PlatformIO Community

Troubles with secure boot signature verification key

Hello guys!
I have ESP-WROOM-32 module and make project using secure boot.
Secure boot version is 1.
ESP-IDF framework version is 4.4.1.
I don’t use signing images during build.
I need that signing with a private key will be proceed after build, on another machine.
So, in build process i use signature_verification_key.bin and secure-bootloader-key-256.bin.

There are 3 problems.

1st of them i solved using pre-build script.
Trouble is that i must put by myself secure-bootloader-key-256.bin at the .pio\build\esp32-devkit-v1-secureboot\bootloader directory each build.

2nd problem is strange…
In platformio.ini i should set build embed files.
board_build.embed_files = …/…/Resource/SecureBoot/Keys/signature_verification_key.bin
But it’s not enough.
It’s need to put signature_verification_key.bin.S file to .pio\build\esp32-devkit-v1-secureboot\bootloader directory also, not only root of build.
Ok, i also solved this trouble with pre-build script.

But 3rd problem is terrible!
I have bootloader build error!
And trouble is deep in esp-idf cmake script.
Look at the .platformio\packages\framework-espidf\components\bootloader_support\CMakeLists.txt at the line 104.
There you can see variable ${SECURE_BOOT_VERIFICATION_KEY} that is not defined anywhere!!!

So, the question is, where i can find it?
How can i define it?
Where i was wrong with secure boot build process?

My temporally fix is adding a few lines of code to esp-idf cmake script to define that variable and use CONFIG_SECURE_BOOT_VERIFICATION_KEY for finding absolute path to key (relative path impossible cause PROJECT_DIR variable value is .platformio\packages\framework-espidf\components\bootloader_support.

string(FIND ${SDKCONFIG} “/” dtLastSlashIndex REVERSE)
string(SUBSTRING ${SDKCONFIG} 0 ${dtLastSlashIndex} dtProjPath)
string(CONCAT SECURE_BOOT_VERIFICATION_KEY ${dtProjPath} “/” ${CONFIG_SECURE_BOOT_VERIFICATION_KEY})

Снимок

But i should not change anything in esp-idf framework.
That is not correct.
I should only use framework for my projects without any changes.

That’s why i asking your help.

Secure boot is sadly still not supported (https://github.com/platformio/platform-espressif32/issues/305), it’s on the developers to add support.