ESP32: bump encrypted ota component and fix the build errors #37950

Merged
merged 7 commits into from
Mar 11, 2025
4 changes: 4 additions & 0 deletions config/esp32/components/chip/CMakeLists.txt
Expand Up @@ -444,6 +444,10 @@ if (CONFIG_SEC_CERT_DAC_PROVIDER)
list(APPEND matter_requires espressif__esp_secure_cert_mgr)
endif()

if (CONFIG_ENABLE_ENCRYPTED_OTA)
list(APPEND matter_requires espressif__esp_encrypted_img)
endif()

add_prebuilt_library(matterlib "${CMAKE_CURRENT_BINARY_DIR}/lib/libCHIP.a"
REQUIRES ${matter_requires})
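Review bot: the new `if (CONFIG_ENABLE_ENCRYPTED_OTA)` block appends `espressif__esp_encrypted_img` regardless of IDF version, while `idf_component.yml` only pulls `espressif/esp_encrypted_img` under the rule `idf_version >=4.4`. With the option enabled on an older IDF the component would not be fetched and this REQUIRES entry would not resolve. Either make the Kconfig option depend on the same IDF version, or add a comment here stating that it already does.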

2 changes: 1 addition & 1 deletion config/esp32/components/chip/idf_component.yml
Expand Up @@ -11,7 +11,7 @@ dependencies:
- if: "idf_version >=4.3"

espressif/esp_encrypted_img:
version: "2.1.0"
version: "2.3.0"
require: public
rules:
- if: "idf_version >=4.4"
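Review bot: `version: "2.3.0"` pins the device-side component exactly, but docs/platforms/esp32/ota.md still links `esp_enc_img_gen.py` on the `master` branch of idf-extra-components, so the host-side script a reader downloads is not tied to the version the firmware builds against. Consider linking the script at the tag that matches this pin, or stating in the docs which component version the script must come from.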
45 changes: 30 additions & 15 deletions docs/platforms/esp32/ota.md
Expand Up @@ -92,35 +92,50 @@ image can be encrypted/decrypted using an RSA-3072 key pair.

Please follow the steps below to generate an application image for OTA upgrades:

1. Generate a new RSA-3072 key pair or use an existing one.
1. Generate a new RSA-3072 key pair or use an existing one.

- To generate a key pair, use the following command:
- To generate a key pair, use the following command:

```
openssl genrsa -out esp_image_encryption_key.pem 3072
```

- Extract the public key from the key pair:
- Extract the public key from the key pair:
```
openssl rsa -in esp_image_encryption_key.pem -pubout -out esp_image_encryption_public_key.pem
```

2. Encrypt the application binary using the
[esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py)
script.
2. Encrypt the application binary using the
[esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py)
script.

- Use the following command to encrypt the OTA image with the public key:
Use the following command to encrypt the OTA image with the public key:

```
python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin
```
```
python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin
```

- Append the Matter OTA header:
```
src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 --version 2 --version-str "v2.0" -da sha256 lighting-app-encrypted.bin lighting-app-encrypted-ota.bin
```
Optionally, you can use the cmake function `create_esp_enc_img()` to encrypt
the OTA image during the build process. Please find the usage below. This is
also demonstrated in the `examples/lighting-app/esp32/main/CMakeLists.txt`
file.

```
create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
${project_dir}/esp_image_encryption_public_key.pem
${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin
app)
```

3. Append the Matter OTA header

```
src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 \
--version 2 --version-str "v2.0" -da sha256 \
lighting-app-encrypted.bin lighting-app-encrypted-ota.bin
```

3. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app.
4. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app.

## Delta OTA
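Review bot: in step 2, the optional `create_esp_enc_img()` paragraph writes its output to `${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin`, but step 3 still takes `lighting-app-encrypted.bin` from the current directory, so a reader who uses the CMake path has to work out the input for `ota_image_tool.py` on their own. Add a sentence saying that the build-time output lands in the build directory and is the file to pass to step 3. The snippet is also shown without the `if (CONFIG_ENABLE_ENCRYPTED_OTA)` guard that examples/lighting-app/esp32/main/CMakeLists.txt uses, and the new step 3 heading has no closing punctuation, unlike the other steps.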

7 changes: 7 additions & 0 deletions examples/lighting-app/esp32/main/CMakeLists.txt
Expand Up @@ -82,6 +82,13 @@ target_compile_options(${COMPONENT_LIB} PUBLIC
"-DCHIP_ADDRESS_RESOLVE_IMPL_INCLUDE_HEADER=<lib/address_resolve/AddressResolve_DefaultImpl.h>"
)

if (CONFIG_ENABLE_ENCRYPTED_OTA)
create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
${project_dir}/esp_image_encryption_public_key.pem
${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin
app)
endif()

if (CONFIG_ENABLE_PW_RPC)

get_filename_component(CHIP_ROOT ${CMAKE_SOURCE_DIR}/third_party/connectedhomeip REALPATH)
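Review bot: `${project_dir}` in the `create_esp_enc_img()` call is not set anywhere in the visible context of this file; if it is undefined at this point the key path expands to `/esp_image_encryption_public_key.pem`. Fetch it explicitly with `idf_build_get_property(project_dir PROJECT_DIR)` before the call, or use `${CMAKE_SOURCE_DIR}` as the `CHIP_ROOT` line below does. Also consider failing with a clear message when the key file is missing, since enabling `CONFIG_ENABLE_ENCRYPTED_OTA` now makes the build depend on a file the user has to generate.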