Files
esp-idf/tools/test_apps
Aditya Patwardhan 67e10e2b56 change(secure_boot): mark ECDSA based Secure Boot V2 as insecure on affected SoCs
ECDSA based Secure Boot V2 is not functional for certain input vectors on
ESP32-C5/C61/H2/P4 and on the preview targets ESP32-H4/H21. RSA based Secure
Boot V2 is the recommended scheme where the SoC supports it. This issue will be
fixed in a future hardware ECO revision; more details will be shared through the
hardware errata document.

A new hidden Kconfig option SECURE_BOOT_V2_ECDSA_INSECURE marks the affected
mass-production SoCs (ESP32-C5/C61/H2/P4). On these SoCs, when hardware Secure
Boot V2 is enabled, the ECDSA (V2) signing scheme is no longer offered by
default; it must be turned on explicitly via SECURE_BOOT_V2_FORCE_ENABLE_ECDSA
under "Allow potentially insecure options" (CONFIG_SECURE_BOOT_INSECURE). App
signing without hardware Secure Boot is not affected. Note that ESP32-C61 has no
RSA based Secure Boot V2, so it has no Secure Boot scheme enabled by default.

The preview targets ESP32-H4 and ESP32-H21 mark ECDSA Secure Boot V2 as not
supported in their SoC capabilities instead of using the option above. As
ESP32-H4 has no other Secure Boot V2 scheme, Secure Boot is disabled entirely on
it; ESP32-H21 retains RSA based Secure Boot V2.

The security documentation keeps the ECDSA Secure Boot V2 content visible and
adds a warning describing the limitation (including that ECDSA Secure Boot V2 on
ESP32-C61 is not recommended for production). CI apps that exercise ECDSA Secure
Boot V2 on the affected SoCs set CONFIG_SECURE_BOOT_V2_FORCE_ENABLE_ECDSA
accordingly.
2026-06-09 16:55:57 +05:30
..

Test Apps

This directory contains a set of ESP-IDF projects to be used as tests only, which aim to exercise various configuration of components to check completely arbitrary functionality should it be building only, executing under various conditions or combination with other components, including custom test frameworks.

The test apps are not intended to demonstrate the ESP-IDF functionality in any way.

Test Apps projects

Test applications are treated the same way as ESP-IDF examples, so each project directory shall contain

  • Build recipe in cmake and the main component with app sources
  • Configuration files, sdkconfig.ci and similar (see below)
  • Python test scripts, pytest_....py (optional)

Test Apps layout

The test apps should be grouped into subdirectories by category. Categories are:

  • protocols contains test of protocol interactions.
  • network contains system network tests
  • system contains tests on the internal chip features, debugging and development tools.
  • security contains tests on the chip security features.

CI Behavior

Configuration Files

For each project in test_apps (and also examples):

  • If a file sdkconfig.ci exists then it's built as the default CI config.
  • If any additional files sdkconfig.ci.<CONFIG> exist then these are built as alternative configs, with the specified <CONFIG> name.

The CI system expects to see at least a "default" config, so add sdkconfig.ci before adding any sdkconfig.ci.CONFIG files.

  • By default, every CI configurations is built for every target SoC (an m * n configuration matrix). However if any sdkconfig.ci.* file contains a line of the form CONFIG_IDF_TARGET="targetname" then that CI config is only built for that one target. This only works in sdkconfig.ci.CONFIG, not in the default sdkconfig.ci.
  • Each configuration is also built with the contents of any sdkconfig.defaults file or a file named sdkconfig.defaults.<TARGET> appended. (Same as a normal ESP-IDF project build.)

Test Apps local execution

Some of the examples have pytest_....py scripts that are using the pytest as the test framework. For detailed information, please refer to the "Run the Tests Locally" Section under ESP-IDF tests in Pytest documentation