project_include.cmake
# NOTE(review): this stores the literal text CONFIG_BOOTLOADER_OFFSET_IN_FLASH,
# not the value of that config variable. If consumers need the numeric offset,
# "${CONFIG_BOOTLOADER_OFFSET_IN_FLASH}" is presumably what was intended.
# Confirm against the places that read BOOTLOADER_OFFSET before changing it.
set(BOOTLOADER_OFFSET CONFIG_BOOTLOADER_OFFSET_IN_FLASH)

# Do not generate the flash file when this file is processed as part of the
# bootloader build itself, or when CONFIG_APP_BUILD_BOOTLOADER is off.
if(BOOTLOADER_BUILD OR NOT CONFIG_APP_BUILD_BOOTLOADER)
    return()
endif()

# Glue that builds the bootloader subproject binary as an external CMake
# project nested under this one.
idf_build_get_property(project_dir PROJECT_DIR)
idf_build_get_property(build_dir BUILD_DIR)

set(BOOTLOADER_BUILD_DIR "${build_dir}/bootloader")

# Files the bootloader subproject is expected to produce. The list is used
# further down as the external project's byproducts and as extra clean files.
set(bootloader_binary_files
    "${BOOTLOADER_BUILD_DIR}/bootloader.elf"
    "${BOOTLOADER_BUILD_DIR}/bootloader.bin"
    "${BOOTLOADER_BUILD_DIR}/bootloader.map"
    )

# Additional processing applies when CONFIG_SECURE_SIGNED_APPS is set, which
# happens with either CONFIG_SECURE_BOOT_V1_ENABLED or
# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES. In both cases the user chooses,
# through CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES, whether binaries are signed
# during the build.
#
# Either way, the main project's keys (signing/verification) are handed to the
# bootloader subproject via config.
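# Resolve the secure boot key paths (if any), then build the bootloader as an
# external project and wire its outputs into the top-level build.
#
# Results of the key handling:
#   sign_key_arg / ver_key_arg - -D arguments forwarded to the bootloader
#                                subproject (empty when not applicable)
#   SECURE_BOOT_SIGNING_KEY    - absolute signing key path, set only when
#                                binaries are signed during the build
#   gen_secure_boot_keys       - target the bootloader build depends on
if(CONFIG_SECURE_SIGNED_APPS)
    add_custom_target(gen_secure_boot_keys)

    # Value passed to `espsecure.py generate_signing_key --version` in the
    # missing-key hint below. It stays unset if neither scheme is selected.
    if(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
        set(secure_apps_signing_scheme "1")
    elseif(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME)
        set(secure_apps_signing_scheme "2")
    endif()

    if(CONFIG_SECURE_BOOT_V1_ENABLED)
        # Check that the configuration is sane: exactly one of the two
        # bootloader modes must be selected.
        if((CONFIG_SECURE_BOOTLOADER_REFLASHABLE AND CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH) OR
            (NOT CONFIG_SECURE_BOOTLOADER_REFLASHABLE AND NOT CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH))
            fail_at_build_time(bootloader "Invalid bootloader target: bad sdkconfig?")
        endif()

        if(CONFIG_SECURE_BOOTLOADER_REFLASHABLE)
            # NOTE(review): judging by their names, the secure-bootloader-key-*.bin
            # outputs are key material written into the build directory. Confirm,
            # and if so keep them out of published build artifacts.
            list(APPEND bootloader_binary_files
                "${BOOTLOADER_BUILD_DIR}/bootloader-reflash-digest.bin"
                "${BOOTLOADER_BUILD_DIR}/secure-bootloader-key-192.bin"
                "${BOOTLOADER_BUILD_DIR}/secure-bootloader-key-256.bin"
                )
        endif()
    endif()

    # Since keys are usually given relative to main project dir, get the absolute paths to the keys
    # for use by the bootloader subproject. Replace the values in config with these absolute paths,
    # so that bootloader subproject does not need to assume main project dir to obtain path to the keys.
    if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
        get_filename_component(secure_boot_signing_key
            "${CONFIG_SECURE_BOOT_SIGNING_KEY}"
            ABSOLUTE BASE_DIR "${project_dir}")

        # A directory is not a usable key file. An empty key setting can resolve
        # to the project directory itself, which would pass a bare EXISTS test.
        if(NOT EXISTS "${secure_boot_signing_key}" OR IS_DIRECTORY "${secure_boot_signing_key}")
            # If the signing key is not found, create a phony gen_secure_boot_signing_key target that
            # fails the build. fail_at_build_time causes a cmake run next time
            # (to pick up a new signing key if one exists, etc.)
            fail_at_build_time(gen_secure_boot_signing_key
                "Secure Boot Signing Key ${CONFIG_SECURE_BOOT_SIGNING_KEY} does not exist. Generate using:"
                "\tespsecure.py generate_signing_key --version ${secure_apps_signing_scheme} ${CONFIG_SECURE_BOOT_SIGNING_KEY}")
        else()
            add_custom_target(gen_secure_boot_signing_key)
        endif()

        # Only the path of the signing key is recorded and forwarded here.
        set(SECURE_BOOT_SIGNING_KEY "${secure_boot_signing_key}") # needed by some other components
        set(sign_key_arg "-DSECURE_BOOT_SIGNING_KEY=${secure_boot_signing_key}")
        set(ver_key_arg)

        add_dependencies(gen_secure_boot_keys gen_secure_boot_signing_key)
    elseif(CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME)
        # Binaries are not signed during the build: this branch resolves and
        # forwards only the public verification key, not the signing key.
        # The path is quoted so that an empty setting reaches the check below
        # instead of breaking the get_filename_component() argument list.
        get_filename_component(secure_boot_verification_key
            "${CONFIG_SECURE_BOOT_VERIFICATION_KEY}"
            ABSOLUTE BASE_DIR "${project_dir}")

        if(NOT EXISTS "${secure_boot_verification_key}" OR IS_DIRECTORY "${secure_boot_verification_key}")
            # If the verification key is not found, create a phony gen_secure_boot_verification_key target that
            # fails the build. fail_at_build_time causes a cmake run next time
            # (to pick up a new verification key if one exists, etc.)
            fail_at_build_time(gen_secure_boot_verification_key
                "Secure Boot Verification Public Key ${CONFIG_SECURE_BOOT_VERIFICATION_KEY} does not exist."
                "\tThis can be extracted from the private signing key."
                "\tSee docs/security/secure-boot-v1.rst for details.")
        else()
            add_custom_target(gen_secure_boot_verification_key)
        endif()

        set(sign_key_arg)
        set(ver_key_arg "-DSECURE_BOOT_VERIFICATION_KEY=${secure_boot_verification_key}")

        add_dependencies(gen_secure_boot_keys gen_secure_boot_verification_key)
    endif()
else()
    set(sign_key_arg)
    set(ver_key_arg)
endif()

idf_build_get_property(idf_path IDF_PATH)
idf_build_get_property(idf_target IDF_TARGET)
idf_build_get_property(sdkconfig SDKCONFIG)
idf_build_get_property(python PYTHON)
idf_build_get_property(extra_cmake_args EXTRA_CMAKE_ARGS)

externalproject_add(bootloader
    SOURCE_DIR "${CMAKE_CURRENT_LIST_DIR}/subproject"
    BINARY_DIR "${BOOTLOADER_BUILD_DIR}"
    CMAKE_ARGS  -DSDKCONFIG=${sdkconfig} -DIDF_PATH=${idf_path} -DIDF_TARGET=${idf_target}
                -DPYTHON_DEPS_CHECKED=1 -DPYTHON=${python}
                -DEXTRA_COMPONENT_DIRS=${CMAKE_CURRENT_LIST_DIR}
                ${sign_key_arg} ${ver_key_arg}
                # LEGACY_INCLUDE_COMMON_HEADERS has to be passed in via cache variable since
                # the bootloader common component requirements depends on this and
                # config variables are not available before project() call.
                -DLEGACY_INCLUDE_COMMON_HEADERS=${CONFIG_LEGACY_INCLUDE_COMMON_HEADERS}
                # NOTE(review): these come after the key arguments, so a -D for the
                # same variable in EXTRA_CMAKE_ARGS would presumably override the key
                # paths resolved above. Confirm that is intended.
                ${extra_cmake_args}
    INSTALL_COMMAND ""
    BUILD_ALWAYS 1  # no easy way around this...
    BUILD_BYPRODUCTS ${bootloader_binary_files}
    )

# The bootloader must not start building before the key targets have run
# (they are either empty or fail the build with a missing-key message).
if(CONFIG_SECURE_SIGNED_APPS)
    add_dependencies(bootloader gen_secure_boot_keys)
endif()

# this is a hack due to an (annoying) shortcoming in cmake, it can't
# extend the 'clean' target to the external project
# see thread: https://cmake.org/pipermail/cmake/2016-December/064660.html
#
# So for now we just have the top-level build remove the final build products...
set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}" APPEND PROPERTY
    ADDITIONAL_MAKE_CLEAN_FILES
    ${bootloader_binary_files})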