feat(pre_encrypted_ota): Moved pre_encrypted_ota example

1. Moved pre_encrypted_ota example from esp-idf to idf-extra-component. 2. Created server on app side 3. Flashed the pre_encrypted_ota_secure.bin in OTA1 4. Provided the URI and binary size from the pytest
espressif · Dec 9, 2024 · d0b9160 · d0b9160
1 parent d402e9c
commit d0b9160
Show file tree

Hide file tree

Showing 20 changed files with 834 additions and 0 deletions.
diff --git a/.build-test-rules.yml b/.build-test-rules.yml
@@ -19,6 +19,11 @@ esp_delta_ota:
     - if: SOC_WIFI_SUPPORTED != 1
       reason: Relevant only for WiFi enabled targets
 
+esp_encrypted_img/examples/pre_encrypted_ota:
+  disable:
+    - if: IDF_TARGET not in ["esp32"]
+      reason: Unable to recieve correct data from pytest
+
 sh2lib/examples/http2_request:
   enable:
     - if: IDF_VERSION_MAJOR > 4 and INCLUDE_DEFAULT == 1

diff --git a/esp_encrypted_img/examples/pre_encrypted_ota/CMakeLists.txt b/esp_encrypted_img/examples/pre_encrypted_ota/CMakeLists.txt
@@ -0,0 +1,17 @@
+# For more information about build system see
+# https://docs.espressif.com/projects/esp-idf/en/latest/api-guides/build-system.html
+# The following five lines of boilerplate have to be in your project's
+# CMakeLists in this exact order for cmake to work correctly
+cmake_minimum_required(VERSION 3.16)
+
+include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+project(pre_encrypted_ota)
+
+# Flash the pre_encrypted_ota_secure.bin to the OTA 1 partition.
+if(CONFIG_EXAMPLE_ENABLE_CI_TEST)
+    set(partition ota_1)
+    idf_build_get_property(build_dir BUILD_DIR)
+    set(image_file ${build_dir}/pre_encrypted_ota_secure.bin)
+    partition_table_get_partition_info(offset "--partition-name ${partition}" "offset")
+    esptool_py_flash_target_image(flash "${partition}" "${offset}" "${image_file}")
+endif()
diff --git a/esp_encrypted_img/examples/pre_encrypted_ota/README.md b/esp_encrypted_img/examples/pre_encrypted_ota/README.md
@@ -0,0 +1,58 @@
+| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-C61 | ESP32-P4 | ESP32-S2 | ESP32-S3 |
+| ----------------- | ----- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- |
+
+# Encrypted Binary OTA
+
+This example demonstrates OTA updates with pre-encrypted binary using `esp_encrypted_img` component's APIs and tool.
+
+Pre-encrypted firmware binary must be hosted on OTA update server.
+This firmware will be fetched and then decrypted on device before being flashed.
+This allows firmware to remain `confidential` on the OTA update channel irrespective of underlying transport (e.g., non-TLS).
+
+* **NOTE:** Pre-encrypted OTA is a completely different scheme from Flash Encryption. Pre-encrypted OTA helps in ensuring the confidentiality of the firmware on the network channel, whereas Flash Encryption is intended for encrypting the contents of the ESP32's off-chip flash memory.
+
+> [!CAUTION]
+> Using the Pre-encrypted Binary OTA provides confidentiality of the firmware, but it does not ensure authenticity of the firmware. For ensuring that the firmware is coming from trusted source, please consider enabling secure boot feature along with the Pre-encrypted binary OTA. Please refer to security guide in the ESP-IDF docs for more details.
+
+## ESP Encrypted Image Abstraction Layer
+
+This example uses `esp_encrypted_img` component hosted at [idf-extra-components/esp_encrypted_img](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img) and available though the [IDF component manager](https://components.espressif.com/component/espressif/esp_encrypted_img).
+
+Please refer to its documentation [here](https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img/README.md) for more details.
+
+
+## How to use the example
+
+To create self-signed certificate and key, refer to README.md in upper level 'examples' directory. This certificate should be flashed with binary as it will be used for connection with server.
+
+### Creating RSA key for encryption
+
+You can generate a public and private RSA key pair using following commands:
+
+`openssl genrsa -out rsa_key/private.pem 3072`
+
+This generates a 3072-bit RSA key pair, and writes them to a file.
+
+Private key is required for decryption process and is used as input to the `esp_encrypted_img` component. Private key can either be embedded into the firmware or stored in NVS.
+
+Encrypted image generation tool will derive public key (from private key) and use it for encryption purpose.
+
+* **NOTE:** We highly recommend the use of flash encryption or NVS encryption to protect the RSA Private Key on the device.
+* **NOTE:** RSA key provided in the example is for demonstration purpose only. We recommend to create a new key for production applications.
+
+### How to take firware URL from STDIN
+
+You can take the firmware URL (or other data, just include the data with URL using " " deliminator) by enabling both CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN and CONFIG_EXAMPLE_ENABLE_CI_TEST configs.
+
+## Build and Flash example
+
+```
+idf.py build flash
+```
+
+* An encrypted image is automatically generated by build system. Upload the generated encrypted image (`build/pre_encrypted_ota_secure.bin`) to a server for performing OTA update.
+
+
+## Configuration
+
+Refer the README.md in the parent directory for the setup details.
diff --git a/esp_encrypted_img/examples/pre_encrypted_ota/conftest.py b/esp_encrypted_img/examples/pre_encrypted_ota/conftest.py
@@ -0,0 +1,16 @@
+import logging
+import os
+
+import pytest
+from _pytest.fixtures import FixtureRequest
+from pytest_embedded.plugin import multi_dut_fixture
+
+@pytest.fixture
+@multi_dut_fixture
+def build_dir(target: str, config: str) -> str:
+    return f'build_{target}_{config}'
+
+@pytest.fixture
+@multi_dut_fixture
+def config(request: FixtureRequest) -> str:
+    return getattr(request, 'param', None) or "default"
diff --git a/esp_encrypted_img/examples/pre_encrypted_ota/main/CMakeLists.txt b/esp_encrypted_img/examples/pre_encrypted_ota/main/CMakeLists.txt
@@ -0,0 +1,23 @@
+idf_build_get_property(project_dir PROJECT_DIR)
+
+if(CONFIG_EXAMPLE_ENABLE_CI_TEST)
+    list(APPEND SRCS
+        "test_dir/test_local_server_ota.c")
+    list(APPEND INCLUDE_DIRS "test_dir")
+    list(APPEND EMBED_TXTFILES "test_dir/certs/servercert.pem"
+                               "test_dir/certs/prvtkey.pem")
+endif()
+
+idf_component_register(SRCS "pre_encrypted_ota.c" ${SRCS}
+                    PRIV_REQUIRES esp_http_client app_update esp_https_ota nvs_flash esp_netif esp_wifi esp_netif esp_partition
+                    INCLUDE_DIRS "." ${INCLUDE_DIRS}
+                    EMBED_TXTFILES ${project_dir}/server_certs/ca_cert.pem
+                                   ${project_dir}/rsa_key/private.pem
+                                   ${EMBED_TXTFILES})
+
+create_esp_enc_img(${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}.bin
+    ${project_dir}/rsa_key/private.pem ${CMAKE_BINARY_DIR}/${CMAKE_PROJECT_NAME}_secure.bin app)
+
+if(CONFIG_EXAMPLE_ENABLE_CI_TEST)
+    target_link_libraries(${COMPONENT_LIB} PRIVATE idf::esp_https_server)
+endif()
diff --git a/esp_encrypted_img/examples/pre_encrypted_ota/main/Kconfig.projbuild b/esp_encrypted_img/examples/pre_encrypted_ota/main/Kconfig.projbuild
@@ -0,0 +1,51 @@
+menu "Example Configuration"
+
+    config EXAMPLE_FIRMWARE_UPGRADE_URL
+        string "firmware upgrade url endpoint"
+        default "https://192.168.0.3:8070/hello_world.bin"
+        help
+            URL of server which hosts the encrypted firmware image.
+
+    config EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN
+        bool
+        default y if EXAMPLE_FIRMWARE_UPGRADE_URL = "FROM_STDIN"
+
+    config EXAMPLE_SKIP_COMMON_NAME_CHECK
+        bool "Skip server certificate CN fieldcheck"
+        default n
+        help
+            This allows you to skip the validation of OTA server certificate CN field.
+
+    config EXAMPLE_SKIP_VERSION_CHECK
+        bool "Skip firmware version check"
+        default n
+        help
+            This allows you to skip the firmware version check.
+
+    config EXAMPLE_OTA_RECV_TIMEOUT
+        int "OTA Receive Timeout"
+        default 5000
+        help
+            Maximum time for reception
+
+    config EXAMPLE_ENABLE_PARTIAL_HTTP_DOWNLOAD
+        bool "Enable partial HTTP download"
+        default n
+        help
+            This enables use of Range header in esp_https_ota component.
+            Firmware image will be downloaded over multiple HTTP requests.
+
+    config EXAMPLE_HTTP_REQUEST_SIZE
+        int "HTTP request size"
+        default MBEDTLS_SSL_IN_CONTENT_LEN
+        depends on EXAMPLE_ENABLE_PARTIAL_HTTP_DOWNLOAD
+        help
+            This options specifies HTTP request size. Number of bytes specified
+            in this option will be downloaded in single HTTP request.
+
+    config EXAMPLE_ENABLE_CI_TEST
+        bool "Enbale the CI test code"
+        default n
+        help
+            This enables the CI test code i.e. https local server code.
+endmenu
diff --git a/esp_encrypted_img/examples/pre_encrypted_ota/main/idf_component.yml b/esp_encrypted_img/examples/pre_encrypted_ota/main/idf_component.yml
@@ -0,0 +1,6 @@
+dependencies:
+  espressif/esp_encrypted_img:
+      version: "^2.0.1"
+      override_path: ../../../
+  protocol_examples_common:
+    path: ${IDF_PATH}/examples/common_components/protocol_examples_common