feat/secure_boot_v2: Adding secure boot v2 support for ESP32-ECO3

components/esptool_py/CMakeLists.txt

@@ -29,7 +29,7 @@ if(NOT BOOTLOADER_BUILD)
     set(ESPTOOLPY_CHIP "${target}")
     set(ESPTOOLPY_WITH_STUB TRUE)
 
-    if(CONFIG_SECURE_BOOT_ENABLED OR CONFIG_SECURE_FLASH_ENC_ENABLED)
+    if(CONFIG_SECURE_BOOT OR CONFIG_SECURE_FLASH_ENC_ENABLED)
         # If security enabled then override post flash option
         set(ESPTOOLPY_AFTER "no_reset")
     endif()

components/esptool_py/Makefile.projbuild

@@ -29,16 +29,22 @@ else
 ESPTOOL_WRITE_FLASH_OPTIONS := $(ESPTOOL_FLASH_OPTIONS)
 endif
 
+ifdef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+ESPTOOL_WRITE_FLASH_OPTIONS := --flash_mode $(ESPFLASHMODE) --flash_freq $(ESPFLASHFREQ) --flash_size keep
+endif
+
 ESPTOOL_ELF2IMAGE_OPTIONS :=
 
 ifdef CONFIG_ESP32_REV_MIN
 ESPTOOL_ELF2IMAGE_OPTIONS += --min-rev $(CONFIG_ESP32_REV_MIN)
 endif
 
-ifdef CONFIG_SECURE_BOOT_ENABLED
 ifndef CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION
 ifndef IS_BOOTLOADER_BUILD
+ifdef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
 ESPTOOL_ELF2IMAGE_OPTIONS += --secure-pad
+else ifdef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+ESPTOOL_ELF2IMAGE_OPTIONS += --secure-pad-v2
 endif
 endif
 endif
@@ -47,6 +53,12 @@ ifndef IS_BOOTLOADER_BUILD
 ESPTOOL_ELF2IMAGE_OPTIONS += --elf-sha256-offset 0xb0
 endif
 
+ifdef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
+SECURE_APPS_SIGNING_SCHEME = "1"
+else ifdef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
+SECURE_APPS_SIGNING_SCHEME = "2"
+endif
+
 ESPTOOLPY_WRITE_FLASH=$(ESPTOOLPY_SERIAL) write_flash $(if $(CONFIG_ESPTOOLPY_COMPRESSED),-z,-u) $(ESPTOOL_WRITE_FLASH_OPTIONS)
 
 ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
@@ -61,7 +73,7 @@ ifndef IS_BOOTLOADER_BUILD
 APP_BIN_UNSIGNED := $(APP_BIN:.bin=-unsigned.bin)
 
 $(APP_BIN): $(APP_BIN_UNSIGNED) $(SECURE_BOOT_SIGNING_KEY) $(SDKCONFIG_MAKEFILE)
-	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
+	$(ESPSECUREPY) sign_data --version $(SECURE_APPS_SIGNING_SCHEME) --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
 endif
 endif
 # non-secure boot (or bootloader), both these files are the same
@@ -77,7 +89,7 @@ endif
 ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
 encrypted-flash: all_binaries $(ESPTOOLPY_SRC) $(call prereq_if_explicit,erase_flash) partition_table_get_info | check_python_dependencies
 	@echo "Flashing binaries to serial port $(ESPPORT) (app at offset $(APP_OFFSET))..."
-ifdef CONFIG_SECURE_BOOT_ENABLED
+ifdef CONFIG_SECURE_BOOT
 	@echo "(Secure boot enabled, so bootloader not flashed automatically. See 'make bootloader' output)"
 endif
 	$(ESPTOOLPY_WRITE_FLASH_ENCRYPT) $(ESPTOOL_ALL_FLASH_ARGS)
@@ -89,7 +101,7 @@ endif
 
 flash: all_binaries $(ESPTOOLPY_SRC) $(call prereq_if_explicit,erase_flash) partition_table_get_info | check_python_dependencies
 	@echo "Flashing binaries to serial port $(ESPPORT) (app at offset $(APP_OFFSET))..."
-ifdef CONFIG_SECURE_BOOT_ENABLED
+ifdef CONFIG_SECURE_BOOT
 	@echo "(Secure boot enabled, so bootloader not flashed automatically. See 'make bootloader' output)"
 endif
 	$(ESPTOOLPY_WRITE_FLASH) $(ESPTOOL_ALL_FLASH_ARGS)

components/esptool_py/project_include.cmake

@@ -22,10 +22,13 @@ if(NOT BOOTLOADER_BUILD)
     set(esptool_elf2image_args --elf-sha256-offset 0xb0)
 endif()
 
-if(CONFIG_SECURE_BOOT_ENABLED AND
-    NOT CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION
-    AND NOT BOOTLOADER_BUILD)
-    list(APPEND esptool_elf2image_args --secure-pad)
+if(NOT CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION AND
+    NOT BOOTLOADER_BUILD)
+    if(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+        list(APPEND esptool_elf2image_args --secure-pad)
+    elseif(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME)
+        list(APPEND esptool_elf2image_args --secure-pad-v2)
+    endif()
 endif()
 
 if(CONFIG_ESP32_REV_MIN)
@@ -38,6 +41,10 @@ if(CONFIG_ESPTOOLPY_FLASHSIZE_DETECT)
     set(ESPFLASHSIZE detect)
 endif()
 
+if(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME)
+    set(ESPFLASHSIZE keep)
+endif()
+
 idf_build_get_property(build_dir BUILD_DIR)
 
 idf_build_get_property(elf_name EXECUTABLE_NAME GENERATOR_EXPRESSION)
@@ -77,11 +84,17 @@ if(CONFIG_APP_BUILD_GENERATE_BINARIES)
     add_custom_target(app ALL DEPENDS gen_project_binary)
 endif()
 
+if(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
+    set(secure_boot_version "1")
+elseif(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME)
+    set(secure_boot_version "2")
+endif()
+
 if(NOT BOOTLOADER_BUILD AND CONFIG_SECURE_SIGNED_APPS)
     if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
         # for locally signed secure boot image, add a signing step to get from unsigned app to signed app
         add_custom_command(OUTPUT "${build_dir}/.signed_bin_timestamp"
-            COMMAND ${ESPSECUREPY} sign_data --keyfile ${secure_boot_signing_key}
+            COMMAND ${ESPSECUREPY} sign_data --version ${secure_boot_version} --keyfile ${secure_boot_signing_key}
                 -o "${build_dir}/${PROJECT_BIN}" "${build_dir}/${unsigned_project_binary}"
             COMMAND ${CMAKE_COMMAND} -E echo "Generated signed binary image ${build_dir}/${PROJECT_BIN}"
                                     "from ${build_dir}/${unsigned_project_binary}"
@@ -103,7 +116,8 @@ if(NOT BOOTLOADER_BUILD AND CONFIG_SECURE_SIGNED_APPS)
             COMMAND ${CMAKE_COMMAND} -E echo
                 "App built but not signed. Sign app before flashing"
             COMMAND ${CMAKE_COMMAND} -E echo
-                "\t${espsecurepy} sign_data --keyfile KEYFILE ${build_dir}/${PROJECT_BIN}"
+                "\t${espsecurepy} sign_data --keyfile KEYFILE --version ${secure_boot_version} \
+                ${build_dir}/${PROJECT_BIN}"
             VERBATIM)
     endif()
 endif()
@@ -131,7 +145,7 @@ add_custom_target(monitor
 
 set(esptool_flash_main_args "--before=${CONFIG_ESPTOOLPY_BEFORE}")
 
-if(CONFIG_SECURE_BOOT_ENABLED OR CONFIG_SECURE_FLASH_ENC_ENABLED)
+if(CONFIG_SECURE_BOOT OR CONFIG_SECURE_FLASH_ENC_ENABLED)
     # If security enabled then override post flash option
     list(APPEND esptool_flash_main_args "--after=no_reset")
 else()