Means only one key needs to be managed.
config SECURE_BOOTLOADER_REFLASHABLE
bool "Reflashable"
help
- Generate the bootloader digest key on the computer instead of inside
- the chip. Allows the secure bootloader to be re-flashed by using the
- same key.
+ Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key.
- This option is less secure than one-time flash, because a leak of the digest key allows reflashing of any device that uses it.
+ This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing key.
-endchoice
-
-config SECURE_BOOTLOADER_KEY_FILE
- string "Secure bootloader key file"
- depends on SECURE_BOOTLOADER_REFLASHABLE
- default secure_boot_key.bin
- help
- Path to the key file for a reflashable secure bootloader digest.
- File must contain 32 randomly generated bytes.
+ This option is less secure than one-time flash, because a leak of the digest key from one device allows reflashing of any device that uses it.
- Path is evaluated relative to the project directory.
-
- You can generate a new key by running the following command:
- espsecure.py generate_key secure_boot_key.bin
-
- See docs/security/secure-boot.rst for details.
+endchoice
config SECURE_BOOT_SIGNING_KEY
string "Secure boot signing key"
BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin
BOOTLOADER_SDKCONFIG=$(BOOTLOADER_BUILD_DIR)/sdkconfig
-# both signing key paths are resolved relative to the project directory
-SECURE_BOOTLOADER_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOTLOADER_KEY_FILE)))
+# signing key path is resolved relative to the project directory
SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY)))
export SECURE_BOOT_SIGNING_KEY # used by bootloader_support component
$(BOOTLOADER_BIN): | $(BOOTLOADER_BUILD_DIR)/sdkconfig
$(Q) $(BOOTLOADER_MAKE) $@
-bootloader-clean:
- $(Q) $(BOOTLOADER_MAKE) app-clean config-clean
- $(Q) rm -f $(BOOTLOADER_SDKCONFIG) $(BOOTLOADER_SDKCONFIG).old
-
clean: bootloader-clean
ifdef CONFIG_SECURE_BOOTLOADER_DISABLED
# Reflashable secure bootloader
# generates a digest binary (bootloader + digest)
-BOOTLOADER_DIGEST_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
+BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
+SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key.bin
+
+$(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY)
+ $(Q) $(ESPSECUREPY) digest_private_key -k $< $@
bootloader: $(BOOTLOADER_DIGEST_BIN)
@echo $(SEPARATOR)
@echo "DIGEST $(notdir $@)"
$(Q) $(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $<
-$(SECURE_BOOTLOADER_KEY):
- @echo $(SEPARATOR)
- @echo "Need to generate secure boot signing key. Run following command:"
- @echo "$(ESPSECUREPY) generate_key $@"
- @echo "Keep key file safe after generating."
- @echo "(See secure boot documentation for caveats & alternatives.)")
- @exit 1
-
else
bootloader:
@echo "Invalid bootloader target: bad sdkconfig?"
@exit 1
endif
+bootloader-clean:
+ $(Q) $(BOOTLOADER_MAKE) app-clean config-clean
+ $(Q) rm -f $(BOOTLOADER_SDKCONFIG) $(BOOTLOADER_SDKCONFIG).old $(SECURE_BOOTLOADER_KEY) $(BOOTLOADER_DIGEST_BIN)
+
all_binaries: $(BOOTLOADER_BIN)
# synchronise the project level config to the bootloader's
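Review bot: The file produced by the new `$(SECURE_BOOTLOADER_KEY)` rule is a reflash secret — the Kconfig help in this same change says a leaked digest key lets anyone reflash every device burned with it — yet it is written into the build directory with default permissions and nothing in the hunk marks it as sensitive. I would add above the rule `# NB: secure-bootloader-key.bin is a secret: with it anyone can reflash the bootloader on every device that was burned with this key. Keep the build directory out of shared caches and CI artifacts.` Separately, if `digest_private_key` fails after creating `$@`, GNU make leaves the partial file in place and the `digest_secure_bootloader` recipe below then treats it as up to date; unless this file already sets it elsewhere, add `.DELETE_ON_ERROR:` (or write to `$@.tmp` and `mv -f` into place). The `bootloader:` and digest rules in between appear to be cut by the hunk boundaries, so I cannot confirm exactly how the digest target chains to the key file.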
+++ /dev/null
-# projbuild file for bootloader support
-# (included in bootloader & main app)
-
#
ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
+# this path is created relative to the component build directory
SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)
-COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)
-
$(SECURE_BOOT_SIGNING_KEY):
@echo "Need to generate secure boot signing key."
@echo "One way is to run this command:"
$(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY)
$(ESPSECUREPY) extract_public_key --keyfile $< $@
+
+COMPONENT_EXTRA_CLEAN += $(SECURE_BOOT_VERIFICATION_KEY)
+
+COMPONENT_EMBED_FILES := $(SECURE_BOOT_VERIFICATION_KEY)
+
endif
include $(IDF_PATH)/make/component_common.mk
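Review bot: `$(SECURE_BOOT_VERIFICATION_KEY)` is regenerated only when the signing-key file is newer than it, so pointing `CONFIG_SECURE_BOOT_SIGNING_KEY` at a different but older key file (for example after rotating a leaked key) leaves a stale `signature_verification_key.bin` that `COMPONENT_EMBED_FILES` then bakes into the image — presumably the key the bootloader verifies against, in which case it would keep trusting the old signing key. Make the rule also depend on the project's sdkconfig (whichever variable this file already has for it), or record the resolved key path in a stamp file and depend on that, so a configuration change forces regeneration. For consistency with the other recipes in this change, the `extract_public_key` line could also be written `$(Q) $(ESPSECUREPY) extract_public_key --keyfile $< $@`. The `$(SECURE_BOOT_SIGNING_KEY):` rule above continues outside the hunk.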
-Subproject commit 68ed7c7a4e4409899f10dddda1e02b20e5cb32f0
+Subproject commit 98e5dbfa78fa53cebcb4c56530e683f889bf21c3
$(summary) RM $(APP_ELF)
$(Q) rm -f $(APP_ELF) $(APP_BIN) $(APP_MAP)
-clean: app-clean
+# NB: this ordering is deliberate (app-clean before config-clean),
+# so config remains valid during all component clean targets
+config-clean: app-clean
+clean: config-clean
# sometimes you can get an infinite make loop on Windows where sdkconfig always gets regenerated newer
# than the target(!)
-clean: config-clean
.PHONY: config-clean
config-clean:
$(summary RM CONFIG)