From 17e11961d3d7a1e177b86e06a70c5273161ab0e1 Mon Sep 17 00:00:00 2001
From: Shubham Patil
Date: Mon, 10 Mar 2025 20:54:22 +0530
Subject: [PATCH 1/6] ESP32: bump encrypted ota component and fix the build errors
- Upgrade esp_encrypted_img dependency to version 2.3.0
- Update OTA documentation with new encrypted image generation method
- Add cmake function create_esp_enc_img() to lighting-app example
---
 config/esp32/components/chip/CMakeLists.txt | 4 ++++
 config/esp32/components/chip/idf_component.yml | 2 +-
 docs/platforms/esp32/ota.md | 15 ++++++++++++---
 examples/lighting-app/esp32/main/CMakeLists.txt | 5 +++++
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/config/esp32/components/chip/CMakeLists.txt b/config/esp32/components/chip/CMakeLists.txt
index f63d8a90387694..c1b0e0b6440cbe 100644
--- a/config/esp32/components/chip/CMakeLists.txt
+++ b/config/esp32/components/chip/CMakeLists.txt
@@ -444,6 +444,10 @@ if (CONFIG_SEC_CERT_DAC_PROVIDER)
 list(APPEND matter_requires espressif__esp_secure_cert_mgr)
 endif()
+if (CONFIG_ENABLE_ENCRYPTED_OTA)
+ list(APPEND matter_requires espressif__esp_encrypted_img)
+endif()
+
 add_prebuilt_library(matterlib "${CMAKE_CURRENT_BINARY_DIR}/lib/libCHIP.a" REQUIRES ${matter_requires})
diff --git a/config/esp32/components/chip/idf_component.yml b/config/esp32/components/chip/idf_component.yml
index c11eef55d97129..e2b68574fc8bb7 100644
--- a/config/esp32/components/chip/idf_component.yml
+++ b/config/esp32/components/chip/idf_component.yml
@@ -11,7 +11,7 @@ dependencies:
 - if: "idf_version >=4.3"
 espressif/esp_encrypted_img:
- version: "2.1.0"
+ version: "2.3.0"
 require: public
 rules:
 - if: "idf_version >=4.4"
diff --git a/docs/platforms/esp32/ota.md b/docs/platforms/esp32/ota.md
index ae43e09bc08264..ef947d11bf40a0 100644
--- a/docs/platforms/esp32/ota.md
+++ b/docs/platforms/esp32/ota.md
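Review bot: The new `if (CONFIG_ENABLE_ENCRYPTED_OTA)` block in config/esp32/components/chip/CMakeLists.txt appends `espressif__esp_encrypted_img` to `matter_requires` without saying why a prebuilt archive needs the managed component in its REQUIRES list, and the commit message only says it fixes build errors. Presumably libCHIP.a's encrypted-OTA path uses the component's headers or symbols and `add_prebuilt_library(... REQUIRES ...)` is what propagates them to consumers; a one-line comment would spare the next reader the same investigation, e.g. `# libCHIP.a uses esp_encrypted_img when encrypted OTA is enabled; REQUIRES propagates its include dirs and link dependency`. The `espressif__` prefix matches the managed-component naming already used for `esp_secure_cert_mgr` on the line above, so the name itself looks consistent with the file.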
@@ -115,12 +115,21 @@ Please follow the steps below to generate an application image for OTA upgrades: python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin ``` - - Append the Matter OTA header: + Optionally, you can use the cmake function `create_esp_enc_img()` to encrypt the OTA image during the build process. Please find the usage below. This is also demonstrated in the `examples/lighting-app/esp32/main/CMakeLists.txt` file. + ``` - src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 --version 2 --version-str "v2.0" -da sha256 lighting-app-encrypted.bin lighting-app-encrypted-ota.bin + create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin + ${project_dir}/esp_image_encryption_public_key.pem + ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin + app) ``` -3. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app. +3. Append the Matter OTA header + ``` + src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 --version 2 --version-str "v2.0" -da sha256 lighting-app-encrypted.bin lighting-app-encrypted-ota.bin + ``` + +4. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app. ## Delta OTA diff --git a/examples/lighting-app/esp32/main/CMakeLists.txt b/examples/lighting-app/esp32/main/CMakeLists.txt index 1fbda23c0fb930..41cfb485917dd8 100644 --- a/examples/lighting-app/esp32/main/CMakeLists.txt +++ b/examples/lighting-app/esp32/main/CMakeLists.txt @@ -82,6 +82,11 @@ target_compile_options(${COMPONENT_LIB} PUBLIC "-DCHIP_ADDRESS_RESOLVE_IMPL_INCLUDE_HEADER=" ) +create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin + ${project_dir}/esp_image_encryption_public_key.pem + ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin + app) + if (CONFIG_ENABLE_PW_RPC) get_filename_component(CHIP_ROOT ${CMAKE_SOURCE_DIR}/third_party/connectedhomeip REALPATH) 
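Review bot: `${project_dir}` in the new `create_esp_enc_img(...)` call in examples/lighting-app/esp32/main/CMakeLists.txt is not defined anywhere in the hunk; if it is not set in this component's scope, the second argument silently expands to `/esp_image_encryption_public_key.pem` and the failure only surfaces when the custom command runs, not at configure time. If the value is meant to come from the IDF build system, read it explicitly before the call with `idf_build_get_property(project_dir PROJECT_DIR)`; otherwise, since this file lives one level below the project directory, `${CMAKE_CURRENT_SOURCE_DIR}/../esp_image_encryption_public_key.pem` would be the self-contained form. The four positional arguments also carry no explanation; a comment such as `# create_esp_enc_img(<plain app image> <RSA public key from "openssl rsa -pubout", see docs/platforms/esp32/ota.md> <encrypted output> app)` ties the key argument to the documented generation step, with a hedge that `app` presumably names the target producing the .bin and should be confirmed against the component's function definition.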
From d41fc2d63981c2e838ba4981c2b6ecb024f82684 Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Mon, 10 Mar 2025 15:28:17 +0000 Subject: [PATCH 2/6] Restyled by prettier-markdown --- docs/platforms/esp32/ota.md | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/docs/platforms/esp32/ota.md b/docs/platforms/esp32/ota.md index ef947d11bf40a0..9c8e97079a2544 100644 --- a/docs/platforms/esp32/ota.md +++ b/docs/platforms/esp32/ota.md @@ -92,7 +92,7 @@ image can be encrypted/decrypted using an RSA-3072 key pair. Please follow the steps below to generate an application image for OTA upgrades: -1. Generate a new RSA-3072 key pair or use an existing one. +1. Generate a new RSA-3072 key pair or use an existing one. - To generate a key pair, use the following command: @@ -105,9 +105,9 @@ Please follow the steps below to generate an application image for OTA upgrades: openssl rsa -in esp_image_encryption_key.pem -pubout -out esp_image_encryption_public_key.pem ``` -2. Encrypt the application binary using the - [esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py) - script. +2. Encrypt the application binary using the + [esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py) + script. - Use the following command to encrypt the OTA image with the public key: 
@@ -115,21 +115,25 @@ Please follow the steps below to generate an application image for OTA upgrades: python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin ``` - Optionally, you can use the cmake function `create_esp_enc_img()` to encrypt the OTA image during the build process. Please find the usage below. This is also demonstrated in the `examples/lighting-app/esp32/main/CMakeLists.txt` file. + Optionally, you can use the cmake function `create_esp_enc_img()` to encrypt + the OTA image during the build process. Please find the usage below. This is + also demonstrated in the `examples/lighting-app/esp32/main/CMakeLists.txt` + file. - ``` - create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin - ${project_dir}/esp_image_encryption_public_key.pem - ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin - app) - ``` + ``` + create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin + ${project_dir}/esp_image_encryption_public_key.pem + ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin + app) + ``` + +3. Append the Matter OTA header -3. Append the Matter OTA header ``` src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 --version 2 --version-str "v2.0" -da sha256 lighting-app-encrypted.bin lighting-app-encrypted-ota.bin ``` -4. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app. +4. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app. ## Delta OTA From fbe904337225b6b1ba1e7dd7a3be92bd98323602 Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Mon, 10 Mar 2025 15:30:15 +0000 Subject: [PATCH 3/6] Restyled by prettier-markdown --- docs/platforms/esp32/ota.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/platforms/esp32/ota.md b/docs/platforms/esp32/ota.md index 9c8e97079a2544..5baf646567a7c0 100644 --- a/docs/platforms/esp32/ota.md +++ b/docs/platforms/esp32/ota.md 
@@ -94,13 +94,13 @@ Please follow the steps below to generate an application image for OTA upgrades: 1. Generate a new RSA-3072 key pair or use an existing one. - - To generate a key pair, use the following command: + - To generate a key pair, use the following command: ``` openssl genrsa -out esp_image_encryption_key.pem 3072 ``` - - Extract the public key from the key pair: + - Extract the public key from the key pair: ``` openssl rsa -in esp_image_encryption_key.pem -pubout -out esp_image_encryption_public_key.pem ``` @@ -109,7 +109,7 @@ Please follow the steps below to generate an application image for OTA upgrades: [esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py) script. - - Use the following command to encrypt the OTA image with the public key: + - Use the following command to encrypt the OTA image with the public key: ``` python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin From ab3125e51e099e64bd34d44c1c27a29ab12d8fb5 Mon Sep 17 00:00:00 2001 From: Shubham Patil Date: Mon, 10 Mar 2025 21:04:04 +0530 Subject: [PATCH 4/6] some markdown fixes --- docs/platforms/esp32/ota.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/platforms/esp32/ota.md b/docs/platforms/esp32/ota.md index 5baf646567a7c0..6c39fd339f2d4d 100644 --- a/docs/platforms/esp32/ota.md +++ b/docs/platforms/esp32/ota.md 
@@ -120,17 +120,19 @@ Please follow the steps below to generate an application image for OTA upgrades: also demonstrated in the `examples/lighting-app/esp32/main/CMakeLists.txt` file. - ``` - create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin - ${project_dir}/esp_image_encryption_public_key.pem - ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin - app) - ``` + ``` + create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin + ${project_dir}/esp_image_encryption_public_key.pem + ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin + app) + ``` 3. Append the Matter OTA header ``` - src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 --version 2 --version-str "v2.0" -da sha256 lighting-app-encrypted.bin lighting-app-encrypted-ota.bin + src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 \ + --version 2 --version-str "v2.0" -da sha256 \ + lighting-app-encrypted.bin lighting-app-encrypted-ota.bin ``` 4. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app. From 42125b95637793bfe736d6c7904765775df9ff5e Mon Sep 17 00:00:00 2001 From: Shubham Patil Date: Mon, 10 Mar 2025 21:06:03 +0530 Subject: [PATCH 5/6] some more mardown restyling --- docs/platforms/esp32/ota.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/platforms/esp32/ota.md b/docs/platforms/esp32/ota.md index 6c39fd339f2d4d..a76364ac8acca5 100644 --- a/docs/platforms/esp32/ota.md +++ b/docs/platforms/esp32/ota.md 
@@ -109,23 +109,23 @@ Please follow the steps below to generate an application image for OTA upgrades: [esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py) script. - - Use the following command to encrypt the OTA image with the public key: + Use the following command to encrypt the OTA image with the public key: - ``` - python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin - ``` + ``` + python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin + ``` Optionally, you can use the cmake function `create_esp_enc_img()` to encrypt the OTA image during the build process. Please find the usage below. This is also demonstrated in the `examples/lighting-app/esp32/main/CMakeLists.txt` file. - ``` - create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin - ${project_dir}/esp_image_encryption_public_key.pem - ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin - app) - ``` + ``` + create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin + ${project_dir}/esp_image_encryption_public_key.pem + ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin + app) + ``` 3. Append the Matter OTA header From 92669c2f2c9bc9f36a7ff2b161fa1d2b94d08e04 Mon Sep 17 00:00:00 2001 From: Shubham Patil Date: Tue, 11 Mar 2025 10:25:12 +0530 Subject: [PATCH 6/6] conditionally generate the encrypted ota image --- examples/lighting-app/esp32/main/CMakeLists.txt | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/examples/lighting-app/esp32/main/CMakeLists.txt b/examples/lighting-app/esp32/main/CMakeLists.txt index 41cfb485917dd8..dacf2735b9c1a1 100644 --- a/examples/lighting-app/esp32/main/CMakeLists.txt +++ b/examples/lighting-app/esp32/main/CMakeLists.txt 
@@ -82,10 +82,12 @@ target_compile_options(${COMPONENT_LIB} PUBLIC
 "-DCHIP_ADDRESS_RESOLVE_IMPL_INCLUDE_HEADER="
 )
-create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
- ${project_dir}/esp_image_encryption_public_key.pem
- ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin
- app)
+if (CONFIG_ENABLE_ENCRYPTED_OTA)
+ create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
+ ${project_dir}/esp_image_encryption_public_key.pem
+ ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin
+ app)
+endif()
 if (CONFIG_ENABLE_PW_RPC)