1set(BOOTLOADER_OFFSET ${CONFIG_BOOTLOADER_OFFSET_IN_FLASH})
2
3# Do not generate flash file when building bootloader
4if(BOOTLOADER_BUILD OR NOT CONFIG_APP_BUILD_BOOTLOADER)
5    return()
6endif()
7
8# Glue to build the bootloader subproject binary as an external
9# cmake project under this one
10#
11#
12idf_build_get_property(build_dir BUILD_DIR)
13set(BOOTLOADER_BUILD_DIR "${build_dir}/bootloader")
14set(BOOTLOADER_ELF_FILE "${BOOTLOADER_BUILD_DIR}/bootloader.elf")
15set(bootloader_binary_files
16    "${BOOTLOADER_ELF_FILE}"
17    "${BOOTLOADER_BUILD_DIR}/bootloader.bin"
18    "${BOOTLOADER_BUILD_DIR}/bootloader.map"
19    )
20
21idf_build_get_property(project_dir PROJECT_DIR)
22
23# There are some additional processing when CONFIG_SECURE_SIGNED_APPS. This happens
24# when either CONFIG_SECURE_BOOT_V1_ENABLED or CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES.
25# For both cases, the user either sets binaries to be signed during build or not
26# using CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES.
27#
28# Regardless, pass the main project's keys (signing/verification) to the bootloader subproject
29# via config.
30if(CONFIG_SECURE_SIGNED_APPS)
31    add_custom_target(gen_secure_boot_keys)
32
33    if(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
34        set(secure_apps_signing_version "1")
35    elseif(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME OR CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME)
36        set(secure_apps_signing_version "2")
37    endif()
38
39    if(CONFIG_SECURE_BOOT_V1_ENABLED)
40        # Check that the configuration is sane
41        if((CONFIG_SECURE_BOOTLOADER_REFLASHABLE AND CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH) OR
42            (NOT CONFIG_SECURE_BOOTLOADER_REFLASHABLE AND NOT CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH))
43            fail_at_build_time(bootloader "Invalid bootloader target: bad sdkconfig?")
44        endif()
45
46        if(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
47            set(bootloader_binary_files
48                ${bootloader_binary_files}
49                "${BOOTLOADER_BUILD_DIR}/bootloader-reflash-digest.bin"
50                "${BOOTLOADER_BUILD_DIR}/secure-bootloader-key-192.bin"
51                "${BOOTLOADER_BUILD_DIR}/secure-bootloader-key-256.bin"
52                )
53        endif()
54    endif()
55
56    # Since keys are usually given relative to main project dir, get the absolute paths to the keys
57    # for use by the bootloader subproject. Replace the values in config with these absolute paths,
58    # so that bootloader subproject does not need to assume main project dir to obtain path to the keys.
59    if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
60        get_filename_component(secure_boot_signing_key
61            "${CONFIG_SECURE_BOOT_SIGNING_KEY}"
62            ABSOLUTE BASE_DIR "${project_dir}")
63
64        if(NOT EXISTS ${secure_boot_signing_key})
65            # If the signing key is not found, create a phony gen_secure_boot_signing_key target that
66            # fails the build. fail_at_build_time causes a cmake run next time
67            # (to pick up a new signing key if one exists, etc.)
68            if(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME)
69                fail_at_build_time(gen_secure_boot_signing_key
70                    "Secure Boot Signing Key ${CONFIG_SECURE_BOOT_SIGNING_KEY} does not exist. Generate using:"
71                    "\tespsecure.py generate_signing_key --version ${secure_apps_signing_version} \
72                    ${CONFIG_SECURE_BOOT_SIGNING_KEY}")
73            else()
74                if(CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS)
75                    set(scheme "ecdsa192")
76                elseif(CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS)
77                    set(scheme "ecdsa256")
78                endif()
79                fail_at_build_time(gen_secure_boot_signing_key
80                    "Secure Boot Signing Key ${CONFIG_SECURE_BOOT_SIGNING_KEY} does not exist. Generate using:"
81                    "\tespsecure.py generate_signing_key --version ${secure_apps_signing_version} \
82                    --scheme ${scheme} ${CONFIG_SECURE_BOOT_SIGNING_KEY}")
83            endif()
84        else()
85            add_custom_target(gen_secure_boot_signing_key)
86        endif()
87
88        set(SECURE_BOOT_SIGNING_KEY ${secure_boot_signing_key}) # needed by some other components
89        set(sign_key_arg "-DSECURE_BOOT_SIGNING_KEY=${secure_boot_signing_key}")
90        set(ver_key_arg)
91
92        add_dependencies(gen_secure_boot_keys gen_secure_boot_signing_key)
93    elseif(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
94
95        get_filename_component(secure_boot_verification_key
96            ${CONFIG_SECURE_BOOT_VERIFICATION_KEY}
97            ABSOLUTE BASE_DIR "${project_dir}")
98
99        if(NOT EXISTS ${secure_boot_verification_key})
100            # If the verification key is not found, create a phony gen_secure_boot_verification_key target that
101            # fails the build. fail_at_build_time causes a cmake run next time
102            # (to pick up a new verification key if one exists, etc.)
103            fail_at_build_time(gen_secure_boot_verification_key
104                "Secure Boot Verification Public Key ${CONFIG_SECURE_BOOT_VERIFICATION_KEY} does not exist."
105                "\tThis can be extracted from the private signing key."
106                "\tSee docs/security/secure-boot-v1.rst for details.")
107        else()
108            add_custom_target(gen_secure_boot_verification_key)
109        endif()
110
111        set(sign_key_arg)
112        set(ver_key_arg "-DSECURE_BOOT_VERIFICATION_KEY=${secure_boot_verification_key}")
113
114        add_dependencies(gen_secure_boot_keys gen_secure_boot_verification_key)
115    endif()
116else()
117    set(sign_key_arg)
118    set(ver_key_arg)
119endif()
120
121idf_build_get_property(idf_path IDF_PATH)
122idf_build_get_property(idf_target IDF_TARGET)
123idf_build_get_property(sdkconfig SDKCONFIG)
124idf_build_get_property(python PYTHON)
125idf_build_get_property(extra_cmake_args EXTRA_CMAKE_ARGS)
126
127externalproject_add(bootloader
128    SOURCE_DIR "${CMAKE_CURRENT_LIST_DIR}/subproject"
129    BINARY_DIR "${BOOTLOADER_BUILD_DIR}"
130    CMAKE_ARGS  -DSDKCONFIG=${sdkconfig} -DIDF_PATH=${idf_path} -DIDF_TARGET=${idf_target}
131                -DPYTHON_DEPS_CHECKED=1 -DPYTHON=${python}
132                -DEXTRA_COMPONENT_DIRS=${CMAKE_CURRENT_LIST_DIR}
133                -DPROJECT_SOURCE_DIR=${PROJECT_SOURCE_DIR}
134                ${sign_key_arg} ${ver_key_arg}
135                ${extra_cmake_args}
136    INSTALL_COMMAND ""
137    BUILD_ALWAYS 1  # no easy way around this...
138    BUILD_BYPRODUCTS ${bootloader_binary_files}
139    )
140
141if(CONFIG_SECURE_SIGNED_APPS)
142    add_dependencies(bootloader gen_secure_boot_keys)
143endif()
144
145# this is a hack due to an (annoying) shortcoming in cmake, it can't
146# extend the 'clean' target to the external project
147# see thread: https://cmake.org/pipermail/cmake/2016-December/064660.html
148#
149# So for now we just have the top-level build remove the final build products...
150set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}" APPEND PROPERTY
151    ADDITIONAL_CLEAN_FILES
152    ${bootloader_binary_files})
153