esp32: Merge with master up to version 1.17.2.b1.

Author: Daniel Campora

.gitignore

@@ -42,3 +42,11 @@ user.props
 .project
 .pydevproject
 .settings
+
+# Key files (for Flash Encryption and Secure Boot)
+secure_boot_signing_key.pem
+signature_verification_key.bin
+secure-bootloader-key.bin
+flash_encryption_key.bin
+ 
+.DS_Store

Jenkinsfile

@@ -21,21 +21,13 @@ node {
           make all'''
     }
 
-    stage('IDF-LIBS') {
-        // build the libs from esp-idf
-       sh '''export PATH=$PATH:/opt/xtensa-esp32-elf/bin;
-        		 export IDF_PATH=${WORKSPACE}/esp-idf;
-        		 cd $IDF_PATH/examples/wifi/scan;
-        		 make clean && make all'''
-    }
-
- 	for (board in boards_to_build) {
-		stage(board) {
-			def parallelSteps = [:]
+    stage('firmware-build') {
+        def parallelSteps = [:]
+ 	    for (board in boards_to_build) {
             def board_u = board.toUpperCase()
         		parallelSteps[board] = boardBuild(board)
-        		parallel parallelSteps
   		}
+  		parallel parallelSteps
   	}
 
     stash includes: '**/*.bin', name: 'binary'
@@ -89,7 +81,7 @@ def boardBuild(name) {
         cd firmware_package;
         cp ../bootloader/bootloader.bin .;
         mv ../application.elf ''' + release_dir + name + "-" + PYCOM_VERSION + '''-application.elf;
-        cp ../appimg.bin .;
+        cp ../''' + app_bin + ''' appimg.bin;
         cp ../lib/partitions.bin .;
         cp ../../../../boards/''' + name_short + '''/''' + name_u + '''/script .;
         cp ../''' + app_bin + ''' .;
@@ -111,7 +103,7 @@ def flashBuild(short_name) {
       sh 'python esp32/tools/pypic.py --port ' + device_name +' --enter'
       sh 'esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port ' + device_name +' --baud 921600 erase_flash'
       sh 'python esp32/tools/pypic.py --port ' + device_name +' --enter'
-      sh 'esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port ' + device_name +' --baud 921600 --before no_reset --after no_reset write_flash -pz --flash_mode dio --flash_freq 80m --flash_size detect 0x1000 esp32/build/'+ board_name_u +'/release/bootloader/bootloader.bin 0x8000 esp32/build/'+ board_name_u +'/release/lib/partitions.bin 0x10000 esp32/build/'+ board_name_u +'/release/appimg.bin'
+      sh 'esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port ' + device_name +' --baud 921600 --before no_reset --after no_reset write_flash -pz --flash_mode dio --flash_freq 80m --flash_size detect 0x1000 esp32/build/'+ board_name_u +'/release/bootloader/bootloader.bin 0x8000 esp32/build/'+ board_name_u +'/release/lib/partitions.bin 0x10000 esp32/build/'+ board_name_u +'/release/' + board_name_u.toLowerCase() + '.bin'
       sh 'python esp32/tools/pypic.py --port ' + device_name +' --exit'
     }
   }

README.md

@@ -16,7 +16,7 @@ MicroPython implements the entire Python 3.4 syntax (including exceptions,
 The following core datatypes are provided: str (including basic Unicode
 support), bytes, bytearray, tuple, list, dict, set, frozenset, array.array,
 collections.namedtuple, classes and instances. Builtin modules include sys,
-time, and struct, etc. Select ports have support for _thread module
+time, and struct, etc. Select ports have support for `_thread` module
 (multithreading). Note that only subset of Python 3.4 functionality
 implemented for the data types and modules.
 
@@ -142,5 +142,88 @@ To build and flash a LoPy:
 The above also applies to the FiPy and LoPy4
 
 Make sure that your board is placed into programming mode, otherwise flashing will fail.<br>
-PyTrack and PySense boards will automatically switch into programming mode (currently supported on MacOS and Linux only!)<br>
+PyTrack and PySense boards will automatically switch into programming mode<br>
+(currently supported on MacOS and Linux only!)<br><br>
 Expansion Board 2.0 users, please connect ``P2`` to ``GND`` and then reset the board.
+
+## Steps for using Secure Boot and Flash Encryption
+
+### Summary
+
+1. Obtain keys (for Secure Boot and Flash Encryption)
+2. Flash keys and parameters in efuses
+3. Compile bootloader and application with `make SECURE=on`
+4. Flash: bootloader-digest at address 0x0 and encrypted; all the others (partitions and application) encrypted, too.
+
+### Prerequisites
+
+    $ export $IDF_PATH=<pycom-esp-idf_PATH>
+    $ cd esp32
+
+Hold valid keys for Flash Encryption and Secure Boot; they can be generated randomly with the following commands:
+
+    python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_flash_encryption_key flash_encryption_key.bin
+    python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_signing_key secure_boot_signing_key.pem
+
+The Secure Boot key `secure_boot_signing_key.pem` has to be transformed into `secure-bootloader-key.bin`, to be burnt into efuses. This can be done in 2 ways:
+
+    python $IDF_PATH/components/esptool_py/esptool/espefuse.py extract_public_key --keyfile secure_boot_signing_key.pem signature_verification_key.bin
+
+    # or, as an artifact of the make build process, on the same directory level as Makefile
+    make BOARD=GPY SECURE=on TARGET=boot
+
+Flash keys (`flash_encryption_key.bin` and `secure-bootloader-key.bin`) into the efuses (write and read protected):
+
+**_Note: Irreversible operations_**
+
+    # Burning Encryption Key
+    python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption flash_encryption_key.bin
+    # Burning Secure Boot Key
+    python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key secure_boot secure-bootloader-key.bin
+    # Enabling Flash Encryption mechanism
+    python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CNT
+    # Configuring Flash Encryption to use all address bits togheter with Encryption key (max value 0x0F)
+    python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CONFIG 0x0F
+    # Enabling Secure Boot mechanism
+    python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse ABS_DONE_0
+
+**_If the keys are not written in efuse, before flashing the bootloader, then random keys will be generated by the ESP32, they can never be read nor re-written, so bootloader can never be updated. Even more, the application can be re-flashed (by USB) just 3 more times._**
+
+### Makefile options:
+
+    make BOARD=GPY SECURE=on SECURE_KEY=secure_boot_signing_key.pem ENCRYPT_KEY=flash_encryption_key.bin TARGET=[boot|app]
+
+- `SECURE=on` is the main flag; it's not optional
+- if `SECURE=on` by default:
+    - encryption is enabled        
+    - secure_boot_signing_key.pem is the secure boot key, located relatively to Makefile
+    - flash_encryption_key.bin is the flash encryption key, located relatively to Makefile
+
+For flashing the bootloader digest and the encrypted versions of all binaries:
+
+    make BOARD=GPY SECURE=on flash
+
+### Flashing
+
+For flashing the bootloader-reflash-digest.bin has to be written at address 0x0, instead of the bootloader.bin (at address 0x1000).
+
+Build is done using `SECURE=on` option; additionally, all the binaries are pre-encrypted.
+
+    make BOARD=GPY clean
+    make BOARD=GPY SECURE=on TARGET=boot
+    make BOARD=GPY SECURE=on TARGET=app
+    make BOARD=GPY SECURE=on flash
+
+Manual flash command:
+
+    python $IDF_PATH/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before no_reset --after no_reset write_flash -z --flash_mode dio --flash_freq 80m --flash_size detect 0x0 build/GPY/release/bootloader/bootloader-reflash-digest.bin_enc 0x8000 build/GPY/release/lib/partitions.bin_enc 0x10000 build/GPY/release/gpy.bin_enc_0x10000
+
+### OTA update
+
+The OTA should be done using the pre-encrypted application image.
+
+Because the encryption is done based on the physical flash address, there are 2 application binaries generated:
+- gpy.bin_enc_0x10000 which has to be written at default factory address: 0x10000
+- gpy.bin_enc_0x1A0000 which has to be written at the ota_0 partition address (0x1A0000)
+
+*__Hint:__ on micropython interface, the method `pycom.ota_slot()` responds with the address of the next OTA partition available (either 0x10000 or 0x1A0000).*

drivers/sx127x/sx1272/sx1272.c

@@ -33,6 +33,7 @@ Maintainer: Miguel Luis and Gregory Cristian
 #include "sx1272.h"
 #include "sx1272-board.h"
 #include "esp_attr.h"
+#include "esp32_mphal.h"
 
 /*
  * Local types definition
@@ -1054,8 +1055,6 @@ static IRAM_ATTR void SX1272OnDioIrq (void) {
     }
 }
 
-extern uint64_t system_get_rtc_time(void);
-
 IRAM_ATTR void SX1272OnDio0Irq( void )
 {
     volatile uint8_t irqFlags = 0;
@@ -1073,7 +1072,7 @@ IRAM_ATTR void SX1272OnDio0Irq( void )
                     int8_t snr = 0;
 
                     // Store the packet timestamp
-                    SX1272.Settings.LoRaPacketHandler.TimeStamp = system_get_rtc_time();
+                    SX1272.Settings.LoRaPacketHandler.TimeStamp = mp_hal_ticks_us();
 
                     // Clear Irq
                     SX1272Write( REG_LR_IRQFLAGS, RFLR_IRQFLAGS_RXDONE );

drivers/sx127x/sx1276/sx1276.c

@@ -33,6 +33,7 @@ Maintainer: Miguel Luis, Gregory Cristian and Wael Guibene
 #include "sx1276.h"
 #include "sx1276-board.h"
 #include "esp_attr.h"
+#include "esp32_mphal.h"
 
 /*
  * Local types definition
@@ -1219,8 +1220,6 @@ static IRAM_ATTR void SX1276OnDioIrq (void) {
     }
 }
 
-extern uint64_t system_get_rtc_time(void);
-
 IRAM_ATTR void SX1276OnDio0Irq( void )
 {
     volatile uint8_t irqFlags = 0;
@@ -1238,7 +1237,7 @@ IRAM_ATTR void SX1276OnDio0Irq( void )
                     int8_t snr = 0;
 
                     // Store the packet timestamp
-                    SX1276.Settings.LoRaPacketHandler.TimeStamp = system_get_rtc_time();
+                    SX1276.Settings.LoRaPacketHandler.TimeStamp = mp_hal_ticks_us();
 
                     // Clear Irq
                     SX1276Write( REG_LR_IRQFLAGS, RFLR_IRQFLAGS_RXDONE );

esp32/Makefile

@@ -23,6 +23,32 @@ BTYPE ?= release
 
 BUILD = build/$(BOARD)/$(BTYPE)
 
+# by default Secure Boot and Flash Encryption are disabled
+SECURE ?= off
+
+ifeq ($(SECURE), on)
+	# filename of the private key, used for 2 things:
+	# 1. signing partitions.bin and board.bin
+	# 2. extracting public key, which is embedded into bootloader.bin
+	# Generation is done using command:
+	# espsecure.py generate_signing_key secure_boot_signing_key.pem
+	SECURE_KEY ?= secure_boot_signing_key.pem
+
+    # Flash Encryption key is generated using command:
+	# espsecure.py generate_flash_encryption_key flash_encryption_key.bin
+	# Writing it is done using:
+	# espefuse.py --port PORT burn_key flash_encryption flash_encryption_key.bin
+    	ENCRYPT_KEY ?= flash_encryption_key.bin
+else
+$(info Use make SECURE=on [optionally SECURE_KEY ?= secure_boot_signing_key.pem] to enable Secure Boot and Flash Encryption mechanisms.)
+endif # ifeq ($(SECURE), on)
+
+# Default path to the project: we assume the Makefile including this file
+# is in the project directory
+ifndef PROJECT_PATH
+PROJECT_PATH := $(abspath $(dir $(firstword $(MAKEFILE_LIST))))
+endif
+
 FROZEN_MPY_DIR = frozen
 
 include ../py/mkenv.mk
@@ -55,7 +81,7 @@ LIBS = -L$(ESP_IDF_COMP_PATH)/esp32/lib -L$(ESP_IDF_COMP_PATH)/esp32/ld -L$(ESP_
        $(ESP_IDF_COMP_PATH)/newlib/lib/libm-psram-workaround.a \
        $(ESP_IDF_COMP_PATH)/newlib/lib/libc-psram-workaround.a \
        -lfreertos -ljson -ljsmn -llwip -lnewlib -lvfs -lopenssl -lmbedtls -lwpa_supplicant \
-       -lxtensa-debug-module -lbt -lsdmmc -lsoc -lheap -u ld_include_panic_highint_hdl \
+       -lxtensa-debug-module -lbt -lsdmmc -lsoc -lheap -lbootloader_support -lmicro-ecc -u ld_include_panic_highint_hdl \
 
 ifeq ($(BOARD), $(filter $(BOARD), FIPY))
     LIBS += sigfox/modsigfox_fipy.a
@@ -73,6 +99,9 @@ B_LIBS = -Lbootloader/lib -Lbootloader -L$(BUILD)/bootloader -L$(ESP_IDF_COMP_PA
          -L$(ESP_IDF_COMP_PATH)/esp32/lib -llog -lcore -lbootloader_support \
          -lspi_flash -lsoc -lmicro-ecc -lgcc -lstdc++ -lgcov
 
+# objcopy paramters, to transform a binary file into an object file
+OBJCOPY_EMBED_ARGS = --input-target binary --output-target elf32-xtensa-le --binary-architecture xtensa --rename-section .data=.rodata.embedded
+
 # qstr definitions (must come before including py.mk)
 QSTR_DEFS = qstrdefsport.h $(BUILD)/pins_qstr.h
 # include py core make definitions