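# Bootloader component (top-level project parts)
#
# The bootloader is not a real component that gets linked into the project.
# Instead it is an entire standalone project (in subproject/) that gets
# built in the upper project's build directory. This Makefile.projbuild provides
# the glue to build the bootloader project from the original project. It
# basically runs Make in the subproject/ directory, but first it needs to
# zero some variables that the ESP-IDF project.mk makefile exports, so that
# they do not interfere.
#
BOOTLOADER_COMPONENT_PATH := $(COMPONENT_PATH)
BOOTLOADER_BUILD_DIR=$(abspath $(BUILD_DIR_BASE)/bootloader)
BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin

# Signing key path is resolved relative to the project directory.
#
# NOTE(review): if CONFIG_SECURE_BOOT_SIGNING_KEY is unset, $(abspath) of the
# empty string is empty as well (assuming dequote passes an empty value
# through), and the signing rules below hand that empty value to espsecure.py
# without checking it.
CONFIG_SECURE_BOOT_SIGNING_KEY ?=
SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY)))
# Exported because the bootloader_support component uses it.
export SECURE_BOOT_SIGNING_KEY

BOOTLOADER_SIGNED_BIN ?=

# Has a matching value in bootloader_support esp_flash_partitions.h
BOOTLOADER_OFFSET := 0x1000

# Custom recursive make for bootloader sub-project
#
# NB: Some variables are cleared in the environment, not
# overridden, because they need to be re-defined in the child
# project.
#
# The leading '+' makes the recipe line run even under 'make -n', as is
# usual for recursive $(MAKE) invocations.
BOOTLOADER_MAKE= +\
	PROJECT_PATH= \
	COMPONENT_DIRS= \
	$(MAKE) -C $(BOOTLOADER_COMPONENT_PATH)/subproject \
	V=$(V) \
	BUILD_DIR_BASE=$(BOOTLOADER_BUILD_DIR) \
	TEST_COMPONENTS= \
	TESTS_ALL= \
	EXCLUDE_COMPONENTS=

# $(BOOTLOADER_BIN) is declared phony, so its recipe (the sub-make) runs on
# every build; presumably the sub-project then decides what is out of date.
.PHONY: bootloader-clean bootloader-flash bootloader-list-components bootloader $(BOOTLOADER_BIN)

$(BOOTLOADER_BIN): $(SDKCONFIG_MAKEFILE)
	$(BOOTLOADER_MAKE) $@

clean: bootloader-clean

bootloader-list-components:
	$(BOOTLOADER_MAKE) list-components

ifndef CONFIG_SECURE_BOOT
# If secure boot disabled, bootloader flashing is integrated
# with 'make flash' and no warnings are printed.

bootloader: $(BOOTLOADER_BIN) | check_python_dependencies
	@echo $(SEPARATOR)
	@echo "Bootloader built. Default flash command is:"
	@echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $^"

ESPTOOL_ALL_FLASH_ARGS += $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)
UF2_ADD_BINARIES += $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)

# Uses $(BOOTLOADER_OFFSET) rather than a repeated literal, so the address
# that is flashed always matches the one printed by the 'bootloader' target
# and the one added to ESPTOOL_ALL_FLASH_ARGS.
bootloader-flash: $(BOOTLOADER_BIN) $(call prereq_if_explicit,erase_flash) | check_python_dependencies
	$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $^

else ifdef CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH

# One time flashing requires user to run esptool.py command themselves,
# and warning is printed about inability to reflash.
#
# The flashing command is deliberately printed without an auto-reset
# step, so the device doesn't immediately reset to flash itself.

bootloader: $(BOOTLOADER_BIN) | check_python_dependencies
	@echo $(SEPARATOR)
	@echo "Bootloader built. One-time flash command is:"
	@echo "$(subst hard_reset,no_reset,$(ESPTOOLPY_WRITE_FLASH)) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)"
	@echo $(SEPARATOR)
	@echo "* IMPORTANT: After first boot, BOOTLOADER CANNOT BE RE-FLASHED on same device"

else ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE
# Reflashable secure bootloader
# generates a digest binary (bootloader + digest)

# KEY_DIGEST_LEN is passed as --keylen to 'digest_private_key' and is also
# part of the key file name.
ifdef CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT
KEY_DIGEST_LEN=192
else
KEY_DIGEST_LEN=256
endif

BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
# This file is what the printed 'burn_key secure_boot_v1' command burns into
# the device, and what 'digest_secure_bootloader' uses to produce an image the
# device accepts. Treat it as key material: it lives in the build directory,
# so keep build output out of shared artifacts and version control.
SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key-$(KEY_DIGEST_LEN).bin

ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
# Key is derived from the signing key, so it can be regenerated at any time.
$(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY) | check_python_dependencies
	$(ESPSECUREPY) digest_private_key --keylen $(KEY_DIGEST_LEN) -k $< $@
else
# No signing key is available to the build: the key file has to be supplied
# by the user, so the rule only prints instructions and fails.
$(SECURE_BOOTLOADER_KEY):
	@echo "No pre-generated key for a reflashable secure bootloader is available, due to signing configuration."
	@echo "To generate one, you can use this command:"
	@echo "espsecure.py generate_flash_encryption_key $@"
	@echo "then re-run make."
	exit 1
endif

bootloader: $(BOOTLOADER_DIGEST_BIN)
	@echo $(SEPARATOR)
	@echo "Bootloader built and secure digest generated. First time flash command is:"
	@echo "$(ESPEFUSEPY) burn_key secure_boot_v1 $(SECURE_BOOTLOADER_KEY)"
	@echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)"
	@echo $(SEPARATOR)
	@echo "To reflash the bootloader after initial flash:"
	@echo "$(ESPTOOLPY_WRITE_FLASH) 0x0 $(BOOTLOADER_DIGEST_BIN)"
	@echo $(SEPARATOR)
	@echo "* After first boot, only re-flashes of this kind (with same key) will be accepted."
	@echo "* Not recommended to re-use the same secure boot keyfile on multiple production devices."

$(BOOTLOADER_DIGEST_BIN): $(BOOTLOADER_BIN) $(SECURE_BOOTLOADER_KEY) | check_python_dependencies
	@echo "DIGEST $(notdir $@)"
	$(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $<

else ifdef CONFIG_SECURE_BOOT_V2_ENABLED
# Secure boot V2: the bootloader image itself is signed. With
# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES the build signs it using
# SECURE_BOOT_SIGNING_KEY; otherwise the image is left unsigned and only the
# signing command is printed. In that command SECURE_BOOT_SIGNING_KEY is a
# literal placeholder for the user's key file, not a Make variable.
BOOTLOADER_SIGNED_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-signed.bin
ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
bootloader: $(BOOTLOADER_BIN) $(SDKCONFIG_MAKEFILE) | check_python_dependencies
	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) --version 2 \
		-o $(BOOTLOADER_SIGNED_BIN) $(BOOTLOADER_BIN)
else
bootloader: $(BOOTLOADER_BIN) $(SDKCONFIG_MAKEFILE) | check_python_dependencies
	@echo "Bootloader not signed. Sign the bootloader before flashing."
	@echo "To sign the bootloader, you can use this command:"
	@echo "espsecure.py sign_data --keyfile SECURE_BOOT_SIGNING_KEY --version 2 $(BOOTLOADER_BIN)"
endif
	@echo $(SEPARATOR)
	@echo "Use the following command to flash the bootloader:"
ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
	@echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_SIGNED_BIN)"
else
	@echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)"
endif
	@echo $(SEPARATOR)

else # CONFIG_SECURE_BOOT && !CONFIG_SECURE_BOOTLOADER_REFLASHABLE \
&& !CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH && !CONFIG_SECURE_BOOT_V2_ENABLED
# Secure boot is enabled but no known scheme is selected: fail instead of
# building a bootloader with an undefined security configuration.
bootloader:
	@echo "Invalid bootloader target: bad sdkconfig?"
	@exit 1
endif

ifndef CONFIG_SECURE_BOOT
# don't build bootloader by default if secure boot is enabled
all_binaries: $(BOOTLOADER_BIN)
endif

# NOTE(review): in the reflashable configuration this also deletes
# $(SECURE_BOOTLOADER_KEY). When CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is
# off, that file was generated by hand and cannot be re-derived; per the
# messages printed by the 'bootloader' target, only reflashes made with the
# same key are accepted after first boot. Keep a copy of the key outside the
# build directory before running 'make clean'.
bootloader-clean: $(SDKCONFIG_MAKEFILE)
	$(BOOTLOADER_MAKE) app-clean
ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE
	rm -f $(SECURE_BOOTLOADER_KEY) $(BOOTLOADER_DIGEST_BIN)
endif
ifdef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME
ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
	rm -f $(BOOTLOADER_SIGNED_BIN)
endif
endif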