Secure boot: Option for app & partition table signing to happen outside build system

2025-11-03 00:21:44 +01:00 · 2016-12-19 13:06:21 +11:00
parent d246836cfc
commit d6fafd00db
8 changed files with 94 additions and 10 deletions
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -69,9 +69,20 @@ config SECURE_BOOTLOADER_REFLASHABLE

 endchoice

-config SECURE_BOOT_SIGNING_KEY
-     string "Secure boot signing key"
+config SECURE_BOOT_BUILD_SIGNED_BINARIES
+     bool "Sign binaries during build"
     depends on SECURE_BOOT_ENABLED
+     default y
+     help
+        Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
+
+        If enabled, these binary files are signed as part of the build process. The file named in "Secure boot private signing key" will be used to sign the image.
+
+        If disabled, unsigned app/partition data will be built. They must be signed manually using espsecure.py (for example, on a remote signing server.)
+
+config SECURE_BOOT_SIGNING_KEY
+     string "Secure boot private signing key"
+     depends on SECURE_BOOT_BUILD_SIGNED_BINARIES
     default secure_boot_signing_key.pem
     help
        Path to the key file used to sign partition tables and app images for secure boot. Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
@@ -85,6 +96,20 @@ config SECURE_BOOT_SIGNING_KEY

        See docs/security/secure-boot.rst for details.

+config SECURE_BOOT_VERIFICATION_KEY
+    string "Secure boot public signature verification key"
+    depends on SECURE_BOOT_ENABLED && !SECURE_BOOT_BUILD_SIGNED_BINARIES
+    default signature_verification_key.bin
+    help
+       Path to a public key file used to verify signed images. This key is compiled into the bootloader,
+       and may also be used to verify signatures on OTA images after download.
+
+       Key file is in raw binary format, and can be extracted from a
+       PEM formatted private key using the espsecure.py
+       extract_public_key command.
+
+       See docs/security/secure-boot.rst for details.
+
 config SECURE_BOOT_INSECURE
    bool "Allow potentially insecure options"
    depends on SECURE_BOOT_ENABLED
--- a/components/bootloader/Makefile.projbuild
+++ b/components/bootloader/Makefile.projbuild
@@ -65,8 +65,17 @@ else ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE
 BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
 SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key.bin

+ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
 $(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY)
-	$(Q) $(ESPSECUREPY) digest_private_key -k $< $@
+	$(ESPSECUREPY) digest_private_key -k $< $@
+else
+$(SECURE_BOOTLOADER_KEY):
+	@echo "No pre-generated key for a reflashable secure bootloader is available, due to signing configuration."
+	@echo "To generate one, you can use this command:"
+	@echo "espsecure.py generate_flash_encryption_key $@"
+	@echo "then re-run make."
+	exit 1
+endif

 bootloader: $(BOOTLOADER_DIGEST_BIN)
 	@echo $(SEPARATOR)