| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221 |
- cmake_minimum_required(VERSION 3.5)
- if(NOT SDKCONFIG)
- message(FATAL_ERROR "Bootloader subproject expects the SDKCONFIG variable to be passed "
- "in by the parent build process.")
- endif()
- if(NOT IDF_PATH)
- message(FATAL_ERROR "Bootloader subproject expects the IDF_PATH variable to be passed "
- "in by the parent build process.")
- endif()
- if(NOT IDF_TARGET)
- message(FATAL_ERROR "Bootloader subproject expects the IDF_TARGET variable to be passed "
- "in by the parent build process.")
- endif()
- set(COMPONENTS
- bootloader
- esptool_py
- esp_hw_support
- hal
- partition_table
- soc
- bootloader_support
- log
- spi_flash
- micro-ecc
- main
- efuse
- esp_system
- newlib)
- set(BOOTLOADER_BUILD 1)
- include("${IDF_PATH}/tools/cmake/project.cmake")
- set(common_req log esp_rom esp_common esp_hw_support hal newlib)
- if(LEGACY_INCLUDE_COMMON_HEADERS)
- list(APPEND common_req soc hal)
- endif()
- idf_build_set_property(__COMPONENT_REQUIRES_COMMON "${common_req}")
- idf_build_set_property(__OUTPUT_SDKCONFIG 0)
- project(bootloader)
- idf_build_set_property(COMPILE_DEFINITIONS "-DBOOTLOADER_BUILD=1" APPEND)
- idf_build_set_property(COMPILE_OPTIONS "-fno-stack-protector" APPEND)
- idf_component_get_property(main_args esptool_py FLASH_ARGS)
- idf_component_get_property(sub_args esptool_py FLASH_SUB_ARGS)
- # String for printing flash command
- string(REPLACE ";" " " esptoolpy_write_flash
- "${ESPTOOLPY} --port=(PORT) --baud=(BAUD) ${main_args} "
- "write_flash ${sub_args}")
- string(REPLACE ";" " " espsecurepy "${ESPSECUREPY}")
- string(REPLACE ";" " " espefusepy "${ESPEFUSEPY}")
- # Suppress warning: "Manually-specified variables were not used by the project: SECURE_BOOT_SIGNING_KEY"
- set(ignore_signing_key "${SECURE_BOOT_SIGNING_KEY}")
- if(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
- if(CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT)
- set(key_digest_len 192)
- else()
- set(key_digest_len 256)
- endif()
- get_filename_component(bootloader_digest_bin
- "bootloader-reflash-digest.bin"
- ABSOLUTE BASE_DIR "${CMAKE_BINARY_DIR}")
- get_filename_component(secure_bootloader_key
- "secure-bootloader-key-${key_digest_len}.bin"
- ABSOLUTE BASE_DIR "${CMAKE_BINARY_DIR}")
- add_custom_command(OUTPUT "${secure_bootloader_key}"
- COMMAND ${ESPSECUREPY} digest_private_key
- --keylen "${key_digest_len}"
- --keyfile "${SECURE_BOOT_SIGNING_KEY}"
- "${secure_bootloader_key}"
- VERBATIM)
- if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
- add_custom_target(gen_secure_bootloader_key ALL DEPENDS "${secure_bootloader_key}")
- else()
- if(NOT EXISTS "${secure_bootloader_key}")
- message(FATAL_ERROR
- "No pre-generated key for a reflashable secure bootloader is available, "
- "due to signing configuration."
- "\nTo generate one, you can use this command:"
- "\n\t${espsecurepy} generate_flash_encryption_key ${secure_bootloader_key}"
- "\nIf a signing key is present, then instead use:"
- "\n\t${espsecurepy} digest_private_key "
- "--keylen (192/256) --keyfile KEYFILE "
- "${secure_bootloader_key}")
- endif()
- add_custom_target(gen_secure_bootloader_key)
- endif()
- add_custom_command(OUTPUT "${bootloader_digest_bin}"
- COMMAND ${CMAKE_COMMAND} -E echo "DIGEST ${bootloader_digest_bin}"
- COMMAND ${ESPSECUREPY} digest_secure_bootloader --keyfile "${secure_bootloader_key}"
- -o "${bootloader_digest_bin}" "${CMAKE_BINARY_DIR}/bootloader.bin"
- MAIN_DEPENDENCY "${CMAKE_BINARY_DIR}/.bin_timestamp"
- DEPENDS gen_secure_bootloader_key gen_project_binary
- VERBATIM)
- add_custom_target(gen_bootloader_digest_bin ALL DEPENDS "${bootloader_digest_bin}")
- endif()
- if(CONFIG_SECURE_BOOT_V2_ENABLED)
- if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
- get_filename_component(secure_boot_signing_key
- "${SECURE_BOOT_SIGNING_KEY}" ABSOLUTE BASE_DIR "${project_dir}")
- if(NOT EXISTS "${secure_boot_signing_key}")
- message(FATAL_ERROR
- "Secure Boot Signing Key Not found."
- "\nGenerate the Secure Boot V2 RSA-PSS 3072 Key."
- "\nTo generate one, you can use this command:"
- "\n\t${espsecurepy} generate_signing_key --version 2 ${SECURE_BOOT_SIGNING_KEY}")
- endif()
- set(bootloader_unsigned_bin "bootloader-unsigned.bin")
- add_custom_command(OUTPUT ".signed_bin_timestamp"
- COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_BINARY_DIR}/${PROJECT_BIN}"
- "${CMAKE_BINARY_DIR}/${bootloader_unsigned_bin}"
- COMMAND ${ESPSECUREPY} sign_data --version 2 --keyfile "${secure_boot_signing_key}"
- -o "${CMAKE_BINARY_DIR}/${PROJECT_BIN}" "${CMAKE_BINARY_DIR}/${bootloader_unsigned_bin}"
- COMMAND ${CMAKE_COMMAND} -E echo "Generated signed binary image ${build_dir}/${PROJECT_BIN}"
- "from ${CMAKE_BINARY_DIR}/${bootloader_unsigned_bin}"
- COMMAND ${CMAKE_COMMAND} -E md5sum "${CMAKE_BINARY_DIR}/${PROJECT_BIN}"
- > "${CMAKE_BINARY_DIR}/.signed_bin_timestamp"
- DEPENDS "${build_dir}/.bin_timestamp"
- VERBATIM
- COMMENT "Generated the signed Bootloader")
- else()
- add_custom_command(OUTPUT ".signed_bin_timestamp"
- VERBATIM
- COMMENT "Bootloader generated but not signed")
- endif()
- add_custom_target(gen_signed_bootloader ALL DEPENDS "${build_dir}/.signed_bin_timestamp")
- endif()
- if(CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH)
- add_custom_command(TARGET bootloader.elf POST_BUILD
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- COMMAND ${CMAKE_COMMAND} -E echo
- "Bootloader built. Secure boot enabled, so bootloader not flashed automatically."
- COMMAND ${CMAKE_COMMAND} -E echo
- "One-time flash command is:"
- COMMAND ${CMAKE_COMMAND} -E echo
- "\t${esptoolpy_write_flash} ${BOOTLOADER_OFFSET} ${CMAKE_BINARY_DIR}/bootloader.bin"
- COMMAND ${CMAKE_COMMAND} -E echo
- "* IMPORTANT: After first boot, BOOTLOADER CANNOT BE RE-FLASHED on same device"
- VERBATIM)
- elseif(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
- add_custom_command(TARGET bootloader.elf POST_BUILD
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- COMMAND ${CMAKE_COMMAND} -E echo
- "Bootloader built and secure digest generated."
- COMMAND ${CMAKE_COMMAND} -E echo
- "Secure boot enabled, so bootloader not flashed automatically."
- COMMAND ${CMAKE_COMMAND} -E echo
- "Burn secure boot key to efuse using:"
- COMMAND ${CMAKE_COMMAND} -E echo
- "\t${espefusepy} burn_key secure_boot_v1 ${secure_bootloader_key}"
- COMMAND ${CMAKE_COMMAND} -E echo
- "First time flash command is:"
- COMMAND ${CMAKE_COMMAND} -E echo
- "\t${esptoolpy_write_flash} ${BOOTLOADER_OFFSET} ${CMAKE_BINARY_DIR}/bootloader.bin"
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- COMMAND ${CMAKE_COMMAND} -E echo
- "To reflash the bootloader after initial flash:"
- COMMAND ${CMAKE_COMMAND} -E echo
- "\t${esptoolpy_write_flash} 0x0 ${bootloader_digest_bin}"
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- COMMAND ${CMAKE_COMMAND} -E echo
- "* After first boot, only re-flashes of this kind (with same key) will be accepted."
- COMMAND ${CMAKE_COMMAND} -E echo
- "* Not recommended to re-use the same secure boot keyfile on multiple production devices."
- DEPENDS gen_secure_bootloader_key gen_bootloader_digest_bin
- VERBATIM)
- elseif(CONFIG_SECURE_BOOT_V2_ENABLED AND (CONFIG_IDF_TARGET_ESP32S2 OR CONFIG_IDF_TARGET_ESP32C3))
- add_custom_command(TARGET bootloader.elf POST_BUILD
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- COMMAND ${CMAKE_COMMAND} -E echo
- "Bootloader built. Secure boot enabled, so bootloader not flashed automatically."
- COMMAND ${CMAKE_COMMAND} -E echo
- "To sign the bootloader with additional private keys."
- COMMAND ${CMAKE_COMMAND} -E echo
- "\t${espsecurepy} sign_data -k secure_boot_signing_key2.pem -v 2 \
- --append_signatures -o signed_bootloader.bin build/bootloader/bootloader.bin"
- COMMAND ${CMAKE_COMMAND} -E echo
- "Secure boot enabled, so bootloader not flashed automatically."
- COMMAND ${CMAKE_COMMAND} -E echo
- "\t${esptoolpy_write_flash} ${BOOTLOADER_OFFSET} ${CMAKE_BINARY_DIR}/bootloader.bin"
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- DEPENDS gen_signed_bootloader
- VERBATIM)
- elseif(CONFIG_SECURE_BOOT_V2_ENABLED)
- add_custom_command(TARGET bootloader.elf POST_BUILD
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- COMMAND ${CMAKE_COMMAND} -E echo
- "Bootloader built. Secure boot enabled, so bootloader not flashed automatically."
- COMMAND ${CMAKE_COMMAND} -E echo
- "Secure boot enabled, so bootloader not flashed automatically."
- COMMAND ${CMAKE_COMMAND} -E echo
- "\t${esptoolpy_write_flash} ${BOOTLOADER_OFFSET} ${CMAKE_BINARY_DIR}/bootloader.bin"
- COMMAND ${CMAKE_COMMAND} -E echo
- "=============================================================================="
- DEPENDS gen_signed_bootloader
- VERBATIM)
- endif()
|
