From 2592a0534d04de98ff88b47a1040c905a373b3a6 Mon Sep 17 00:00:00 2001
From: KonstantinKondrashov
Date: Thu, 15 Oct 2020 16:48:23 +0800
Subject: [PATCH 1/2] bootloader: Secure_boot name replaced by secure_boot_v1 & secure_boot_v2
- espefuse.py burn_key secure_boot is no longer used.
- Secure boot V1: espefuse.py burn_key secure_boot_v1 file.bin
- Secure boot V2: espefuse.py burn_key secure_boot_v2 file.bin
---
 components/bootloader/Makefile.projbuild | 2 +-
 components/bootloader/subproject/CMakeLists.txt | 2 +-
 components/esptool_py/esptool | 2 +-
 docs/en/security/secure-boot-v1.rst | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/components/bootloader/Makefile.projbuild b/components/bootloader/Makefile.projbuild
index 60c1626caa..ffd8f43c85 100644
--- a/components/bootloader/Makefile.projbuild
+++ b/components/bootloader/Makefile.projbuild
@@ -102,7 +102,7 @@ endif
 bootloader: $(BOOTLOADER_DIGEST_BIN)
 @echo $(SEPARATOR)
 @echo "Bootloader built and secure digest generated. First time flash command is:"
- @echo "$(ESPEFUSEPY) burn_key secure_boot $(SECURE_BOOTLOADER_KEY)"
+ @echo "$(ESPEFUSEPY) burn_key secure_boot_v1 $(SECURE_BOOTLOADER_KEY)"
 @echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)"
 @echo $(SEPARATOR)
 @echo "To reflash the bootloader after initial flash:"
diff --git a/components/bootloader/subproject/CMakeLists.txt b/components/bootloader/subproject/CMakeLists.txt
index 5d967bd9a7..7cab186da3 100644
--- a/components/bootloader/subproject/CMakeLists.txt
+++ b/components/bootloader/subproject/CMakeLists.txt
@@ -147,7 +147,7 @@ elseif(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
 COMMAND ${CMAKE_COMMAND} -E echo
 "Burn secure boot key to efuse using:"
 COMMAND ${CMAKE_COMMAND} -E echo
- "\t${espefusepy} burn_key secure_boot ${secure_bootloader_key}"
+ "\t${espefusepy} burn_key secure_boot_v1 ${secure_bootloader_key}"
 COMMAND ${CMAKE_COMMAND} -E echo
 "First time flash command is:"
 COMMAND ${CMAKE_COMMAND} -E echo
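Review bot: The echoed `burn_key secure_boot_v1` line in the `bootloader` recipe hard-codes the V1 key-block name, and the conditional that selects this recipe lies outside the hunk, so it cannot be confirmed from here that the message is only printed for Secure Boot V1 builds. The documentation change in this same patch states that flashing the key is a one-time-only process, so a copy-pasted command naming the wrong block is costly. I would add a comment above the `bootloader:` rule, `# Secure Boot V1 key only; a V2 key is burned with 'burn_key secure_boot_v2'`, and confirm the guard. The same hard-coded name appears under `elseif(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)` in the components/bootloader/subproject/CMakeLists.txt hunk.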
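Review bot: On the changed line, `${secure_bootloader_key}` is expanded unquoted inside the echoed command, so when the key file path contains a space the printed `burn_key secure_boot_v1` command will not work as pasted. Since this is the command users copy to write the key to efuse, I would print the path quoted: `"\t${espefusepy} burn_key secure_boot_v1 \"${secure_bootloader_key}\""`. The enclosing custom command starts and ends outside the hunk, so whether it sets `VERBATIM` is not visible; how the escaped quotes are echoed depends on that.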
diff --git a/components/esptool_py/esptool b/components/esptool_py/esptool
index 10225816df..456384ca33 160000
--- a/components/esptool_py/esptool
+++ b/components/esptool_py/esptool
@@ -1 +1 @@
-Subproject commit 10225816df4c9c1b078e677e8a75a87778786ad1
+Subproject commit 456384ca330f7bee6510d1690f89465845d705e8
diff --git a/docs/en/security/secure-boot-v1.rst b/docs/en/security/secure-boot-v1.rst
index c85b4bdf92..1dba04cb4d 100644
--- a/docs/en/security/secure-boot-v1.rst
+++ b/docs/en/security/secure-boot-v1.rst
@@ -144,7 +144,7 @@ To enable a reflashable bootloader:
 2. Follow the steps shown above to choose a signing key file, and generate the key file.
-3. Run ``idf.py bootloader``. A binary key file will be created, derived from the private key that is used for signing. Two sets of flashing steps will be printed - the first set of steps includes an ``espefuse.py burn_key`` command which is used to write the bootloader key to efuse. (Flashing this key is a one-time-only process.) The second set of steps can be used to reflash the bootloader with a pre-calculated digest (generated during the build process).
+3. Run ``idf.py bootloader``. A binary key file will be created, derived from the private key that is used for signing. Two sets of flashing steps will be printed - the first set of steps includes an ``espefuse.py burn_key secure_boot_v1 path_to/secure-bootloader-key-xxx.bin`` command which is used to write the bootloader key to efuse. (Flashing this key is a one-time-only process.) The second set of steps can be used to reflash the bootloader with a pre-calculated digest (generated during the build process).
 4. Resume from :ref:`Step 6 of the one-time flashing process `, to flash the bootloader and enable secure boot. Watch the console log output closely to ensure there were no errors in the secure boot configuration.
From 03c72909a39a105a4ab7f116df50a6cb01e0912a Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Thu, 5 Nov 2020 10:37:03 +1100
Subject: [PATCH 2/2] esptool: Update to v3.0 release version
---
 .gitlab-ci.yml | 2 +-
 components/esptool_py/esptool | 2 +-
 requirements.txt | 5 ++++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4d65439b14..a34aa37207 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -45,7 +45,7 @@ variables:
 CI_TARGET_TEST_CONFIG_FILE: "$CI_PROJECT_DIR/tools/ci/config/target-test.yml"
 # Versioned esp-idf-doc env image to use for all document building jobs
- ESP_IDF_DOC_ENV_IMAGE: "$CI_DOCKER_REGISTRY/esp-idf-doc-env:v5"
+ ESP_IDF_DOC_ENV_IMAGE: "$CI_DOCKER_REGISTRY/esp-idf-doc-env:v7"
 # before each job, we need to check if this job is filtered by bot stage/job filter
diff --git a/components/esptool_py/esptool b/components/esptool_py/esptool
index 456384ca33..4fa0bd7b0d 160000
--- a/components/esptool_py/esptool
+++ b/components/esptool_py/esptool
@@ -1 +1 @@
-Subproject commit 456384ca330f7bee6510d1690f89465845d705e8
+Subproject commit 4fa0bd7b0d1f69f5ff22b043adc07c5e562a8931
diff --git a/requirements.txt b/requirements.txt
index c410758a2c..76e9c6b549 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,8 +16,11 @@ gdbgui==0.13.2.0
 # Windows is not supported since 0.14.0.0. See https://github.com/cs01/gdbgui/issues/348
 pygdbmi<=0.9.0.2
 # The pygdbmi required max version 0.9.0.2 since 0.9.0.3 is not copatible with latest gdbgui (>=0.13.2.0)
-reedsolo==1.5.3
+
+# esptool requirements (see components/esptool_py/esptool/setup.py)
+reedsolo>=1.5.3,<=1.5.4
 bitstring>=3.1.6
+ecdsa>=0.16.0
 # windows-curses are required in Windows command line but cannot be installed in MSYS2. A requirement like
 # "windows-curses; sys_platform == 'win32'" would want to install the package on both of them. There is no environment
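Review bot: The added `ecdsa>=0.16.0` line in the requirements.txt hunk has no upper bound (like the existing `bitstring>=3.1.6`), and the `reedsolo` pin is relaxed from an exact version to a range, so two installs of the same commit can resolve different versions of the packages the esptool submodule depends on. For a reproducible tool environment I would bound the new entry in the style of the reedsolo line, e.g. `ecdsa>=0.16.0,<0.17` (example bound, to be checked against components/esptool_py/esptool/setup.py), or keep exact versions in a separate constraints file. The added comment says these ranges follow setup.py in the submodule, so they need re-checking whenever the submodule pointer moves, as it does in this patch.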