604 Commits

Author SHA1 Message Date
Konstantin Kondrashov
d65c091ad8 fix(bootloader): Hide bootloader anti-rollback Kconfig where not supported 2026-07-06 13:58:39 +03:00
Sudeep Mohanty
ec4b87da4f fix(bootloader/cmakev2): exclude all paths matching BOOTLOADER_IGNORE_EXTRA_COMPONENT
Walk every directory contributed via BOOTLOADER_EXTRA_COMPONENT_DIRS
(both shared and direct component paths, not only those under the
application's bootloader_components/) and exclude any whose component
name matches BOOTLOADER_IGNORE_EXTRA_COMPONENT.
2026-07-01 13:17:25 +02:00
harshal.patil
100084bd61 change(bootloader): validate secure boot signing key type at configure time
The signing step (espsecure sign-data) derives the signature block type
from the key file itself, so selecting e.g. the RSA app signing scheme
with an ECDSA signing key produced a successfully built image that only
failed signature verification at boot.

Check the key at configure time and fail with a clear error when:

- the key family (RSA vs ECDSA) does not match the selected app signing
  scheme
- the ECDSA curve does not match the selected ECDSA key size for the
  ECDSA (V1/V2) schemes
- the key cannot be parsed as an unencrypted PEM private key
2026-06-29 16:59:52 +05:30
harshal.patil
6b417e9d47 fix(esp_common/esp_fault): make ESP_FAULT_ASSERT survive optimization
ESP_FAULT_ASSERT(C) was silently deleted by the optimizer when C is a cached
flag/status already proven by a preceding `if (!C) return/goto`: the compiler
folds C to a constant and drops all three checks, removing the fault-injection
protection with no warning.
2026-06-17 16:45:29 +05:30
Sudeep Mohanty
832ad05a46 ci(bootloader): silence expected SECURE_BOOT_SIGNING_KEY CMake warning
Reference SECURE_BOOT_SIGNING_KEY in the bootloader subproject so CMake
does not warn about a manually-specified-but-unused variable when the
sign-key consumers are in config-gated blocks. Ports the same fix the
v1 subproject CMakeLists already has at line 119-120.
2026-06-15 14:58:46 +02:00
Konstantin Kondrashov
ec956162ab Merge branch 'fix/idfgh-17712-bootloader-extra-components' into 'master'
fix(bootloader): discover BOOTLOADER_EXTRA_COMPONENT_DIRS in cmake v1

Closes IDFGH-17712

See merge request espressif/esp-idf!49243
2026-06-15 15:27:18 +03:00
Konstantin Kondrashov
dcd9dbc0dc fix(bootloader): handle extra component dirs in v1 subproject
Closes https://github.com/espressif/esp-idf/issues/18651
2026-06-15 10:13:09 +03:00
Mahavir Jain
efb28b55ca fix(bootloader): place esp_crypto_clk in loader IRAM section
Commit 69d548c8 ("feat(esp_security): suppoer s31 security clock
management") introduced a new esp_crypto_clk source file in esp_security
but did not add it to the bootloader loader IRAM input sections. As a
result the crypto clock code was not placed in the loader IRAM region,
causing a regression on targets that use it during bootloader load.

Add *libesp_security.a:esp_crypto_clk.* to the bootloader sections
linker fragments for all targets that carry the esp_security.a
dependency (esp32c5, esp32p4, esp32s31), placed alongside
esp_crypto_periph_clk.
2026-06-15 11:36:30 +05:30
Mahavir Jain
e1713f44fb Merge branch 'fix/sb_digest_revocation_workflow' into 'master'
change(bootloader): honor SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS during first boot

See merge request espressif/esp-idf!49553
2026-06-11 13:34:01 +05:30
Mahavir Jain
8da7627526 change(bootloader): honor SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS during first boot
Previously the bootloader unconditionally revoked unused secure boot key
digest slots while permanently enabling secure boot on the first boot,
ignoring CONFIG_SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS. Now the config is
honored on this path too: when set, the unused digest slots are left
un-revoked. This is safe as long as the debug and download interfaces are
disabled.

Update the Kconfig help and the Secure Boot v2 guide (en and zh_CN)
accordingly.
2026-06-10 13:09:10 +05:30
Aditya Patwardhan
ebc4806085 Merge branch 'fix/disable_secure_boot_v2_ecdsa' into 'master'
Fix/disable secure boot v2 ecdsa

See merge request espressif/esp-idf!48834
2026-06-09 23:46:11 +05:30
Aditya Patwardhan
67e10e2b56 change(secure_boot): mark ECDSA based Secure Boot V2 as insecure on affected SoCs
ECDSA based Secure Boot V2 is not functional for certain input vectors on
ESP32-C5/C61/H2/P4 and on the preview targets ESP32-H4/H21. RSA based Secure
Boot V2 is the recommended scheme where the SoC supports it. This issue will be
fixed in a future hardware ECO revision; more details will be shared through the
hardware errata document.

A new hidden Kconfig option SECURE_BOOT_V2_ECDSA_INSECURE marks the affected
mass-production SoCs (ESP32-C5/C61/H2/P4). On these SoCs, when hardware Secure
Boot V2 is enabled, the ECDSA (V2) signing scheme is no longer offered by
default; it must be turned on explicitly via SECURE_BOOT_V2_FORCE_ENABLE_ECDSA
under "Allow potentially insecure options" (CONFIG_SECURE_BOOT_INSECURE). App
signing without hardware Secure Boot is not affected. Note that ESP32-C61 has no
RSA based Secure Boot V2, so it has no Secure Boot scheme enabled by default.

The preview targets ESP32-H4 and ESP32-H21 mark ECDSA Secure Boot V2 as not
supported in their SoC capabilities instead of using the option above. As
ESP32-H4 has no other Secure Boot V2 scheme, Secure Boot is disabled entirely on
it; ESP32-H21 retains RSA based Secure Boot V2.

The security documentation keeps the ECDSA Secure Boot V2 content visible and
adds a warning describing the limitation (including that ECDSA Secure Boot V2 on
ESP32-C61 is not recommended for production). CI apps that exercise ECDSA Secure
Boot V2 on the affected SoCs set CONFIG_SECURE_BOOT_V2_FORCE_ENABLE_ECDSA
accordingly.
2026-06-09 16:55:57 +05:30
Sudeep Mohanty
3b4fbbb531 fix(cmakev2/bootloader): link bootloader_components discovered from EXTRA_COMPONENT_DIRS
idf_build_executable only links the COMPONENTS list and its
dependencies. However, bootloader_components provided by the application
get discovered, but not linked. This MR forces the extra components for
the bootloader to be linked to the bootloader binary as there is no way
for the application to specify the same.
2026-06-05 16:09:57 +02:00
Ashish Sharma
cd38d68bd1 feat(bootloader_support): remove P192 curve support 2026-04-30 18:04:00 +08:00
Marius Vikhammer
6af582c260 change(rom): add rom caps for bootloader in flash offset 2026-04-29 10:58:50 +08:00
nilesh.kale
b3243dc6de feat: enable HMAC peripheral support for ESP32-H4 2026-04-09 14:29:57 +05:30
Alexey Lapshin
a1cbc20a91 feat(bootloader): split linker scripts into memory and sections
Replaced per-target bootloader.ld.in with bootloader.memory.ld.in and
bootloader.sections.ld.in.

Common code moved to file bootloader.sections.common.ld

Unify ESP32-P4 ECO4- and ECO4+ linker scripts into one shared script
Revision-specific code is selected with CONFIG_ESP32P4_SELECTS_REV_LESS_V3
2026-04-03 11:40:33 +07:00
Frantisek Hrbata
32d31d72a3 Merge branch 'feat/cmakev2_bootloader' into 'master'
feat(cmakev2): build bootloader using the cmakev2 build system

Closes IDF-15433

See merge request espressif/esp-idf!46465
2026-04-01 10:29:05 +02:00
Laukik Hase
9e21a52202 fix(soc): Correct the ESP32-C61 ROM stack start address 2026-03-30 12:46:58 +05:30
Frantisek Hrbata
3ba07d507e fix(cmakev2/bootloader): use bootloader.bin when signing is not enabled
When CONFIG_SECURE_BOOT_V2_ENABLED=y but
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is not set, produce the
binary directly as bootloader.bin instead of bootloader-unsigned.bin.

This matches the v1 behavior where the intermediate binary name is
conditional: bootloader-unsigned.bin only when build-time signing is
enabled (so the signed output can be named bootloader.bin), otherwise
the output is bootloader.bin directly.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2026-03-27 19:18:11 +08:00
Frantisek Hrbata
c6c1293d0c fix(cmakev2/project): guard compiler optimization flags with build property
The __init_project_configuration() function in cmakev2's project.cmake
unconditionally applied app-level compiler optimization flags based on
CONFIG_COMPILER_OPTIMIZATION_* Kconfig options. When the bootloader
subproject was built with cmakev2, these app-level flags leaked into the
bootloader compile command alongside the correct bootloader-specific
flags from CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_*.

For example, with the default configuration (app: DEBUG, bootloader:
SIZE), the bootloader received both "-Og -fno-shrink-wrap" (from app
config) and "-Os -freorder-blocks" (from bootloader config). While GCC
uses the last -O flag (-Os wins), the stray -fno-shrink-wrap persisted.

Introduce a SET_COMPILER_OPTIMIZATION build property that defaults to
YES when unset. Subprojects that manage their own optimization flags
(like the bootloader) can set this to NO before calling
idf_project_init() to prevent the default optimization flags from being
applied. This keeps project.cmake generic without requiring it to know
about specific subproject types.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2026-03-27 19:18:11 +08:00
Frantisek Hrbata
6416f75581 feat(bootloader): build bootloader using cmakev2
Add CMakeLists_v2.txt to the bootloader subproject, implementing the
bootloader build using the new cmakev2 IDF build framework.

The file covers the full bootloader build pipeline:
- Sets PROJECT_COMPONENTS_SOURCE to "idf_components" so that the
  subproject's built-in components (main/, components/) are treated as
  IDF components (priority 0) rather than project components (priority
  3).  This preserves the cmakev1 behaviour where user-supplied
  components in bootloader_components/ can override the built-in ones.
- Registers optional user-supplied bootloader components from the
  application project's bootloader_components/ directory, with support
  for selectively excluding individual components via
  IGNORE_EXTRA_COMPONENT.
- Bootstraps the cmakev2 framework (idf.cmake) and initialises the
  project with BOOTLOADER_BUILD and NON_OS_BUILD properties, which are
  also exposed as C preprocessor definitions.
- Sets GENERATE_SDKCONFIG to 0 to prevent the bootloader subproject
  from regenerating the main project's sdkconfig, as the bootloader
  has a different set of components and hence different Kconfig files.
- Sets the common implicit component dependencies shared by every
  bootloader component (log, esp_rom, esp_common, esp_hw_support,
  esp_libc, arch-specific component).
- Applies the compiler options specific for bootloader
- Selects the correct target-specific linker script, including a
  separate script for ESP32-P4 silicon revisions < v3.
- Links the bootloader ELF via idf_build_executable and then converts it
  to a flat binary via one of three paths depending on the secure boot
  configuration:
    * No secure boot: plain binary + size check + metadata.
    * Secure Boot V1 one-time-flash: plain binary with post-build
      instructions showing the esptool.py flash command.
    * Secure Boot V1 reflashable: derives the symmetric eFuse key from
      the ECDSA signing key, produces the reflash-digest image, and
      prints burn/flash instructions.
    * Secure Boot V2: produces an unsigned binary, optionally signs it
      with the configured signing key (RSA-PSS 3072, ECDSA P-256, or
      ECDSA P-384) via idf_sign_binary, and prints flash/multi-key
      signing instructions.
- Adds comprehensive inline documentation explaining each section's
  purpose, the rationale behind individual flags, and the relationships
  between Kconfig symbols and generated artefacts.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2026-03-27 19:18:11 +08:00
Frantisek Hrbata
413a0615bf fix(bootloader): remove CMAKE_CURRENT_LIST_DIR from bootloader_extra_component_dirs
`CMAKE_CURRENT_LIST_DIR` is actually `components/bootloader`, so it
doesn’t need to be passed via `EXTRA_COMPONENT_DIRS`: the build already
recognizes it as an esp-idf component.

In **cmakev1**, this is silently ignored: if a component with the same
name already exists, its directory is updated and the previous directory
is stored in the `COMPONENT_OVERRIDEN_DIR` component property.

In **cmakev2**, this is correctly detected and reported.

CMake Warning at /home/fhrbata/work/esp-idf/tools/cmakev2/utilities.cmake:63 (message):
   IDF: Component 'bootloader' directory '/home/fhrbata/work/esp-idf/components/bootloader'
   with higher priority 'project_extra_components' will be used instead of component directory
   '/home/fhrbata/work/esp-idf/components/bootloader' with lower priority 'idf_components'
Call Stack (most recent call first):
  /home/fhrbata/work/esp-idf/tools/cmakev2/component.cmake:625 (idf_warn)
  /home/fhrbata/work/esp-idf/tools/cmakev2/idf.cmake:411 (__init_component)
  /home/fhrbata/work/esp-idf/tools/cmakev2/project.cmake:580 (__init_components)
  CMakeLists_v2.txt:28 (idf_project_init)
  CMakeLists.txt:19 (include)

Since it doesn’t make sense to explicitly add the bootloader as an extra
component, remove it.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2026-03-27 19:18:11 +08:00
hebinglin
474d89b4c2 fix(clk): update H21 ECO1 to use 64MHz clock for mspi 2026-03-25 15:38:49 +08:00
Meet Patel
fd951bfdba Merge branch 'refactor/wdt_soc_supported_guard' into 'master'
refactor(system): wrap WDT code under SOC_WDT_SUPPORTED

Closes IDF-14860

See merge request espressif/esp-idf!46457
2026-03-25 09:47:58 +05:30
Meet Patel
c4e2fe2c8b refactor(system): guard WDT with SoC capability macros
Wrap MWDT-related code under SOC_WDT_SUPPORTED so targets without a main
watchdog can compile.

Add SOC_RTC_WDT_SUPPORTED for RTC watchdog usage (bootloader, slow-clock
paths) and regenerate Kconfig.soc_caps.in. Bootloader RWDT setup stays
under SOC_RTC_WDT_SUPPORTED; MWDT flashboot teardown stays under
SOC_WDT_SUPPORTED.

ESP_INT_WDT, ESP_TASK_WDT_EN, and BOOTLOADER_WDT_ENABLE depend on
SOC_WDT_SUPPORTED where applicable. Build xt_wdt.c only when
SOC_XT_WDT_SUPPORTED. Provide no-op panic WDT helpers when
SOC_WDT_SUPPORTED is disabled.
2026-03-24 14:57:43 +05:30
Mahavir Jain
229a8a78fb docs: clarify anti-rollback secure version bits for c2/c5 2026-03-23 16:21:26 +05:30
Ashish Sharma
d8b02883dc fix(secure_boot): marks 192 bit support curve legacy 2026-03-17 10:25:44 +08:00
Song Ruo Jing
600bf5b6d7 refactor(esp_hal_regi2c): move regi2c implementation from esp_rom to esp_hal_regi2c 2026-03-10 15:08:51 +08:00
nilesh.kale
10cbacfb19 fix(bootloader_support): added ecdsa curve validation during secure boot
This commit added ECDSA key curve validation between
curve selected in menuconfig and key provided.
2026-03-03 12:53:27 +05:30
armando
3d9e2ec948 ci(p4): use eco6 by default 2026-02-09 16:27:57 +08:00
morris
a4f6980e1f Merge branch 'refactor/create_esp_hal_security' into 'master'
refactor: Created esp_hal_security component

Closes IDF-14086

See merge request espressif/esp-idf!44253
2026-01-22 11:56:46 +08:00
Aditya Patwardhan
eb4a871eca refactor(esp_hal_security): Updated esp_hal_security build and includes 2026-01-21 10:02:44 +05:30
Xiao Xufeng
6ab0540658 fix(esp32p4): fix rom and ld misuse min_rev 2026-01-19 16:58:16 +08:00
Song Ruo Jing
215c9993bf fix(clk): update H4 to use 64MHz clock for mspi
And add pll clock ref count
2026-01-04 14:07:01 +08:00
Chen Jichang
8702d5c986 feat(clk): support clk tree on h4mp 2026-01-04 14:07:01 +08:00
Mahavir Jain
5979ca3d14 feat(bootloader): add config to force secure boot already init case
Mostly helpful in testing scenarios. The newly added config
SECURE_BOOT_REQUIRE_ALREADY_ENABLED will ensure the SB feature must
already be enabled, otherwise the bootloader simply fails to boot.
2025-12-30 10:06:51 +05:30
wuzhenghui
4125fd68ac fix(esp_system): fix rom secure boot fast wake feature for c5/c6/h2/h21 2025-12-12 16:04:20 +08:00
morris
af02c173fb refactor(soc): remove soc_caps_full.h 2025-12-04 10:48:07 +08:00
morris
3865eb1f3f Merge branch 'refactor/wdt_rom_impl' into 'master'
refactor(hal_wdt): esp_hal_wdt also maintains the ROM implementation

See merge request espressif/esp-idf!43891
2025-12-04 00:19:11 +08:00
C.S.M
0c4cf75c35 feat(esp32s31): Introduce esp32s31 hello world 2025-12-02 10:44:16 +08:00
morris
3d31f510d0 refactor(hal_wdt): esp_hal_wdt also maintains the ROM implementation 2025-12-01 23:16:09 +08:00
Harshal Patil
0debe71b3d Merge branch 'feat/flash_enc_using_key_manager' into 'master'
Support Flash Encryption using Key Manager

Closes IDF-13462 and IDF-14278

See merge request espressif/esp-idf!41879
2025-11-13 07:55:15 +05:30
harshal.patil
0c3c284819 feat(bootloader_support): Support FE XTS-AES-256 using Key Manager for ESP32-C5 2025-11-11 12:23:27 +05:30
harshal.patil
540c719c66 change(esp_key_mgr): Make Key Manager driver bootloader compatible
- Independent of heap
2025-11-11 12:23:26 +05:30
harshal.patil
8abea3c537 feat(bootloader_support): Support Flash Encryption using Key Manager 2025-11-11 12:23:25 +05:30
harshal.patil
3090e91e60 fix(esp_security): Set WR_DIS_SECURE_BOOT_SHA384_EN by default when
Flash Encryption Release mode is enabled and Secure Boot P384 scheme not is enabled.
2025-11-05 08:39:55 +05:30
harshal.patil
9840685b2d fix(build_system): Add Bootloader and Partition Table as dependencies for encrypted-flash
- If ESP-TEE is enabled, also add it as the dependency for the encrypted-flash target
2025-10-31 14:15:26 +05:30
Marius Vikhammer
a257812e14 feat(stdio): added esp_stdio component
esp_stdio contains everything the old esp_vfs_console contained (the vfs stdio glue layer)
as well as other functionality related to stdio (previously referred to as console)
2025-10-16 10:01:59 +08:00
morris
56c3dc4755 feat(wdt): graduate watch dog hal driver into a new component: esp_hal_wdt 2025-10-14 11:44:32 +08:00