Skip to content

Commit

Permalink
feat(esp_encrypted_img): Added pre_encrypted_ota example
Browse files Browse the repository at this point in the history
Added the pre_encrypted_ota example in esp_encrypted_img
component

Closes IDF-7818
  • Loading branch information
hrushikesh430 committed Nov 11, 2024
1 parent 9634f8d commit c34f74e
Show file tree
Hide file tree
Showing 14 changed files with 626 additions and 14 deletions.
28 changes: 14 additions & 14 deletions .github/workflows/build_and_run_apps.yml
Original file line number Diff line number Diff line change
Expand Up @@ -72,11 +72,11 @@ jobs:
fail-fast: false
matrix:
idf_ver:
- "release-v5.0"
- "release-v5.1"
- "release-v5.2"
# - "release-v5.0"
# - "release-v5.1"
# - "release-v5.2"
- "release-v5.3"
- "latest"
# - "latest"
parallel_index: [1,2,3,4,5] # Update --parallel-count below when changing this
runs-on: ubuntu-22.04
container: espressif/idf:${{ matrix.idf_ver }}
Expand Down Expand Up @@ -122,28 +122,28 @@ jobs:
fail-fast: false
matrix:
idf_ver:
- "release-v5.0"
- "release-v5.1"
- "release-v5.2"
# - "release-v5.0"
# - "release-v5.1"
# - "release-v5.2"
- "release-v5.3"
- "latest"
# - "latest"
runner:
- runs-on: "esp32"
- runs-on: '["self-hosted", "linux", "docker", "esp32"]'
marker: "generic"
target: "esp32"
- runs-on: "ESP32-ETHERNET-KIT"
- runs-on: '["self-hosted", "linux", "ESP32-ETHERNET-KIT"]'
marker: "ethernet"
target: "esp32"
- runs-on: "spi_nand_flash"
- runs-on: '["self-hosted", "linux", "docker", "spi_nand_flash"]'
marker: "spi_nand_flash"
target: "esp32"
env:
TEST_RESULT_NAME: test_results_${{ matrix.runner.target }}_${{ matrix.runner.marker }}_${{ matrix.idf_ver }}
TEST_RESULT_FILE: test_results_${{ matrix.runner.target }}_${{ matrix.runner.marker }}_${{ matrix.idf_ver }}.xml
runs-on: [self-hosted, linux, docker, "${{ matrix.runner.runs-on }}"]
runs-on: ${{ fromjson(matrix.runner.runs-on) }}
container:
image: python:3.11-bookworm
options: --privileged # Privileged mode has access to serial ports
options: "--privileged -p 8001:8001" # Privileged mode has access to serial ports
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
Expand All @@ -153,7 +153,7 @@ jobs:
- name: Install Python packages
env:
PIP_EXTRA_INDEX_URL: "https://dl.espressif.com/pypi/"
run: pip install --prefer-binary cryptography pytest-embedded pytest-embedded-serial-esp pytest-embedded-idf pytest-custom_exit_code
run: pip install --prefer-binary cryptography pytest-embedded pytest-embedded-serial-esp pytest-embedded-idf pytest-custom_exit_code rangehttpserver
- name: Run apps
run: |
python3 .github/get_pytest_args.py --target=${{ matrix.runner.target }} -v 'build_info*.json' pytest-args.txt
Expand Down
8 changes: 8 additions & 0 deletions esp_encrypted_img/examples/pre_encrypted_ota/CMakeLists.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# For more information about build system see
# https://docs.espressif.com/projects/esp-idf/en/latest/api-guides/build-system.html
# The following five lines of boilerplate have to be in your project's
# CMakeLists in this exact order for cmake to work correctly
cmake_minimum_required(VERSION 3.16)

include($ENV{IDF_PATH}/tools/cmake/project.cmake)
project(pre_encrypted_ota)
54 changes: 54 additions & 0 deletions esp_encrypted_img/examples/pre_encrypted_ota/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-C61 | ESP32-P4 | ESP32-S2 | ESP32-S3 |
| ----------------- | ----- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- |

# Encrypted Binary OTA

This example demonstrates OTA updates with pre-encrypted binary using `esp_encrypted_img` component's APIs and tool.

Pre-encrypted firmware binary must be hosted on OTA update server.
This firmware will be fetched and then decrypted on device before being flashed.
This allows firmware to remain `confidential` on the OTA update channel irrespective of underlying transport (e.g., non-TLS).

* **NOTE:** Pre-encrypted OTA is a completely different scheme from Flash Encryption. Pre-encrypted OTA helps in ensuring the confidentiality of the firmware on the network channel, whereas Flash Encryption is intended for encrypting the contents of the ESP32's off-chip flash memory.

> [!CAUTION]
> Using the Pre-encrypted Binary OTA provides confidentiality of the firmware, but it does not ensure authenticity of the firmware. For ensuring that the firmware is coming from trusted source, please consider enabling secure boot feature along with the Pre-encrypted binary OTA. Please refer to security guide in the ESP-IDF docs for more details.
## ESP Encrypted Image Abstraction Layer

This example uses `esp_encrypted_img` component hosted at [idf-extra-components/esp_encrypted_img](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img) and available though the [IDF component manager](https://components.espressif.com/component/espressif/esp_encrypted_img).

Please refer to its documentation [here](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/README.md) for more details.


## How to use the example

To create self-signed certificate and key, refer to README.md in upper level 'examples' directory. This certificate should be flashed with binary as it will be used for connection with server.

### Creating RSA key for encryption

You can generate a public and private RSA key pair using following commands:

`openssl genrsa -out rsa_key/private.pem 3072`

This generates a 3072-bit RSA key pair, and writes them to a file.

Private key is required for decryption process and is used as input to the `esp_encrypted_img` component. Private key can either be embedded into the firmware or stored in NVS.

Encrypted image generation tool will derive public key (from private key) and use it for encryption purpose.

* **NOTE:** We highly recommend the use of flash encryption or NVS encryption to protect the RSA Private Key on the device.
* **NOTE:** RSA key provided in the example is for demonstration purpose only. We recommend to create a new key for production applications.

## Build and Flash example

```
idf.py build flash
```

* An encrypted image is automatically generated by build system. Upload the generated encrypted image (`build/pre_encrypted_ota_secure.bin`) to a server for performing OTA update.


## Configuration

Refer the README.md in the parent directory for the setup details.
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
idf_build_get_property(project_dir PROJECT_DIR)
idf_component_register(SRCS "pre_encrypted_ota.c"
INCLUDE_DIRS "."
EMBED_TXTFILES ${project_dir}/server_certs/ca_cert.pem
${project_dir}/rsa_key/private.pem)

create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
${project_dir}/rsa_key/private.pem ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}_secure.bin app)
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
menu "Example Configuration"

config EXAMPLE_FIRMWARE_UPGRADE_URL
string "firmware upgrade url endpoint"
default "https://192.168.0.3:8070/hello_world.bin"
help
URL of server which hosts the encrypted firmware image.

config EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN
bool
default y if EXAMPLE_FIRMWARE_UPGRADE_URL = "FROM_STDIN"

config EXAMPLE_SKIP_COMMON_NAME_CHECK
bool "Skip server certificate CN fieldcheck"
default n
help
This allows you to skip the validation of OTA server certificate CN field.

config EXAMPLE_SKIP_VERSION_CHECK
bool "Skip firmware version check"
default n
help
This allows you to skip the firmware version check.

config EXAMPLE_OTA_RECV_TIMEOUT
int "OTA Receive Timeout"
default 5000
help
Maximum time for reception

config EXAMPLE_ENABLE_PARTIAL_HTTP_DOWNLOAD
bool "Enable partial HTTP download"
default n
help
This enables use of Range header in esp_https_ota component.
Firmware image will be downloaded over multiple HTTP requests.

config EXAMPLE_HTTP_REQUEST_SIZE
int "HTTP request size"
default MBEDTLS_SSL_IN_CONTENT_LEN
depends on EXAMPLE_ENABLE_PARTIAL_HTTP_DOWNLOAD
help
This options specifies HTTP request size. Number of bytes specified
in this option will be downloaded in single HTTP request.
endmenu
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
dependencies:
espressif/esp_encrypted_img:
version: "^2.0.1"
override_path: ../../../
protocol_examples_common:
path: ${IDF_PATH}/examples/common_components/protocol_examples_common
Loading

0 comments on commit c34f74e

Please sign in to comment.