espressif: Add CI jobs for Secure boot enabled images
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
diff --git a/.github/workflows/espressif.yaml b/.github/workflows/espressif.yaml
index 2df4de2..0aac747 100644
--- a/.github/workflows/espressif.yaml
+++ b/.github/workflows/espressif.yaml
@@ -15,9 +15,12 @@
strategy:
matrix:
targets: [esp32, esp32s2, esp32c3]
+ features:
+ - "sign-rsa2048,sign-rsa3072,sign-ec256,sign-ed25519"
runs-on: ubuntu-latest
env:
MCUBOOT_TARGET: ${{ matrix.targets }}
+ MCUBOOT_FEATURES: ${{ matrix.features }}
steps:
- uses: actions/checkout@v2
with:
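Review bot: The new `features` matrix axis holds a single entry that packs all four signing schemes into one comma-separated string, so the matrix does not fan out. Each target job builds the four configurations one after another, and because ci/espressif_run.sh runs under `set -eo pipefail`, the first failing build hides the result of the others. Listing the schemes as separate entries, `features: [sign-rsa2048, sign-rsa3072, sign-ec256, sign-ed25519]`, would give one job per target and scheme; the run script's comma split still works on a single value. Passing the value through `env:` rather than interpolating it into a `run:` line is the right pattern and should be kept.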
diff --git a/boot/espressif/secureboot-sign-ec256.conf b/boot/espressif/secureboot-sign-ec256.conf
new file mode 100644
index 0000000..cbd588d
--- /dev/null
+++ b/boot/espressif/secureboot-sign-ec256.conf
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+CONFIG_SECURE_SIGNED_ON_BOOT=1
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
+CONFIG_SECURE_BOOT=1
+CONFIG_SECURE_BOOT_V2_ENABLED=1
+CONFIG_SECURE_BOOT_SUPPORTS_RSA=1
+CONFIG_ESP_SIGN_KEY_FILE=root-ec-p256.pem
+CONFIG_ESP_USE_TINYCRYPT=1
+CONFIG_ESP_SIGN_EC256=1
+CONFIG_ESP_BOOTLOADER_SIZE=0xF000
+CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS=0x10000
+CONFIG_ESP_APPLICATION_SIZE=0x100000
+CONFIG_ESP_APPLICATION_SECONDARY_START_ADDRESS=0x110000
+CONFIG_ESP_MCUBOOT_WDT_ENABLE=1
+CONFIG_ESP_SCRATCH_OFFSET=0x210000
+CONFIG_ESP_SCRATCH_SIZE=0x40000
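Review bot: `CONFIG_ESP_SIGN_KEY_FILE=root-ec-p256.pem` points at what looks like a sample key kept in the repository, and the same applies to the key files named in secureboot-sign-ed25519.conf, secureboot-sign-rsa2048.conf and secureboot-sign-rsa3072.conf. A key whose private half is published gives no authenticity guarantee once an image leaves CI. A header comment such as `# CI/test configuration: signs with the sample key from the repository; replace CONFIG_ESP_SIGN_KEY_FILE before building for a device` would make that explicit. Separately, this file and the ed25519 one set `CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1` and `CONFIG_SECURE_BOOT_SUPPORTS_RSA=1` next to an EC/EdDSA image-signing scheme. If those options describe the hardware Secure Boot V2 check of the bootloader rather than the MCUboot image signature, a one-line comment saying so would stop them reading as copy-paste leftovers; otherwise they should be dropped.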
diff --git a/boot/espressif/secureboot-sign-ed25519.conf b/boot/espressif/secureboot-sign-ed25519.conf
new file mode 100644
index 0000000..a086fb6
--- /dev/null
+++ b/boot/espressif/secureboot-sign-ed25519.conf
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+CONFIG_SECURE_SIGNED_ON_BOOT=1
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
+CONFIG_SECURE_BOOT=1
+CONFIG_SECURE_BOOT_V2_ENABLED=1
+CONFIG_SECURE_BOOT_SUPPORTS_RSA=1
+CONFIG_ESP_SIGN_KEY_FILE=root-ed25519.pem
+CONFIG_ESP_USE_TINYCRYPT=1
+CONFIG_ESP_SIGN_ED25519=1
+CONFIG_ESP_BOOTLOADER_SIZE=0xF000
+CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS=0x10000
+CONFIG_ESP_APPLICATION_SIZE=0x100000
+CONFIG_ESP_APPLICATION_SECONDARY_START_ADDRESS=0x110000
+CONFIG_ESP_MCUBOOT_WDT_ENABLE=1
+CONFIG_ESP_SCRATCH_OFFSET=0x210000
+CONFIG_ESP_SCRATCH_SIZE=0x40000
diff --git a/boot/espressif/secureboot-sign-rsa2048.conf b/boot/espressif/secureboot-sign-rsa2048.conf
new file mode 100644
index 0000000..a0f5464
--- /dev/null
+++ b/boot/espressif/secureboot-sign-rsa2048.conf
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+CONFIG_SECURE_SIGNED_ON_BOOT=1
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
+CONFIG_SECURE_BOOT=1
+CONFIG_SECURE_BOOT_V2_ENABLED=1
+CONFIG_SECURE_BOOT_SUPPORTS_RSA=1
+CONFIG_ESP_SIGN_KEY_FILE=root-rsa-2048.pem
+CONFIG_ESP_USE_MBEDTLS=1
+CONFIG_ESP_SIGN_RSA=1
+CONFIG_ESP_SIGN_RSA_LEN=2048
+CONFIG_ESP_BOOTLOADER_SIZE=0xF000
+CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS=0x10000
+CONFIG_ESP_APPLICATION_SIZE=0x100000
+CONFIG_ESP_APPLICATION_SECONDARY_START_ADDRESS=0x110000
+CONFIG_ESP_MCUBOOT_WDT_ENABLE=1
+CONFIG_ESP_SCRATCH_OFFSET=0x210000
+CONFIG_ESP_SCRATCH_SIZE=0x40000
diff --git a/boot/espressif/secureboot-sign-rsa3072.conf b/boot/espressif/secureboot-sign-rsa3072.conf
new file mode 100644
index 0000000..0aa6be7
--- /dev/null
+++ b/boot/espressif/secureboot-sign-rsa3072.conf
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+CONFIG_SECURE_SIGNED_ON_BOOT=1
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
+CONFIG_SECURE_BOOT=1
+CONFIG_SECURE_BOOT_V2_ENABLED=1
+CONFIG_SECURE_BOOT_SUPPORTS_RSA=1
+CONFIG_ESP_SIGN_KEY_FILE=root-rsa-3072.pem
+CONFIG_ESP_USE_MBEDTLS=1
+CONFIG_ESP_SIGN_RSA=1
+CONFIG_ESP_SIGN_RSA_LEN=3072
+CONFIG_ESP_BOOTLOADER_SIZE=0xF000
+CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS=0x10000
+CONFIG_ESP_APPLICATION_SIZE=0x100000
+CONFIG_ESP_APPLICATION_SECONDARY_START_ADDRESS=0x110000
+CONFIG_ESP_MCUBOOT_WDT_ENABLE=1
+CONFIG_ESP_SCRATCH_OFFSET=0x210000
+CONFIG_ESP_SCRATCH_SIZE=0x40000
diff --git a/ci/espressif_install.sh b/ci/espressif_install.sh
index 2528968..db32200 100755
--- a/ci/espressif_install.sh
+++ b/ci/espressif_install.sh
@@ -9,8 +9,13 @@
set -eo pipefail
+install_imgtool() {
+ pip install imgtool
+}
+
install_idf() {
"${IDF_PATH}"/install.sh
}
+install_imgtool
install_idf
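Review bot: `pip install imgtool` in `install_imgtool` pulls whatever version is newest on the package index at run time, so the tool that signs the images can change between CI runs without any change in this repository. Pin it, e.g. `pip install imgtool==<PINNED_VERSION>`, or install from a requirements file with `--require-hashes`. That keeps the signing tool reproducible and stops an unexpected upstream release from silently altering the build.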
diff --git a/ci/espressif_run.sh b/ci/espressif_run.sh
index 8f136c1..669c15e 100755
--- a/ci/espressif_run.sh
+++ b/ci/espressif_run.sh
@@ -9,15 +9,23 @@
set -eo pipefail
-build_mcuboot() {
- local target=${MCUBOOT_TARGET}
- local build_dir=".build-${target}"
- local toolchain_file="${ESPRESSIF_ROOT}/tools/toolchain-${target}.cmake"
- local mcuboot_config="${ESPRESSIF_ROOT}/bootloader.conf"
-
+prepare_environment() {
# Prepare the environment for ESP-IDF
. "${IDF_PATH}"/export.sh
+}
+
+build_mcuboot() {
+ local target=${MCUBOOT_TARGET}
+ local feature=${1}
+ local toolchain_file="${ESPRESSIF_ROOT}/tools/toolchain-${target}.cmake"
+ local mcuboot_config="${ESPRESSIF_ROOT}/bootloader.conf"
+ local build_dir=".build-${target}"
+
+ if [ -n "${feature}" ]; then
+ mcuboot_config="${ESPRESSIF_ROOT}/secureboot-${feature}.conf"
+ build_dir=".build-${target}-${feature}"
+ fi
# Build MCUboot for selected target
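Review bot: `build_mcuboot` derives `mcuboot_config` from the `feature` argument but never checks that the resulting file exists, so a typo in `MCUBOOT_FEATURES` would surface only later, presumably in the cmake step; the rest of the function lies outside this hunk. A guard right after the `if` block, `[ -f "${mcuboot_config}" ] || { echo "Missing config: ${mcuboot_config}" >&2; exit 1; }`, fails early with a clear message. A short header comment stating that `$1` is an optional feature name and that an empty value selects `bootloader.conf` would document the new parameter.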
@@ -31,4 +39,13 @@
cmake --build "${build_dir}"/
}
-build_mcuboot
+prepare_environment
+
+if [ -n "${MCUBOOT_FEATURES}" ]; then
+ IFS=','
+ read -ra feature_list <<< "${MCUBOOT_FEATURES}"
+ for feature in "${feature_list[@]}"; do
+ echo "Building MCUboot with support for \"${feature}\""
+ build_mcuboot "${feature}"
+ done
+fi
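Review bot: With the unconditional `build_mcuboot` call removed and no `else` branch on the `MCUBOOT_FEATURES` test, the default `bootloader.conf` configuration is no longer built at all. When the variable is empty the script exits without building anything, and when it is set only the secure-boot variants run. Calling `build_mcuboot` once before the `if`, or adding `else build_mcuboot`, keeps the default configuration covered. Also, `IFS=','` stays in effect for the rest of the script, including the `build_mcuboot` calls in the loop; scoping it to the command, `IFS=',' read -ra feature_list <<< "${MCUBOOT_FEATURES}"`, avoids changing word splitting elsewhere.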