @param log_errors Log errors reading the segment header.
- * @param[out] segment_header Pointer to a segment header structure to be filled with data. If the function fails, contents are undefined.
- * @param[out] segment_data_offset Pointer to the data offset of the segment.
- *
- * @return ESP_OK if segment_header & segment_data_offset were loaded successfully, ESP_ERR_IMAGE_FLASH_FAIL if a SPI flash error occurs, ESP_ERR_IMAGE_INVALID if the image header appears invalid, ESP_ERR_INVALID_ARG if the index is invalid.
- */
-esp_err_t esp_image_load_segment_header(uint8_t index, uint32_t src_addr, const esp_image_header_t *image_header, bool log_errors, esp_image_segment_header_t *segment_header, uint32_t *segment_data_offset);
-
-
-/**
- * @brief Non-cryptographically validate app image integrity. On success, length of image is provided to caller.
- *
- * If the image has a secure boot signature appended, the signature is not checked and this length is not included in the
- * output value.
+ * @param part Partition to load the app from.
+ * @param[out] data Pointer to the metadata structure to be filled in by this function. 'start_addr' member should be set (to the start address of the image.) Other fields will all be initialised by this function.
+ * @param log_errors Log errors reading the image.
  *
  * Image validation checks:
  * - Magic byte
- * - No single segment longer than 16MB
- * - Total image no longer than 16MB
+ * - Partition smaller than 16MB
+ * - All segments & image fit in partition
  * - 8 bit image checksum is valid
+ * - (Signature) if signature verification is enabled
  *
- * If flash encryption is enabled, the image will be tranpsarently decrypted.
- *
- * @param src_addr Offset of the start of the image in flash. Must be 4 byte aligned.
- * @param allow_decrypt If true and flash encryption is enabled, the image will be transparently decrypted.
- * @param log_errors Log errors verifying the image.
- * @param[out] length Length of the image, set to a value if the image is valid. Can be null.
- *
- * @return ESP_OK if image is valid, ESP_FAIL or ESP_ERR_IMAGE_INVALID on errors.
- *
+ * @return ESP_OK if image metadata was loaded successfully, ESP_ERR_IMAGE_FLASH_FAIL if a SPI flash error occurs, ESP_ERR_IMAGE_INVALID if the image appears invalid, ESP_ERR_INVALID_ARG if the data pointer is invalid.
  */
-esp_err_t esp_image_basic_verify(uint32_t src_addr, bool log_errors, uint32_t *length);
+esp_err_t esp_image_load(esp_image_load_mode_t mode, const esp_partition_pos_t *part, esp_image_metadata_t *data);
+
+/**
+ * @brief Verify the bootloader image.
+ *
+ * @param[out] If result is ESP_OK and this pointer is non-NULL, it
+ * will be set to the length of the bootloader image.
+ *
+ * @return As per esp_image_load_metadata().
+ */
+esp_err_t esp_image_verify_bootloader(uint32_t *length);
 
 
 typedef struct {
@@ -139,5 +133,3 @@ typedef struct {
     uint32_t irom_load_addr;
     uint32_t irom_size;
 } esp_image_flash_mapping_t;
-
-#endif