esp-idf/components/bootloader_support/component.mk

COMPONENT_ADD_INCLUDEDIRS := include

ifdef IS_BOOTLOADER_BUILD
# share "include_bootloader" headers with bootloader main component
COMPONENT_ADD_INCLUDEDIRS += include_bootloader
else
COMPONENT_PRIV_INCLUDEDIRS := include_bootloader
endif

COMPONENT_SRCDIRS := src \
			src/secure_boot_v2 \
			src/secure_boot_v1

ifndef IS_BOOTLOADER_BUILD
COMPONENT_SRCDIRS += src/idf  # idf sub-directory contains platform agnostic IDF versions
else
COMPONENT_SRCDIRS += src/$(IDF_TARGET)  # one sub-dir per chip
ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
COMPONENT_SRCDIRS += src/flash_encryption
endif
endif

ifndef IS_BOOTLOADER_BUILD
COMPONENT_OBJEXCLUDE := src/bootloader_init.o \
			src/bootloader_panic.o \
			src/bootloader_clock_loader.o \
			src/bootloader_console.o \
			src/bootloader_console_loader.o
endif

COMPONENT_OBJEXCLUDE += src/bootloader_flash_config_esp32s2.o \
			src/bootloader_flash_config_esp32s3.o \
			src/bootloader_flash_config_esp32c3.o \
			src/bootloader_efuse_esp32s2.o \
			src/bootloader_efuse_esp32s3.o \
			src/bootloader_efuse_esp32c3.o \
			src/bootloader_random_esp32s2.o \
			src/bootloader_random_esp32s3.o \
			src/bootloader_random_esp32c3.o

ifdef IS_BOOTLOADER_BUILD
	ifndef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
		COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_bootloader.o
	endif

	ifndef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
		COMPONENT_OBJEXCLUDE += src/secure_boot_v2/secure_boot_signatures_bootloader.o
	endif

	ifndef CONFIG_SECURE_BOOT_V1_ENABLED
		COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot.o
	endif

	ifndef CONFIG_SECURE_BOOT_V2_ENABLED
		COMPONENT_OBJEXCLUDE += src/secure_boot_v2/secure_boot.o
	endif

	ifndef CONFIG_SECURE_BOOT
		COMPONENT_OBJEXCLUDE += src/${IDF_TARGET}/secure_boot_secure_features.o
	endif

	ifndef CONFIG_SECURE_FLASH_ENC_ENABLED
		COMPONENT_OBJEXCLUDE += src/${IDF_TARGET}/flash_encryption_secure_features.o
	endif

	COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_app.o \
				src/secure_boot_v2/secure_boot_signatures_app.o
else
	ifndef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
		COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_app.o
	endif

	ifndef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
		COMPONENT_OBJEXCLUDE += src/secure_boot_v2/secure_boot_signatures_app.o
	endif

	COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_bootloader.o \
				src/secure_boot_v1/secure_boot.o \
				src/secure_boot_v2/secure_boot_signatures_bootloader.o \
				src/secure_boot_v2/secure_boot.o
endif # IS_BOOTLOADER_BUILD

#
# Secure boot signing key support
#
ifdef CONFIG_SECURE_SIGNED_APPS

ifdef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
# this path is created relative to the component build directory
SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)

ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
# verification key derived from signing key.
$(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY) $(SDKCONFIG_MAKEFILE)
	$(ESPSECUREPY) extract_public_key --keyfile $< $@
else
# find the configured public key file
ORIG_SECURE_BOOT_VERIFICATION_KEY := $(call resolvepath,$(call dequote,$(CONFIG_SECURE_BOOT_VERIFICATION_KEY)),$(PROJECT_PATH))

$(ORIG_SECURE_BOOT_VERIFICATION_KEY):
	@echo "Secure boot verification public key '$@' missing."
	@echo "This can be extracted from the private signing key, see"
	@echo "docs/security/secure-boot-v1.rst for details."
	exit 1

# copy it into the build dir, so the secure boot verification key has
# a predictable file name
$(SECURE_BOOT_VERIFICATION_KEY): $(ORIG_SECURE_BOOT_VERIFICATION_KEY) $(SDKCONFIG_MAKEFILE)
	$(summary) CP $< $@
	cp $< $@
endif #CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES

COMPONENT_EXTRA_CLEAN += $(SECURE_BOOT_VERIFICATION_KEY)

COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)

endif #CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
endif #CONFIG_SECURE_SIGNED_APPS
Refactor existing bootloader common functionality into bootloader_support component 2016-11-02 10:41:58 +11:00			`COMPONENT_ADD_INCLUDEDIRS := include`

			`ifdef IS_BOOTLOADER_BUILD`
bootloader_support: Rename include_priv directory to include_bootloader Old rationale for "priv" no longer applies. As reported here: https://esp32.com/viewtopic.php?f=13&t=6155&p=27151#p26601 2018-07-03 12:18:20 +10:00			`# share "include_bootloader" headers with bootloader main component`
			`COMPONENT_ADD_INCLUDEDIRS += include_bootloader`
			`else`
			`COMPONENT_PRIV_INCLUDEDIRS := include_bootloader`
Refactor existing bootloader common functionality into bootloader_support component 2016-11-02 10:41:58 +11:00			`endif`

bootloader: Fix error in Make build system when signature options is on 2021-04-10 20:45:25 +08:00			`COMPONENT_SRCDIRS := src \`
			`src/secure_boot_v2 \`
			`src/secure_boot_v1`
Refactor existing bootloader common functionality into bootloader_support component 2016-11-02 10:41:58 +11:00
make bootloader_support depend on IDF_TARGET 1. move chip-specific code(e.g. encryption) into IDF_TARGET directory 2. splict app-only code to idf directory which won't be compiled into bootloader 2019-04-16 17:01:31 +08:00			`ifndef IS_BOOTLOADER_BUILD`
			`COMPONENT_SRCDIRS += src/idf # idf sub-directory contains platform agnostic IDF versions`
			`else`
			`COMPONENT_SRCDIRS += src/$(IDF_TARGET) # one sub-dir per chip`
efuse(esp32): Deprecate esp_efuse_burn_new_values() & esp_efuse_write_random_key() These functions were used only for esp32 in secure_boot and flash encryption. Use idf efuse APIs instead of efuse regs. 2021-06-17 07:21:36 +08:00			`ifdef CONFIG_SECURE_FLASH_ENC_ENABLED`
			`COMPONENT_SRCDIRS += src/flash_encryption`
			`endif`
make bootloader_support depend on IDF_TARGET 1. move chip-specific code(e.g. encryption) into IDF_TARGET directory 2. splict app-only code to idf directory which won't be compiled into bootloader 2019-04-16 17:01:31 +08:00			`endif`

bootloader_support: exclude bootloader_init.c when building app Depending on link order of libraries, bootloader implementation of __assert_func could be linked instead of the one provided by newlib. 2018-09-30 12:27:06 +08:00			`ifndef IS_BOOTLOADER_BUILD`
bootloader: fix section placement issues found by the check script Summary of changes: - bootloader_clock split into _clock_init and _clock_loader. Only esp_clk_apb_freq is in *_clock_loader. - bootloader_common moved out of loader; functions needed in loader (or, referenced from bootloader_utility) were moved into bootloader_common_loader.c. - assert and abort moved into bootloader_panic, made part of the loader - rtc_clk and rtc_time made part of loader 2020-07-08 10:42:50 +02:00			`COMPONENT_OBJEXCLUDE := src/bootloader_init.o \`
			`src/bootloader_panic.o \`
			`src/bootloader_clock_loader.o \`
			`src/bootloader_console.o \`
			`src/bootloader_console_loader.o`
bootloader_support: exclude bootloader_init.c when building app Depending on link order of libraries, bootloader implementation of __assert_func could be linked instead of the one provided by newlib. 2018-09-30 12:27:06 +08:00			`endif`

global: rename esp32s2beta to esp32s2 2020-01-17 11:47:08 +08:00			`COMPONENT_OBJEXCLUDE += src/bootloader_flash_config_esp32s2.o \`
bootloader_support makefile: Use consistent indentation 2020-10-14 11:47:07 +11:00			`src/bootloader_flash_config_esp32s3.o \`
bootloader_support: added esp32-c3 support 2020-12-01 21:34:53 +08:00			`src/bootloader_flash_config_esp32c3.o \`
bootloader_support makefile: Use consistent indentation 2020-10-14 11:47:07 +11:00			`src/bootloader_efuse_esp32s2.o \`
			`src/bootloader_efuse_esp32s3.o \`
bootloader_support: added esp32-c3 support 2020-12-01 21:34:53 +08:00			`src/bootloader_efuse_esp32c3.o \`
bootloader_support makefile: Use consistent indentation 2020-10-14 11:47:07 +11:00			`src/bootloader_random_esp32s2.o \`
bootloader_support: added esp32-c3 support 2020-12-01 21:34:53 +08:00			`src/bootloader_random_esp32s3.o \`
			`src/bootloader_random_esp32c3.o`
Cleanup of previous merge commit 2019-08-09 15:26:49 +10:00
bootloader: Fix error in Make build system when signature options is on 2021-04-10 20:45:25 +08:00			`ifdef IS_BOOTLOADER_BUILD`
			`ifndef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME`
			`COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_bootloader.o`
			`endif`
secure_boot: Secure Boot V2 verify app signature on update (without Secure boot) - ESP32 ECO3, ESP32-S2/C3/S3 2021-03-05 22:22:29 +08:00
bootloader: Fix error in Make build system when signature options is on 2021-04-10 20:45:25 +08:00			`ifndef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME`
			`COMPONENT_OBJEXCLUDE += src/secure_boot_v2/secure_boot_signatures_bootloader.o`
			`endif`
efuse(esp32): Deprecate esp_efuse_burn_new_values() & esp_efuse_write_random_key() These functions were used only for esp32 in secure_boot and flash encryption. Use idf efuse APIs instead of efuse regs. 2021-06-17 07:21:36 +08:00
			`ifndef CONFIG_SECURE_BOOT_V1_ENABLED`
			`COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot.o`
			`endif`

			`ifndef CONFIG_SECURE_BOOT_V2_ENABLED`
			`COMPONENT_OBJEXCLUDE += src/secure_boot_v2/secure_boot.o`
			`endif`

			`ifndef CONFIG_SECURE_BOOT`
			`COMPONENT_OBJEXCLUDE += src/${IDF_TARGET}/secure_boot_secure_features.o`
			`endif`

			`ifndef CONFIG_SECURE_FLASH_ENC_ENABLED`
			`COMPONENT_OBJEXCLUDE += src/${IDF_TARGET}/flash_encryption_secure_features.o`
			`endif`

bootloader: Fix error in Make build system when signature options is on 2021-04-10 20:45:25 +08:00			`COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_app.o \`
			`src/secure_boot_v2/secure_boot_signatures_app.o`
			`else`
			`ifndef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME`
			`COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_app.o`
			`endif`

			`ifndef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME`
			`COMPONENT_OBJEXCLUDE += src/secure_boot_v2/secure_boot_signatures_app.o`
			`endif`
efuse(esp32): Deprecate esp_efuse_burn_new_values() & esp_efuse_write_random_key() These functions were used only for esp32 in secure_boot and flash encryption. Use idf efuse APIs instead of efuse regs. 2021-06-17 07:21:36 +08:00
bootloader: Fix error in Make build system when signature options is on 2021-04-10 20:45:25 +08:00			`COMPONENT_OBJEXCLUDE += src/secure_boot_v1/secure_boot_signatures_bootloader.o \`
efuse(esp32): Deprecate esp_efuse_burn_new_values() & esp_efuse_write_random_key() These functions were used only for esp32 in secure_boot and flash encryption. Use idf efuse APIs instead of efuse regs. 2021-06-17 07:21:36 +08:00			`src/secure_boot_v1/secure_boot.o \`
			`src/secure_boot_v2/secure_boot_signatures_bootloader.o \`
			`src/secure_boot_v2/secure_boot.o`
bootloader: Fix error in Make build system when signature options is on 2021-04-10 20:45:25 +08:00			`endif # IS_BOOTLOADER_BUILD`
feat/secure_boot_v2: Adding secure boot v2 support for ESP32-ECO3 2020-02-25 01:21:41 +05:30
Secure boot: initial image signature support 2016-11-03 17:33:30 +11:00			`#`
			`# Secure boot signing key support`
			`#`
secure boot: Support secure boot signatures without hardware secure boot Allows OTA updates to be secured via signature checks, without requiring the overhead or complexity of a full secure boot implementation. Uses same signing mechanisms (build system and/or espsecure.py as Secure Boot). Requires: * [ ] More testing * [ ] Documentation 2018-07-19 15:15:37 +10:00			`ifdef CONFIG_SECURE_SIGNED_APPS`
Secure boot: initial image signature support 2016-11-03 17:33:30 +11:00
feat/secure_boot_v2: Adding secure boot v2 support for ESP32-ECO3 2020-02-25 01:21:41 +05:30			`ifdef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME`
secure boot: Derive secure bootloader key from private key Means only one key needs to be managed. 2016-11-04 16:05:00 +11:00			`# this path is created relative to the component build directory`
Secure boot: initial image signature support 2016-11-03 17:33:30 +11:00			`SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)`

Secure boot: Option for app & partition table signing to happen outside build system 2016-12-19 13:06:21 +11:00			`ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES`
			`# verification key derived from signing key.`
			`$(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY) $(SDKCONFIG_MAKEFILE)`
Secure boot: initial image signature support 2016-11-03 17:33:30 +11:00			`$(ESPSECUREPY) extract_public_key --keyfile $< $@`
Secure boot: Option for app & partition table signing to happen outside build system 2016-12-19 13:06:21 +11:00			`else`
			`# find the configured public key file`
			`ORIG_SECURE_BOOT_VERIFICATION_KEY := $(call resolvepath,$(call dequote,$(CONFIG_SECURE_BOOT_VERIFICATION_KEY)),$(PROJECT_PATH))`

			`$(ORIG_SECURE_BOOT_VERIFICATION_KEY):`
			`@echo "Secure boot verification public key '$@' missing."`
			`@echo "This can be extracted from the private signing key, see"`
feat/secure_boot_v2: Adding secure boot v2 support for ESP32-ECO3 2020-02-25 01:21:41 +05:30			`@echo "docs/security/secure-boot-v1.rst for details."`
Secure boot: Option for app & partition table signing to happen outside build system 2016-12-19 13:06:21 +11:00			`exit 1`

			`# copy it into the build dir, so the secure boot verification key has`
			`# a predictable file name`
			`$(SECURE_BOOT_VERIFICATION_KEY): $(ORIG_SECURE_BOOT_VERIFICATION_KEY) $(SDKCONFIG_MAKEFILE)`
			`$(summary) CP $< $@`
			`cp $< $@`
make bootloader_support support esp32s2beta 2019-05-27 14:29:43 +08:00			`endif #CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES`
secure boot: Derive secure bootloader key from private key Means only one key needs to be managed. 2016-11-04 16:05:00 +11:00
			`COMPONENT_EXTRA_CLEAN += $(SECURE_BOOT_VERIFICATION_KEY)`

			`COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)`

feat/secure_boot_v2: Adding secure boot v2 support for ESP32-ECO3 2020-02-25 01:21:41 +05:30			`endif #CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME`
make bootloader_support support esp32s2beta 2019-05-27 14:29:43 +08:00			`endif #CONFIG_SECURE_SIGNED_APPS`