CMake : Secure Boot support added

components/bootloader/project_include.cmake

@@ -1,3 +1,24 @@
+# This is for tracking the top level project path
+if(BOOTLOADER_BUILD)
+    set(main_project_path "${CMAKE_BINARY_DIR}/../..")
+else()
+    set(main_project_path "${PROJECT_PATH}")
+endif()
+
+get_filename_component(secure_boot_signing_key
+    "${CONFIG_SECURE_BOOT_SIGNING_KEY}"
+    ABSOLUTE BASE_DIR "${main_project_path}")
+if(NOT EXISTS ${secure_boot_signing_key})
+    # If the signing key is not found, create a phony gen_secure_boot_signing_key target that
+    # fails the build. fail_at_build_time also touches CMakeCache.txt to cause a cmake run next time
+    # (to pick up a new signing key if one exists, etc.)
+    fail_at_build_time(gen_secure_boot_signing_key
+        "Secure Boot Signing Key ${CONFIG_SECURE_BOOT_SIGNING_KEY} does not exist. Generate using:"
+        "\tespsecure.py generate_signing_key ${CONFIG_SECURE_BOOT_SIGNING_KEY}")
+else()
+    add_custom_target(gen_secure_boot_signing_key)
+endif()
+
 if(BOOTLOADER_BUILD)
     return()  # don't keep recursing!
 endif()
@@ -13,16 +34,34 @@ set(bootloader_binary_files
     "${bootloader_build_dir}/bootloader.map"
     )
 
-externalproject_add(bootloader
-    # TODO: support overriding the bootloader in COMPONENT_PATHS
-    SOURCE_DIR "${IDF_PATH}/components/bootloader/subproject"
-    BINARY_DIR "${bootloader_build_dir}"
-    CMAKE_ARGS  -DSDKCONFIG=${SDKCONFIG} -DIDF_PATH=${IDF_PATH} -DEXTRA_COMPONENT_DIRS=${COMPONENT_DIRS}
-                -DTESTS_ALL=0 -DTEST_COMPONENTS=""
-    INSTALL_COMMAND ""
-    BUILD_ALWAYS 1  # no easy way around this...
-    BUILD_BYPRODUCTS ${bootloader_binary_files}
-    )
+# These additional files may get generated
+if(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
+    set(bootloader_binary_files
+        ${bootloader_binary_files}
+        "${bootloader_build_dir}/bootloader-reflash-digest.bin"
+        "${bootloader_build_dir}/secure-bootloader-key-192.bin"
+        "${bootloader_build_dir}/secure-bootloader-key-256.bin"
+        )
+endif()
+
+if((NOT CONFIG_SECURE_BOOT_ENABLED) OR
+    CONFIG_SECURE_BOOTLOADER_REFLASHABLE OR
+    CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH)
+    externalproject_add(bootloader
+        # TODO: support overriding the bootloader in COMPONENT_PATHS
+        SOURCE_DIR "${IDF_PATH}/components/bootloader/subproject"
+        BINARY_DIR "${bootloader_build_dir}"
+        CMAKE_ARGS  -DSDKCONFIG=${SDKCONFIG} -DIDF_PATH=${IDF_PATH} -DEXTRA_COMPONENT_DIRS=${COMPONENT_DIRS}
+                    -DTESTS_ALL=0 -DTEST_COMPONENTS=""
+                    -DSECURE_BOOT_SIGNING_KEY=${secure_boot_signing_key}
+        INSTALL_COMMAND ""
+        BUILD_ALWAYS 1  # no easy way around this...
+        BUILD_BYPRODUCTS ${bootloader_binary_files}
+        DEPENDS gen_secure_boot_signing_key
+        )
+else()
+    fail_at_build_time(bootloader "Invalid bootloader target: bad sdkconfig?")
+endif()
 
 # this is a hack due to an (annoying) shortcoming in cmake, it can't
 # extend the 'clean' target to the external project

components/bootloader/subproject/CMakeLists.txt

@@ -26,3 +26,104 @@ target_linker_script(bootloader.elf
 target_linker_script(bootloader.elf ${ESP32_BOOTLOADER_LINKER_SCRIPTS})
 
 target_link_libraries(bootloader.elf gcc)
+
+set(secure_boot_signing_key ${SECURE_BOOT_SIGNING_KEY})
+
+string(REPLACE ";" " " espsecurepy "${ESPSECUREPY}")
+string(REPLACE ";" " " espefusepy "${ESPEFUSEPY}")
+set(esptoolpy_write_flash "${ESPTOOLPY_WRITE_FLASH_STR}")
+
+if(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
+    if(CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT)
+        set(key_digest_len 192)
+    else()
+        set(key_digest_len 256)
+    endif()
+
+    get_filename_component(bootloader_digest_bin
+        "bootloader-reflash-digest.bin"
+        ABSOLUTE BASE_DIR "${CMAKE_BINARY_DIR}")
+
+    get_filename_component(secure_bootloader_key
+        "secure-bootloader-key-${key_digest_len}.bin"
+        ABSOLUTE BASE_DIR "${CMAKE_BINARY_DIR}")
+
+    add_custom_command(OUTPUT "${secure_bootloader_key}"
+        COMMAND ${ESPSECUREPY} digest_private_key
+            --keylen "${key_digest_len}"
+            --keyfile "${secure_boot_signing_key}"
+            "${secure_bootloader_key}"
+        VERBATIM)
+
+    if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
+        add_custom_target(gen_secure_bootloader_key ALL DEPENDS "${secure_bootloader_key}")
+    else()
+        if(NOT EXISTS "${secure_bootloader_key}")
+            message(FATAL_ERROR
+                "No pre-generated key for a reflashable secure bootloader is available, "
+                "due to signing configuration."
+                "\nTo generate one, you can use this command:"
+                "\n\t${espsecurepy} generate_flash_encryption_key ${secure_bootloader_key}"
+                "\nIf a signing key is present, then instead use:"
+                "\n\t${ESPSECUREPY} digest_private_key "
+                "--keylen (192/256) --keyfile KEYFILE "
+                "${secure_bootloader_key}")
+        endif()
+        add_custom_target(gen_secure_bootloader_key)
+    endif()
+
+    add_custom_command(OUTPUT "${bootloader_digest_bin}"
+        COMMAND ${CMAKE_COMMAND} -E echo "DIGEST ${bootloader_digest_bin}"
+        COMMAND ${ESPSECUREPY} digest_secure_bootloader --keyfile "${secure_bootloader_key}"
+            -o "${bootloader_digest_bin}" "${CMAKE_BINARY_DIR}/bootloader.bin"
+        DEPENDS gen_secure_bootloader_key "${CMAKE_BINARY_DIR}/bootloader.bin"
+        VERBATIM)
+
+    add_custom_target (gen_bootloader_digest_bin ALL DEPENDS "${bootloader_digest_bin}")
+endif()
+
+if(CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH)
+    add_custom_command(TARGET bootloader POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "=============================================================================="
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "Bootloader built. Secure boot enabled, so bootloader not flashed automatically."
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "One-time flash command is:"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "\t${esptoolpy_write_flash} ${BOOTLOADER_OFFSET} ${CMAKE_BINARY_DIR}/bootloader.bin"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "* IMPORTANT: After first boot, BOOTLOADER CANNOT BE RE-FLASHED on same device"
+        VERBATIM)
+
+elseif(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
+    add_custom_command(TARGET bootloader POST_BUILD
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "=============================================================================="
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "Bootloader built and secure digest generated."
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "Secure boot enabled, so bootloader not flashed automatically."
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "Burn secure boot key to efuse using:"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "\t${espefusepy} burn_key secure_boot ${secure_bootloader_key}"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "First time flash command is:"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "\t${esptoolpy_write_flash} ${BOOTLOADER_OFFSET} ${CMAKE_BINARY_DIR}/bootloader.bin"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "=============================================================================="
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "To reflash the bootloader after initial flash:"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "\t${esptoolpy_write_flash} 0x0 ${bootloader_digest_bin}"
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "=============================================================================="
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "* After first boot, only re-flashes of this kind (with same key) will be accepted."
+        COMMAND ${CMAKE_COMMAND} -E echo
+            "* Not recommended to re-use the same secure boot keyfile on multiple production devices."
+        DEPENDS gen_secure_bootloader_key gen_bootloader_digest_bin
+        VERBATIM)
+endif()