Walk every directory contributed via BOOTLOADER_EXTRA_COMPONENT_DIRS
(both shared and direct component paths, not only those under the
application's bootloader_components/) and exclude any whose component
name matches BOOTLOADER_IGNORE_EXTRA_COMPONENT.
The signing step (espsecure sign-data) derives the signature block type
from the key file itself, so selecting e.g. the RSA app signing scheme
with an ECDSA signing key produced a successfully built image that only
failed signature verification at boot.
Check the key at configure time and fail with a clear error when:
- the key family (RSA vs ECDSA) does not match the selected app signing
scheme
- the ECDSA curve does not match the selected ECDSA key size for the
ECDSA (V1/V2) schemes
- the key cannot be parsed as an unencrypted PEM private key
ESP_FAULT_ASSERT(C) was silently deleted by the optimizer when C is a cached
flag/status already proven by a preceding `if (!C) return/goto`: the compiler
folds C to a constant and drops all three checks, removing the fault-injection
protection with no warning.
Reference SECURE_BOOT_SIGNING_KEY in the bootloader subproject so CMake
does not warn about a manually-specified-but-unused variable when the
sign-key consumers are in config-gated blocks. Ports the same fix the
v1 subproject CMakeLists already has at line 119-120.
Commit 69d548c8 ("feat(esp_security): suppoer s31 security clock
management") introduced a new esp_crypto_clk source file in esp_security
but did not add it to the bootloader loader IRAM input sections. As a
result the crypto clock code was not placed in the loader IRAM region,
causing a regression on targets that use it during bootloader load.
Add *libesp_security.a:esp_crypto_clk.* to the bootloader sections
linker fragments for all targets that carry the esp_security.a
dependency (esp32c5, esp32p4, esp32s31), placed alongside
esp_crypto_periph_clk.
Previously the bootloader unconditionally revoked unused secure boot key
digest slots while permanently enabling secure boot on the first boot,
ignoring CONFIG_SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS. Now the config is
honored on this path too: when set, the unused digest slots are left
un-revoked. This is safe as long as the debug and download interfaces are
disabled.
Update the Kconfig help and the Secure Boot v2 guide (en and zh_CN)
accordingly.
ECDSA based Secure Boot V2 is not functional for certain input vectors on
ESP32-C5/C61/H2/P4 and on the preview targets ESP32-H4/H21. RSA based Secure
Boot V2 is the recommended scheme where the SoC supports it. This issue will be
fixed in a future hardware ECO revision; more details will be shared through the
hardware errata document.
A new hidden Kconfig option SECURE_BOOT_V2_ECDSA_INSECURE marks the affected
mass-production SoCs (ESP32-C5/C61/H2/P4). On these SoCs, when hardware Secure
Boot V2 is enabled, the ECDSA (V2) signing scheme is no longer offered by
default; it must be turned on explicitly via SECURE_BOOT_V2_FORCE_ENABLE_ECDSA
under "Allow potentially insecure options" (CONFIG_SECURE_BOOT_INSECURE). App
signing without hardware Secure Boot is not affected. Note that ESP32-C61 has no
RSA based Secure Boot V2, so it has no Secure Boot scheme enabled by default.
The preview targets ESP32-H4 and ESP32-H21 mark ECDSA Secure Boot V2 as not
supported in their SoC capabilities instead of using the option above. As
ESP32-H4 has no other Secure Boot V2 scheme, Secure Boot is disabled entirely on
it; ESP32-H21 retains RSA based Secure Boot V2.
The security documentation keeps the ECDSA Secure Boot V2 content visible and
adds a warning describing the limitation (including that ECDSA Secure Boot V2 on
ESP32-C61 is not recommended for production). CI apps that exercise ECDSA Secure
Boot V2 on the affected SoCs set CONFIG_SECURE_BOOT_V2_FORCE_ENABLE_ECDSA
accordingly.
idf_build_executable only links the COMPONENTS list and its
dependencies. However, bootloader_components provided by the application
get discovered, but not linked. This MR forces the extra components for
the bootloader to be linked to the bootloader binary as there is no way
for the application to specify the same.
Replaced per-target bootloader.ld.in with bootloader.memory.ld.in and
bootloader.sections.ld.in.
Common code moved to file bootloader.sections.common.ld
Unify ESP32-P4 ECO4- and ECO4+ linker scripts into one shared script
Revision-specific code is selected with CONFIG_ESP32P4_SELECTS_REV_LESS_V3
When CONFIG_SECURE_BOOT_V2_ENABLED=y but
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is not set, produce the
binary directly as bootloader.bin instead of bootloader-unsigned.bin.
This matches the v1 behavior where the intermediate binary name is
conditional: bootloader-unsigned.bin only when build-time signing is
enabled (so the signed output can be named bootloader.bin), otherwise
the output is bootloader.bin directly.
Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
The __init_project_configuration() function in cmakev2's project.cmake
unconditionally applied app-level compiler optimization flags based on
CONFIG_COMPILER_OPTIMIZATION_* Kconfig options. When the bootloader
subproject was built with cmakev2, these app-level flags leaked into the
bootloader compile command alongside the correct bootloader-specific
flags from CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_*.
For example, with the default configuration (app: DEBUG, bootloader:
SIZE), the bootloader received both "-Og -fno-shrink-wrap" (from app
config) and "-Os -freorder-blocks" (from bootloader config). While GCC
uses the last -O flag (-Os wins), the stray -fno-shrink-wrap persisted.
Introduce a SET_COMPILER_OPTIMIZATION build property that defaults to
YES when unset. Subprojects that manage their own optimization flags
(like the bootloader) can set this to NO before calling
idf_project_init() to prevent the default optimization flags from being
applied. This keeps project.cmake generic without requiring it to know
about specific subproject types.
Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
Add CMakeLists_v2.txt to the bootloader subproject, implementing the
bootloader build using the new cmakev2 IDF build framework.
The file covers the full bootloader build pipeline:
- Sets PROJECT_COMPONENTS_SOURCE to "idf_components" so that the
subproject's built-in components (main/, components/) are treated as
IDF components (priority 0) rather than project components (priority
3). This preserves the cmakev1 behaviour where user-supplied
components in bootloader_components/ can override the built-in ones.
- Registers optional user-supplied bootloader components from the
application project's bootloader_components/ directory, with support
for selectively excluding individual components via
IGNORE_EXTRA_COMPONENT.
- Bootstraps the cmakev2 framework (idf.cmake) and initialises the
project with BOOTLOADER_BUILD and NON_OS_BUILD properties, which are
also exposed as C preprocessor definitions.
- Sets GENERATE_SDKCONFIG to 0 to prevent the bootloader subproject
from regenerating the main project's sdkconfig, as the bootloader
has a different set of components and hence different Kconfig files.
- Sets the common implicit component dependencies shared by every
bootloader component (log, esp_rom, esp_common, esp_hw_support,
esp_libc, arch-specific component).
- Applies the compiler options specific for bootloader
- Selects the correct target-specific linker script, including a
separate script for ESP32-P4 silicon revisions < v3.
- Links the bootloader ELF via idf_build_executable and then converts it
to a flat binary via one of three paths depending on the secure boot
configuration:
* No secure boot: plain binary + size check + metadata.
* Secure Boot V1 one-time-flash: plain binary with post-build
instructions showing the esptool.py flash command.
* Secure Boot V1 reflashable: derives the symmetric eFuse key from
the ECDSA signing key, produces the reflash-digest image, and
prints burn/flash instructions.
* Secure Boot V2: produces an unsigned binary, optionally signs it
with the configured signing key (RSA-PSS 3072, ECDSA P-256, or
ECDSA P-384) via idf_sign_binary, and prints flash/multi-key
signing instructions.
- Adds comprehensive inline documentation explaining each section's
purpose, the rationale behind individual flags, and the relationships
between Kconfig symbols and generated artefacts.
Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
`CMAKE_CURRENT_LIST_DIR` is actually `components/bootloader`, so it
doesn’t need to be passed via `EXTRA_COMPONENT_DIRS`: the build already
recognizes it as an esp-idf component.
In **cmakev1**, this is silently ignored: if a component with the same
name already exists, its directory is updated and the previous directory
is stored in the `COMPONENT_OVERRIDEN_DIR` component property.
In **cmakev2**, this is correctly detected and reported.
CMake Warning at /home/fhrbata/work/esp-idf/tools/cmakev2/utilities.cmake:63 (message):
IDF: Component 'bootloader' directory '/home/fhrbata/work/esp-idf/components/bootloader'
with higher priority 'project_extra_components' will be used instead of component directory
'/home/fhrbata/work/esp-idf/components/bootloader' with lower priority 'idf_components'
Call Stack (most recent call first):
/home/fhrbata/work/esp-idf/tools/cmakev2/component.cmake:625 (idf_warn)
/home/fhrbata/work/esp-idf/tools/cmakev2/idf.cmake:411 (__init_component)
/home/fhrbata/work/esp-idf/tools/cmakev2/project.cmake:580 (__init_components)
CMakeLists_v2.txt:28 (idf_project_init)
CMakeLists.txt:19 (include)
Since it doesn’t make sense to explicitly add the bootloader as an extra
component, remove it.
Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
Wrap MWDT-related code under SOC_WDT_SUPPORTED so targets without a main
watchdog can compile.
Add SOC_RTC_WDT_SUPPORTED for RTC watchdog usage (bootloader, slow-clock
paths) and regenerate Kconfig.soc_caps.in. Bootloader RWDT setup stays
under SOC_RTC_WDT_SUPPORTED; MWDT flashboot teardown stays under
SOC_WDT_SUPPORTED.
ESP_INT_WDT, ESP_TASK_WDT_EN, and BOOTLOADER_WDT_ENABLE depend on
SOC_WDT_SUPPORTED where applicable. Build xt_wdt.c only when
SOC_XT_WDT_SUPPORTED. Provide no-op panic WDT helpers when
SOC_WDT_SUPPORTED is disabled.
Mostly helpful in testing scenarios. The newly added config
SECURE_BOOT_REQUIRE_ALREADY_ENABLED will ensure the SB feature must
already be enabled, otherwise the bootloader simply fails to boot.
esp_stdio contains everything the old esp_vfs_console contained (the vfs stdio glue layer)
as well as other functionality related to stdio (previously referred to as console)