alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-09-30 19:19:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into feature/cmake

Browse Source
This commit is contained in:
Angus Gratton
2018-09-05 10:35:04 +08:00
committed by Angus Gratton
parent 6fa52ca8fe 6d865c6104
commit b355854d4d
137 changed files with 4236 additions and 1175 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
components/bootloader/Kconfig.projbuild
View File

@@ -127,14 +127,96 @@ config BOOTLOADER_HOLD_TIME_GPIO
The GPIO must be held low continuously for this period of time after reset
before a factory reset or test partition boot (as applicable) is performed.
config BOOTLOADER_WDT_ENABLE
bool "Use RTC watchdog in start code"
default y
help
Tracks the execution time of startup code.
If the execution time is exceeded, the RTC_WDT will restart system.
It is also useful to prevent a lock up in start code caused by an unstable power source.
NOTE: Tracks the execution time starts from the bootloader code - re-set timeout, while selecting the source for slow_clk - and ends calling app_main.
Re-set timeout is needed due to WDT uses a SLOW_CLK clock source. After changing a frequency slow_clk a time of WDT needs to re-set for new frequency.
slow_clk depends on ESP32_RTC_CLOCK_SOURCE (INTERNAL_RC or EXTERNAL_CRYSTAL).
config BOOTLOADER_WDT_DISABLE_IN_USER_CODE
bool "Allows RTC watchdog disable in user code"
depends on BOOTLOADER_WDT_ENABLE
default n
help
If it is set, the client must itself reset or disable rtc_wdt in their code (app_main()).
Otherwise rtc_wdt will be disabled before calling app_main function.
Use function rtc_wdt_feed() for resetting counter of rtc_wdt.
Use function rtc_wdt_disable() for disabling rtc_wdt.
config BOOTLOADER_WDT_TIME_MS
int "Timeout for RTC watchdog (ms)"
depends on BOOTLOADER_WDT_ENABLE
default 9000
range 0 120000
help
Verify that this parameter is correct and more then the execution time.
Pay attention to options such as reset to factory, trigger test partition and encryption on boot
- these options can increase the execution time.
Note: RTC_WDT will reset while encryption operations will be performed.
endmenu # Bootloader
menu "Security features"
# These three are the actual options to check in code,
# selected by the displayed options
config SECURE_SIGNED_ON_BOOT
bool
default y
depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT
config SECURE_SIGNED_ON_UPDATE
bool
default y
depends on SECURE_BOOT_ENABLED || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
config SECURE_SIGNED_APPS
bool
default y
depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
config SECURE_SIGNED_APPS_NO_SECURE_BOOT
bool "Require signed app images"
default n
depends on !SECURE_BOOT_ENABLED
help
Require apps to be signed to verify their integrity.
This option uses the same app signature scheme as hardware secure boot, but unlike hardware secure boot it does not prevent the bootloader from being physically updated. This means that the device can be secured against remote network access, but not physical access. Compared to using hardware Secure Boot this option is much simpler to implement.
config SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT
bool "Bootloader verifies app signatures"
default n
depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT
help
If this option is set, the bootloader will be compiled with code to verify that an app is signed before booting it.
If hardware secure boot is enabled, this option is always enabled and cannot be disabled.
If hardware secure boot is not enabled, this option doesn't add significant security by itself so most users will want to leave it disabled.
config SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
bool "Verify app signature on update"
default y
depends on SECURE_SIGNED_APPS_NO_SECURE_BOOT
help
If this option is set, any OTA updated apps will have the signature verified before being considered valid.
When enabled, the signature is automatically checked whenever the esp_ota_ops.h APIs are used for OTA updates,
or esp_image_format.h APIs are used to verify apps.
If hardware secure boot is enabled, this option is always enabled and cannot be disabled.
If hardware secure boot is not enabled, this option still adds significant security against network-based attackers by preventing spoofing of OTA updates.
config SECURE_BOOT_ENABLED
bool "Enable secure boot in bootloader (READ DOCS FIRST)"
default N
bool "Enable hardware secure boot in bootloader (READ DOCS FIRST)"
default n
help
Build a bootloader which enables secure boot on first boot.
@@ -169,12 +251,12 @@ endchoice
config SECURE_BOOT_BUILD_SIGNED_BINARIES
bool "Sign binaries during build"
depends on SECURE_BOOT_ENABLED
depends on SECURE_SIGNED_APPS
default y
help
Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
Once secure boot or signed app requirement is enabled, app images are required to be signed.
If enabled, these binary files are signed as part of the build process. The file named in "Secure boot private signing key" will be used to sign the image.
If enabled (default), these binary files are signed as part of the build process. The file named in "Secure boot private signing key" will be used to sign the image.
If disabled, unsigned app/partition data will be built. They must be signed manually using espsecure.py (for example, on a remote signing server.)
@@ -183,7 +265,7 @@ config SECURE_BOOT_SIGNING_KEY
depends on SECURE_BOOT_BUILD_SIGNED_BINARIES
default secure_boot_signing_key.pem
help
Path to the key file used to sign partition tables and app images for secure boot. Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
Path to the key file used to sign app images.
Key file is an ECDSA private key (NIST256p curve) in PEM format.
@@ -196,11 +278,11 @@ config SECURE_BOOT_SIGNING_KEY
config SECURE_BOOT_VERIFICATION_KEY
string "Secure boot public signature verification key"
depends on SECURE_BOOT_ENABLED && !SECURE_BOOT_BUILD_SIGNED_BINARIES
depends on SECURE_SIGNED_APPS && !SECURE_BOOT_BUILD_SIGNED_BINARIES
default signature_verification_key.bin
help
Path to a public key file used to verify signed images. This key is compiled into the bootloader,
and may also be used to verify signatures on OTA images after download.
Path to a public key file used to verify signed images. This key is compiled into the bootloader and/or app,
to verify app images.
Key file is in raw binary format, and can be extracted from a
PEM formatted private key using the espsecure.py

2
components/bootloader/Makefile.projbuild
View File

@@ -56,7 +56,7 @@ bootloader: $(BOOTLOADER_BIN) | check_python_dependencies
ESPTOOL_ALL_FLASH_ARGS += $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)
bootloader-flash: $(BOOTLOADER_BIN) $(call prereq_if_explicit,erase_flash) check_python_dependencies
bootloader-flash: $(BOOTLOADER_BIN) $(call prereq_if_explicit,erase_flash) | check_python_dependencies
$(ESPTOOLPY_WRITE_FLASH) 0x1000 $^
else ifdef CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH

5
components/bootloader/subproject/main/esp32.bootloader.ld
View File

@@ -36,11 +36,12 @@ SECTIONS
{
. = ALIGN (16);
_stext = .;
_text_start = ABSOLUTE(.);
_loader_text_start = ABSOLUTE(.);
*(.stub .gnu.warning .gnu.linkonce.literal.* .gnu.linkonce.t.*.literal .gnu.linkonce.t.*)
*(.iram1 .iram1.*) /* catch stray IRAM_ATTR */
*liblog.a:(.literal .text .literal.* .text.*)
*libgcc.a:(.literal .text .literal.* .text.*)
*libbootloader_support.a:bootloader_common.*(.literal .text .literal.* .text.*)
*libbootloader_support.a:bootloader_flash.*(.literal .text .literal.* .text.*)
*libbootloader_support.a:bootloader_random.*(.literal .text .literal.* .text.*)
*libbootloader_support.a:bootloader_utility.*(.literal .text .literal.* .text.*)
@@ -56,7 +57,7 @@ SECTIONS
*(.fini.literal)
*(.fini)
*(.gnu.version)
_text_end = ABSOLUTE(.);
_loader_text_end = ABSOLUTE(.);
_etext = .;
} > iram_loader_seg