From 615e44f43028f522ad481346fbb98ddd12af41ce Mon Sep 17 00:00:00 2001
From: MacDue
Date: Wed, 9 Mar 2022 16:29:39 +0000
Subject: [PATCH 1/2] examples/pre_encrypted_ota: readme tweaks and link to component manager
---
examples/system/ota/pre_encrypted_ota/README.md | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/examples/system/ota/pre_encrypted_ota/README.md b/examples/system/ota/pre_encrypted_ota/README.md
index fccb4067b8..164ed5f1b7 100644
--- a/examples/system/ota/pre_encrypted_ota/README.md
+++ b/examples/system/ota/pre_encrypted_ota/README.md
@@ -1,11 +1,17 @@ # Encrypted Binary OTA -This example demonstrates OTA updates with pre-encrypted binary using `esp_encrypted_img` component's APIs and tool. Pre encrypted firmware binary must be hosted on OTA update server. This firmware will be fetched and then decrypted on device before being flashed. This allows firmware to remain `confidential` on the OTA update channel irrespective of underlying transport (e.g., non-TLS). +This example demonstrates OTA updates with pre-encrypted binary using `esp_encrypted_img` component's APIs and tool. + +Pre-encrypted firmware binary must be hosted on OTA update server. +This firmware will be fetched and then decrypted on device before being flashed. +This allows firmware to remain `confidential` on the OTA update channel irrespective of underlying transport (e.g., non-TLS). ## ESP Encrypted Image Abstraction Layer -This example uses `esp_encrypted_img` component hosted at https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img through component manager. Please refer to its documentation [here](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/README.md) for more details +This example uses `esp_encrypted_img` component hosted at [idf-extra-components/esp_encrypted_img](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img) and available though the [IDF component manager](https://components.espressif.com/component/espressif/esp_encrypted_img). + +Please refer to its documentation [here](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/README.md) for more details. ## How to use the example From f17a3491e557d31430cd476b110b714f7788d26e Mon Sep 17 00:00:00 2001 
From: MacDue Date: Wed, 9 Mar 2022 16:30:22 +0000 Subject: [PATCH 2/2] examples/pre_encrypted_ota: update to esp_encrypted_img 2.x.x --- .../pre_encrypted_ota/main/idf_component.yml | 2 +- .../main/pre_encrypted_ota.c | 24 +++++++++---------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/examples/system/ota/pre_encrypted_ota/main/idf_component.yml b/examples/system/ota/pre_encrypted_ota/main/idf_component.yml index 165565d42e..668714a2c4 100644 --- a/examples/system/ota/pre_encrypted_ota/main/idf_component.yml +++ b/examples/system/ota/pre_encrypted_ota/main/idf_component.yml @@ -1,3 +1,3 @@ dependencies: idf: ">=4.4" - espressif/esp_encrypted_img: "^1.0.0" + espressif/esp_encrypted_img: "^2.0.1" diff --git a/examples/system/ota/pre_encrypted_ota/main/pre_encrypted_ota.c b/examples/system/ota/pre_encrypted_ota/main/pre_encrypted_ota.c index 1ebca96ff9..f4d511ac2e 100644 --- a/examples/system/ota/pre_encrypted_ota/main/pre_encrypted_ota.c +++ b/examples/system/ota/pre_encrypted_ota/main/pre_encrypted_ota.c @@ -31,15 +31,15 @@ #endif static const char *TAG = "pre_encrypted_ota_example"; -extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start"); -extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end"); +extern const char server_cert_pem_start[] asm("_binary_ca_cert_pem_start"); +extern const char server_cert_pem_end[] asm("_binary_ca_cert_pem_end"); -extern const uint8_t rsa_private_pem_start[] asm("_binary_private_pem_start"); -extern const uint8_t rsa_private_pem_end[] asm("_binary_private_pem_end"); +extern const char rsa_private_pem_start[] asm("_binary_private_pem_start"); +extern const char rsa_private_pem_end[] asm("_binary_private_pem_end"); #define OTA_URL_SIZE 256 -static esp_decrypt_handle_t *ctx; +static esp_decrypt_handle_t decrypt_handle; static esp_err_t _decrypt_cb(decrypt_cb_arg_t *args) { 
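Review bot: `static esp_decrypt_handle_t decrypt_handle;` is now one decryption context shared between `pre_encrypted_ota_task` and `_decrypt_cb`, and nothing at the declaration says who creates, uses and releases it or that only one OTA may be in flight. A comment such as `/* Decryption context shared with _decrypt_cb(): created by esp_encrypted_img_decrypt_start() in the OTA task and finished by esp_encrypted_img_decrypt_end(); valid only while a single OTA is running. */` would make that contract explicit (whether decrypt_end also frees the context should be confirmed against the component). The same hunk retypes the embedded PEM symbols to `const char`, which is what lets the later hunks drop their casts; since the arrays are still consumed as start/end pairs, it is worth noting at the externs whether the embed appends a terminating NUL, because PEM parsers generally expect one — that cannot be seen from the hunk.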
@@ -47,7 +47,7 @@ static esp_err_t _decrypt_cb(decrypt_cb_arg_t *args) pre_enc_decrypt_arg_t pargs = {}; pargs.data_in = (char *) args->data_in; pargs.data_in_len = args->data_in_len; - err = esp_encrypted_img_decrypt_data(ctx, &pargs); + err = esp_encrypted_img_decrypt_data(decrypt_handle, &pargs); if (err != ESP_OK && err != ESP_ERR_NOT_FINISHED) { return err; } @@ -68,15 +68,15 @@ void pre_encrypted_ota_task(void *pvParameter) esp_err_t ota_finish_err = ESP_OK; esp_http_client_config_t config = { .url = CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL, - .cert_pem = (char *)server_cert_pem_start, + .cert_pem = server_cert_pem_start, .timeout_ms = CONFIG_EXAMPLE_OTA_RECV_TIMEOUT, .keep_alive_enable = true, }; esp_decrypt_cfg_t cfg = {}; - cfg.rsa_pub_key = (char *)rsa_private_pem_start; + cfg.rsa_pub_key = rsa_private_pem_start; cfg.rsa_pub_key_len = rsa_private_pem_end - rsa_private_pem_start; - ctx = esp_encrypted_img_decrypt_start(&cfg); - if (ctx == NULL) { + decrypt_handle = esp_encrypted_img_decrypt_start(&cfg); + if (!decrypt_handle) { ESP_LOGE(TAG, "OTA upgrade failed"); vTaskDelete(NULL); } @@ -126,11 +126,11 @@ void pre_encrypted_ota_task(void *pvParameter) ESP_LOGD(TAG, "Image bytes read: %d", esp_https_ota_get_image_len_read(https_ota_handle)); } - if (esp_https_ota_is_complete_data_received(https_ota_handle) != true) { + if (!esp_https_ota_is_complete_data_received(https_ota_handle)) { // the OTA image was not completely received and user can customise the response to this situation. ESP_LOGE(TAG, "Complete data was not received."); } else { - err = esp_encrypted_img_decrypt_end(ctx); + err = esp_encrypted_img_decrypt_end(decrypt_handle); if (err != ESP_OK) { goto ota_end; }
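Review bot: `cfg.rsa_pub_key = rsa_private_pem_start;` in the `@@ -68` hunk assigns a symbol named as a private key to a field named as a public key, and the code gives the reader no way to tell which key the device is actually meant to hold. Presumably the device carries the RSA private key that unwraps the per-image key while the build tool encrypts with the matching public key (confirm against the esp_encrypted_img 2.x documentation); a comment at the assignment, e.g. `/* Despite the field name, the device needs the RSA private key matching the public key used by the encryption tool. */`, would stop someone from shipping the wrong key material. `cfg.rsa_pub_key_len = rsa_private_pem_end - rsa_private_pem_start;` is a pointer difference whose inclusion of a trailing NUL depends on how the file is embedded, which is also worth stating in that comment once confirmed. `pre_encrypted_ota_task` starts and ends outside this hunk.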
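Review bot: In the `@@ -126` hunk only the `else` branch calls `esp_encrypted_img_decrypt_end(decrypt_handle)`; when `esp_https_ota_is_complete_data_received` reports an incomplete image the code logs and continues to `ota_end` with the decryption context never finished, so any resources that end call releases are leaked on that path (assuming it is the releasing call — confirm against the component). If the pinned 2.x version provides an abort call such as `esp_encrypted_img_decrypt_abort()`, the incomplete-data branch should invoke it; otherwise the leak should at least be documented there. After the context has been ended, `decrypt_handle` keeps its stale value at file scope, so a later `_decrypt_cb` invocation would hand the component a dangling handle; clearing it right after the end call, `err = esp_encrypted_img_decrypt_end(decrypt_handle);` followed by `decrypt_handle = NULL;`, closes that window. The enclosing `pre_encrypted_ota_task` and the `ota_end` label lie outside this hunk.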