# Bootloader component (top-level project parts) # # The bootloader is not a real component that gets linked into the project. # Instead it is an entire standalone project (in subproject/) that gets # built in the upper project's build directory. This Makefile.projbuild provides # the glue to build the bootloader project from the original project. It # basically runs Make in the subproject/ directory but it needs to # zero some variables the ESP-IDF project.mk makefile exports first, to not # let them interfere. # BOOTLOADER_COMPONENT_PATH := $(COMPONENT_PATH) BOOTLOADER_BUILD_DIR=$(abspath $(BUILD_DIR_BASE)/bootloader) BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin # signing key path is resolved relative to the project directory CONFIG_SECURE_BOOT_SIGNING_KEY ?= SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY))) export SECURE_BOOT_SIGNING_KEY # used by bootloader_support component # Has a matching value in bootloader_support esp_flash_partitions.h BOOTLOADER_OFFSET := 0x1000 # Custom recursive make for bootloader sub-project # # NB: Some variables are cleared in the environment, not # overriden, because they need to be re-defined in the child # project. BOOTLOADER_MAKE= +\ PROJECT_PATH= \ COMPONENT_DIRS= \ $(MAKE) -C $(BOOTLOADER_COMPONENT_PATH)/subproject \ V=$(V) \ BUILD_DIR_BASE=$(BOOTLOADER_BUILD_DIR) \ TEST_COMPONENTS= \ TESTS_ALL= \ EXCLUDE_COMPONENTS= .PHONY: bootloader-clean bootloader-flash bootloader-list-components bootloader $(BOOTLOADER_BIN) $(BOOTLOADER_BIN): $(SDKCONFIG_MAKEFILE) $(BOOTLOADER_MAKE) $@ clean: bootloader-clean bootloader-list-components: $(BOOTLOADER_MAKE) list-components ifndef CONFIG_SECURE_BOOT_ENABLED # If secure boot disabled, bootloader flashing is integrated # with 'make flash' and no warnings are printed. bootloader: $(BOOTLOADER_BIN) | check_python_dependencies @echo $(SEPARATOR) @echo "Bootloader built. Default flash command is:" @echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $^" ESPTOOL_ALL_FLASH_ARGS += $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN) bootloader-flash: $(BOOTLOADER_BIN) $(call prereq_if_explicit,erase_flash) | check_python_dependencies $(ESPTOOLPY_WRITE_FLASH) 0x1000 $^ else ifdef CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH # One time flashing requires user to run esptool.py command themselves, # and warning is printed about inability to reflash. # # The flashing command is deliberately printed without an auto-reset # step, so the device doesn't immediately reset to flash itself. bootloader: $(BOOTLOADER_BIN) | check_python_dependencies @echo $(SEPARATOR) @echo "Bootloader built. One-time flash command is:" @echo "$(subst hard_reset,no_reset,$(ESPTOOLPY_WRITE_FLASH)) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)" @echo $(SEPARATOR) @echo "* IMPORTANT: After first boot, BOOTLOADER CANNOT BE RE-FLASHED on same device" else ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE # Reflashable secure bootloader # generates a digest binary (bootloader + digest) ifdef CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT KEY_DIGEST_LEN=192 else KEY_DIGEST_LEN=256 endif BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key-$(KEY_DIGEST_LEN).bin ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES $(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY) | check_python_dependencies $(ESPSECUREPY) digest_private_key --keylen $(KEY_DIGEST_LEN) -k $< $@ else $(SECURE_BOOTLOADER_KEY): @echo "No pre-generated key for a reflashable secure bootloader is available, due to signing configuration." @echo "To generate one, you can use this command:" @echo "espsecure.py generate_flash_encryption_key $@" @echo "then re-run make." exit 1 endif bootloader: $(BOOTLOADER_DIGEST_BIN) @echo $(SEPARATOR) @echo "Bootloader built and secure digest generated. First time flash command is:" @echo "$(ESPEFUSEPY) burn_key secure_boot $(SECURE_BOOTLOADER_KEY)" @echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)" @echo $(SEPARATOR) @echo "To reflash the bootloader after initial flash:" @echo "$(ESPTOOLPY_WRITE_FLASH) 0x0 $(BOOTLOADER_DIGEST_BIN)" @echo $(SEPARATOR) @echo "* After first boot, only re-flashes of this kind (with same key) will be accepted." @echo "* Not recommended to re-use the same secure boot keyfile on multiple production devices." $(BOOTLOADER_DIGEST_BIN): $(BOOTLOADER_BIN) $(SECURE_BOOTLOADER_KEY) | check_python_dependencies @echo "DIGEST $(notdir $@)" $(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $< else # CONFIG_SECURE_BOOT_ENABLED && !CONFIG_SECURE_BOOTLOADER_REFLASHABLE && !CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH bootloader: @echo "Invalid bootloader target: bad sdkconfig?" @exit 1 endif ifndef CONFIG_SECURE_BOOT_ENABLED # don't build bootloader by default if secure boot is enabled all_binaries: $(BOOTLOADER_BIN) endif bootloader-clean: $(SDKCONFIG_MAKEFILE) $(BOOTLOADER_MAKE) app-clean ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE rm -f $(SECURE_BOOTLOADER_KEY) $(BOOTLOADER_DIGEST_BIN) endif