1# Bootloader component (top-level project parts) 2# 3# The bootloader is not a real component that gets linked into the project. 4# Instead it is an entire standalone project (in subproject/) that gets 5# built in the upper project's build directory. This Makefile.projbuild provides 6# the glue to build the bootloader project from the original project. It 7# basically runs Make in the subproject/ directory but it needs to 8# zero some variables the ESP-IDF project.mk makefile exports first, to not 9# let them interfere. 10# 11BOOTLOADER_COMPONENT_PATH := $(COMPONENT_PATH) 12BOOTLOADER_BUILD_DIR=$(abspath $(BUILD_DIR_BASE)/bootloader) 13BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin 14 15# signing key path is resolved relative to the project directory 16CONFIG_SECURE_BOOT_SIGNING_KEY ?= 17SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY))) 18export SECURE_BOOT_SIGNING_KEY # used by bootloader_support component 19 20BOOTLOADER_SIGNED_BIN ?= 21 22# Has a matching value in bootloader_support esp_flash_partitions.h 23BOOTLOADER_OFFSET := 0x1000 24 25# Custom recursive make for bootloader sub-project 26# 27# NB: Some variables are cleared in the environment, not 28# overriden, because they need to be re-defined in the child 29# project. 30# 31# Pass PROJECT_PATH variable, it will let the subproject look 32# for user defined bootloader component(s). 33BOOTLOADER_MAKE= +\ 34 PROJECT_PATH= \ 35 COMPONENT_DIRS= \ 36 $(MAKE) -C $(BOOTLOADER_COMPONENT_PATH)/subproject \ 37 V=$(V) \ 38 BUILD_DIR_BASE=$(BOOTLOADER_BUILD_DIR) \ 39 TEST_COMPONENTS= \ 40 TESTS_ALL= \ 41 EXCLUDE_COMPONENTS= \ 42 PROJECT_SOURCE_DIR=$(PROJECT_PATH) 43 44.PHONY: bootloader-clean bootloader-flash bootloader-list-components bootloader $(BOOTLOADER_BIN) 45 46$(BOOTLOADER_BIN): $(SDKCONFIG_MAKEFILE) 47 $(BOOTLOADER_MAKE) $@ 48 49clean: bootloader-clean 50 51bootloader-list-components: 52 $(BOOTLOADER_MAKE) list-components 53 54ifndef CONFIG_SECURE_BOOT 55# If secure boot disabled, bootloader flashing is integrated 56# with 'make flash' and no warnings are printed. 57 58bootloader: $(BOOTLOADER_BIN) | check_python_dependencies 59 @echo $(SEPARATOR) 60 @echo "Bootloader built. Default flash command is:" 61 @echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $^" 62 63ESPTOOL_ALL_FLASH_ARGS += $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN) 64UF2_ADD_BINARIES += $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN) 65 66bootloader-flash: $(BOOTLOADER_BIN) $(call prereq_if_explicit,erase_flash) | check_python_dependencies 67 $(ESPTOOLPY_WRITE_FLASH) 0x1000 $^ 68 69else ifdef CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH 70 71# One time flashing requires user to run esptool.py command themselves, 72# and warning is printed about inability to reflash. 73# 74# The flashing command is deliberately printed without an auto-reset 75# step, so the device doesn't immediately reset to flash itself. 76 77bootloader: $(BOOTLOADER_BIN) | check_python_dependencies 78 @echo $(SEPARATOR) 79 @echo "Bootloader built. One-time flash command is:" 80 @echo "$(subst hard_reset,no_reset,$(ESPTOOLPY_WRITE_FLASH)) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)" 81 @echo $(SEPARATOR) 82 @echo "* IMPORTANT: After first boot, BOOTLOADER CANNOT BE RE-FLASHED on same device" 83 84else ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE 85# Reflashable secure bootloader 86# generates a digest binary (bootloader + digest) 87 88ifdef CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT 89KEY_DIGEST_LEN=192 90else 91KEY_DIGEST_LEN=256 92endif 93 94BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin 95SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key-$(KEY_DIGEST_LEN).bin 96 97ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES 98$(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY) | check_python_dependencies 99 $(ESPSECUREPY) digest_private_key --keylen $(KEY_DIGEST_LEN) -k $< $@ 100else 101$(SECURE_BOOTLOADER_KEY): 102 @echo "No pre-generated key for a reflashable secure bootloader is available, due to signing configuration." 103 @echo "To generate one, you can use this command:" 104 @echo "espsecure.py generate_flash_encryption_key $@" 105 @echo "then re-run make." 106 exit 1 107endif 108 109bootloader: $(BOOTLOADER_DIGEST_BIN) 110 @echo $(SEPARATOR) 111 @echo "Bootloader built and secure digest generated. First time flash command is:" 112 @echo "$(ESPEFUSEPY) burn_key secure_boot_v1 $(SECURE_BOOTLOADER_KEY)" 113 @echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)" 114 @echo $(SEPARATOR) 115 @echo "To reflash the bootloader after initial flash:" 116 @echo "$(ESPTOOLPY_WRITE_FLASH) 0x0 $(BOOTLOADER_DIGEST_BIN)" 117 @echo $(SEPARATOR) 118 @echo "* After first boot, only re-flashes of this kind (with same key) will be accepted." 119 @echo "* Not recommended to re-use the same secure boot keyfile on multiple production devices." 120 121$(BOOTLOADER_DIGEST_BIN): $(BOOTLOADER_BIN) $(SECURE_BOOTLOADER_KEY) | check_python_dependencies 122 @echo "DIGEST $(notdir $@)" 123 $(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $< 124 125else ifdef CONFIG_SECURE_BOOT_V2_ENABLED 126BOOTLOADER_SIGNED_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-signed.bin 127ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES 128bootloader: $(BOOTLOADER_BIN) $(SDKCONFIG_MAKEFILE) | check_python_dependencies 129 $(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) --version 2 \ 130 -o $(BOOTLOADER_SIGNED_BIN) $(BOOTLOADER_BIN) 131else 132bootloader: $(BOOTLOADER_BIN) $(SDKCONFIG_MAKEFILE) | check_python_dependencies 133 @echo "Bootloader not signed. Sign the bootloader before flashing." 134 @echo "To sign the bootloader, you can use this command:" 135 @echo "espsecure.py sign_data --keyfile SECURE_BOOT_SIGNING_KEY --version 2 $(BOOTLOADER_BIN)" 136endif 137 @echo $(SEPARATOR) 138 @echo "Use the following command to flash the bootloader:" 139ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES 140 @echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_SIGNED_BIN)" 141else 142 @echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)" 143endif 144 @echo $(SEPARATOR) 145 146else # CONFIG_SECURE_BOOT && !CONFIG_SECURE_BOOTLOADER_REFLASHABLE \ 147&& !CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH && !CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME 148bootloader: 149 @echo "Invalid bootloader target: bad sdkconfig?" 150 @exit 1 151endif 152 153ifndef CONFIG_SECURE_BOOT 154# don't build bootloader by default if secure boot is enabled 155all_binaries: $(BOOTLOADER_BIN) 156endif 157 158bootloader-clean: $(SDKCONFIG_MAKEFILE) 159 $(BOOTLOADER_MAKE) app-clean 160ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE 161 rm -f $(SECURE_BOOTLOADER_KEY) $(BOOTLOADER_DIGEST_BIN) 162endif 163ifdef CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME 164ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES 165 rm -f $(BOOTLOADER_SIGNED_BIN) 166endif 167endif 168
