project-chip · mergify · Mar 11, 2025 · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025
@@ -444,6 +444,10 @@ if (CONFIG_SEC_CERT_DAC_PROVIDER)
     list(APPEND matter_requires espressif__esp_secure_cert_mgr)
 endif()
 
+if (CONFIG_ENABLE_ENCRYPTED_OTA)
+    list(APPEND matter_requires espressif__esp_encrypted_img)
+endif()
+
 add_prebuilt_library(matterlib "${CMAKE_CURRENT_BINARY_DIR}/lib/libCHIP.a"
                      REQUIRES ${matter_requires})
 

@@ -11,7 +11,7 @@ dependencies:
             - if: "idf_version >=4.3"
 
     espressif/esp_encrypted_img:
-        version: "2.1.0"
+        version: "2.3.0"
         require: public
         rules:
             - if: "idf_version >=4.4"

@@ -92,35 +92,50 @@ image can be encrypted/decrypted using an RSA-3072 key pair.
 
 Please follow the steps below to generate an application image for OTA upgrades:
 
-1. Generate a new RSA-3072 key pair or use an existing one.
+1.  Generate a new RSA-3072 key pair or use an existing one.
 
-    - To generate a key pair, use the following command:
+    -   To generate a key pair, use the following command:
 
         ```
         openssl genrsa -out esp_image_encryption_key.pem 3072
         ```
 
-    - Extract the public key from the key pair:
+    -   Extract the public key from the key pair:
         ```
         openssl rsa -in esp_image_encryption_key.pem -pubout -out esp_image_encryption_public_key.pem
         ```
 
-2. Encrypt the application binary using the
-   [esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py)
-   script.
+2.  Encrypt the application binary using the
+    [esp_enc_img_gen.py](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/tools/esp_enc_img_gen.py)
+    script.
 
-    - Use the following command to encrypt the OTA image with the public key:
+    Use the following command to encrypt the OTA image with the public key:
 
-        ```
-        python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin
-        ```
+    ```
+    python3 esp_enc_img_gen.py encrypt lighting-app.bin esp_image_encryption_public_key.pem lighting-app-encrypted.bin
+    ```
 
-    - Append the Matter OTA header:
-        ```
-        src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 --version 2 --version-str "v2.0" -da sha256 lighting-app-encrypted.bin lighting-app-encrypted-ota.bin
-        ```
+    Optionally, you can use the cmake function `create_esp_enc_img()` to encrypt
+    the OTA image during the build process. Please find the usage below. This is
+    also demonstrated in the `examples/lighting-app/esp32/main/CMakeLists.txt`
+    file.
+
+    ```
+    create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
+                       ${project_dir}/esp_image_encryption_public_key.pem
+                       ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin
+                       app)
+    ```
+
+3.  Append the Matter OTA header
+
+    ```
+    src/app/ota_image_tool.py create --vendor-id 0xFFF1 --product-id 0x8000 \
+                                     --version 2 --version-str "v2.0" -da sha256 \
+                                     lighting-app-encrypted.bin lighting-app-encrypted-ota.bin
+    ```
 
-3. Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app.
+4.  Use the `lighting-app-encrypted-ota.bin` file with the OTA Provider app.
 
 ## Delta OTA
 

@@ -82,6 +82,13 @@ target_compile_options(${COMPONENT_LIB} PUBLIC
            "-DCHIP_ADDRESS_RESOLVE_IMPL_INCLUDE_HEADER=<lib/address_resolve/AddressResolve_DefaultImpl.h>"
 )
 
+if (CONFIG_ENABLE_ENCRYPTED_OTA)
+	create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
+			   ${project_dir}/esp_image_encryption_public_key.pem
+			   ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}-encrypted.bin
+			   app)
+endif()
+
 if (CONFIG_ENABLE_PW_RPC)
 
 get_filename_component(CHIP_ROOT ${CMAKE_SOURCE_DIR}/third_party/connectedhomeip REALPATH)