espressif: automate build system for flash enc

Modifies Kconfig and build tools to support flash encryption and E-Fuse burning when flash encryption is enabled. Signed-off-by: Filipe Cavalcanti <filipe.cavalcanti@espressif.com>
2026-05-29 20:56:47 +08:00 · 2025-10-21 11:41:46 -03:00
parent 8f42a6f6d7
commit 49d6177c68
8 changed files with 489 additions and 36 deletions
@@ -107,11 +107,19 @@ else ifeq ($(CONFIG_ESP32S3_APP_FORMAT_MCUBOOT),y)

 	APP_IMAGE      := nuttx.bin
 	FLASH_APP      := $(APP_OFFSET) $(APP_IMAGE)
-ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
-	IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
-else
- 	IMGTOOL_ALIGN_ARGS := --align 4
-endif
+
+	ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
+		ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y)
+			ENC_APP := $(CONFIG_ESP32S3_STORAGE_MTD_OFFSET) enc_mtd.bin
+		endif
+	endif
+
+	ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
+		IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
+	else
+		IMGTOOL_ALIGN_ARGS := --align 4
+	endif
+
 	IMGTOOL_SIGN_ARGS  := --pad $(VERIFIED) $(IMGTOOL_ALIGN_ARGS) -v 0 -s auto \
 		-H $(CONFIG_ESP32S3_APP_MCUBOOT_HEADER_SIZE) --pad-header \
 		-S $(CONFIG_ESP32S3_OTA_SLOT_SIZE)
@@ -124,7 +132,7 @@ else
 	ESPTOOL_BINDIR := .
 endif

-ESPTOOL_BINS += $(FLASH_APP)
+ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP)

 ifeq ($(CONFIG_BUILD_PROTECTED),y)
 	# Check the operating system
@@ -138,6 +146,75 @@ ifeq ($(CONFIG_BUILD_PROTECTED),y)
 	endif
 endif

+# Commands for colored and formatted output
+
+RED    = \033[1;31m
+YELLOW = \033[1;33m
+BOLD   = \033[1m
+RST    = \033[0m
+
+# Flash encryption procedure
+
+define FLASH_ENC
+	$(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)";
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+		if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \
+			echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \
+			echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \
+			exit 1; \
+		fi; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \
+		echo "Applying encryption to user MTD partition on flash."; \
+		if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \
+			echo -e "$(RED)Make sure CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \
+			exit 1; \
+		fi; \
+		size_int=$$(( $(CONFIG_ESP32S3_STORAGE_MTD_SIZE) )); \
+		echo -e "Encrypting user MTD partition offset: $(CONFIG_ESP32S3_STORAGE_MTD_OFFSET), size: $(CONFIG_ESP32S3_STORAGE_MTD_SIZE) ($$size_int)"; \
+		dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \
+        espsecure.py encrypt_flash_data --aes_xts --keyfile $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \
+		rm blank_mtd.bin; \
+	fi
+
+endef
+
+# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted
+
+define BURN_EFUSES
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \
+	elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \
+	else \
+		if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+			echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \
+		fi; \
+		echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \
+		efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \
+		if echo "$$efuse_summary" | grep -q '?? ??'; then \
+			echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \
+			if [ -z "$(NOCHECK)" ] ; then \
+				espefuse.py --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			else \
+				espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			fi; \
+		fi; \
+	fi
+endef
+
 # MERGEBIN -- Merge raw binary files into a single file

 define MERGEBIN
@@ -157,7 +234,7 @@ define MERGEBIN
 			$(ESPTOOL_FLASH_OPTS)                                                \
 		)                                                                        \
 	)
-	esptool.py -c esp32s3 merge_bin --output nuttx.merged.bin $(ESPTOOL_MERGEBIN_OPTS) $(ESPTOOL_BINS)
+	esptool.py -c esp32s3 merge_bin $(ESPTOOL_MERGEBIN_OPTS) --output nuttx.merged.bin $(ESPTOOL_BINS)
 	$(Q) echo nuttx.merged.bin >> nuttx.manifest
 	$(Q) echo "Generated: nuttx.merged.bin"
 endef
@@ -220,6 +297,7 @@ endif
 define POSTBUILD
 	$(call MKIMAGE)
 	$(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN))
+	$(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC))
 	$(if $(CONFIG_ESP32S3_MERGE_BINS),$(call MERGEBIN))
 endef

@@ -235,6 +313,7 @@ define FLASH
 		echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \
 		exit 1; \
 	fi
+	$(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES))
 	$(eval ESPTOOL_OPTS := -c esp32s3 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(if $(CONFIG_ESP32S3_ESPTOOLPY_NO_STUB),--no-stub))
 	esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)
 endef