From 9e5e60ba4893b22f6bc6289a734415c365712461 Mon Sep 17 00:00:00 2001 From: Gustavo Henrique Nihei Date: Thu, 30 Dec 2021 11:58:24 -0300 Subject: [PATCH] esp32s2/esp32c3: Build MCUboot bootloader with Flash Encryption support --- arch/risc-v/src/esp32c3/Bootloader.mk | 7 ++ arch/risc-v/src/esp32c3/Kconfig | 2 + arch/risc-v/src/esp32c3/Kconfig.security | 94 +++++++++++++++++++++++- arch/xtensa/src/esp32/Kconfig.security | 4 +- arch/xtensa/src/esp32s2/Bootloader.mk | 7 ++ arch/xtensa/src/esp32s2/Kconfig | 10 +++ arch/xtensa/src/esp32s2/Kconfig.security | 94 +++++++++++++++++++++++- tools/esp32s2/Config.mk | 2 +- 8 files changed, 209 insertions(+), 11 deletions(-) diff --git a/arch/risc-v/src/esp32c3/Bootloader.mk b/arch/risc-v/src/esp32c3/Bootloader.mk index 5211259f66..ba399457da 100644 --- a/arch/risc-v/src/esp32c3/Bootloader.mk +++ b/arch/risc-v/src/esp32c3/Bootloader.mk @@ -78,7 +78,14 @@ ifeq ($(CONFIG_ESP32C3_APP_FORMAT_MCUBOOT),y) $(if $(CONFIG_ESP32C3_SECURE_BOOT_ALLOW_JTAG),$(call cfg_en,CONFIG_SECURE_BOOT_ALLOW_JTAG)) \ $(if $(CONFIG_ESP32C3_SECURE_BOOT_ALLOW_EFUSE_RD_DIS),$(call cfg_en,CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)) \ $(if $(CONFIG_ESP32C3_SECURE_DISABLE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_DISABLE_ROM_DL_MODE)) \ + $(if $(CONFIG_ESP32C3_SECURE_ENABLE_SECURE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE)) \ $(if $(CONFIG_ESP32C3_SECURE_INSECURE_ALLOW_DL_MODE),$(call cfg_en,CONFIG_SECURE_INSECURE_ALLOW_DL_MODE)) \ + $(if $(CONFIG_ESP32C3_SECURE_FLASH_ENC_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_ENC_ENABLED)) \ + $(if $(CONFIG_ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT)) \ + $(if $(CONFIG_ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_RELEASE),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE)) \ + $(if $(CONFIG_ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC)) \ + $(if $(CONFIG_ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE)) \ + $(if $(CONFIG_ESP32C3_SECURE_FLASH_REQUIRE_ALREADY_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED)) \ $(call cfg_val,CONFIG_ESP_BOOTLOADER_SIZE,0xF000) \ $(call cfg_val,CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS,$(CONFIG_ESP32C3_OTA_PRIMARY_SLOT_OFFSET)) \ $(call cfg_val,CONFIG_ESP_APPLICATION_SIZE,$(CONFIG_ESP32C3_OTA_SLOT_SIZE)) \ diff --git a/arch/risc-v/src/esp32c3/Kconfig b/arch/risc-v/src/esp32c3/Kconfig index a8356bbddb..7b3cdd1719 100644 --- a/arch/risc-v/src/esp32c3/Kconfig +++ b/arch/risc-v/src/esp32c3/Kconfig @@ -77,6 +77,8 @@ config ESP32C3_ESPTOOLPY_NO_STUB The flasher tool sends a precompiled download stub first by default. That stub allows things like compressed downloads and more. Usually you should not need to disable that feature. + It is only required to be disabled in certain scenarios when either + Secure Boot V2 or Flash Encryption is enabled. config ESP32C3_FLASH_DETECT bool "Auto-detect FLASH size" diff --git a/arch/risc-v/src/esp32c3/Kconfig.security b/arch/risc-v/src/esp32c3/Kconfig.security index d4876bd21c..250e33cacf 100644 --- a/arch/risc-v/src/esp32c3/Kconfig.security +++ b/arch/risc-v/src/esp32c3/Kconfig.security @@ -21,7 +21,7 @@ config ESP32C3_SECURE_BOOT if ESP32C3_SECURE_BOOT -comment "Secure Boot support requires building bootloader from source (ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE)" +comment "Secure Boot support requires building the bootloader from source (ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE)" depends on !ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE config ESP32C3_SECURE_BOOT_BUILD_SIGNED_BINARIES @@ -101,8 +101,54 @@ config ESP32C3_SECURE_BOOT_INSECURE endif # ESP32C3_SECURE_BOOT +comment "Flash Encryption" + +config ESP32C3_SECURE_FLASH_ENC_ENABLED + bool "Enable Flash Encryption on boot (READ HELP FIRST)" + default n + depends on ESP32C3_APP_FORMAT_MCUBOOT + ---help--- + If this option is set, flash contents will be encrypted by the bootloader on first boot. + + Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted + system is complicated and not always possible. + + Read https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/security/flash-encryption.html + before enabling. + +if ESP32C3_SECURE_FLASH_ENC_ENABLED + +comment "Flash Encryption support requires building the bootloader from source (ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE)" + depends on !ESP32C3_BOOTLOADER_BUILD_FROM_SOURCE + +choice ESP32C3_SECURE_FLASH_ENCRYPTION_MODE + bool "Enable usage mode" + default ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + By default, Development mode is enabled which allows ROM download mode to perform Flash Encryption + operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext + to flash). This mode is not secure, it's possible for an attacker to write their own chosen plaintext + to flash. + + Release mode should always be selected for production or manufacturing. Once enabled it's no longer + possible for the device in ROM Download Mode to use the Flash Encryption hardware. + + Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details: + https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/security/flash-encryption.html#flash-encryption-configuration + + config ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + bool "Development (NOT SECURE)" + select ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC + + config ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + bool "Release" + +endchoice + +endif # ESP32C3_SECURE_FLASH_ENC_ENABLED + menu "Potentially insecure options" - visible if ESP32C3_SECURE_BOOT_INSECURE + visible if ESP32C3_SECURE_BOOT_INSECURE || ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT # NOTE: Options in this menu NEED to have ESP32C3_SECURE_BOOT_INSECURE # and/or ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu @@ -113,7 +159,7 @@ menu "Potentially insecure options" config ESP32C3_SECURE_BOOT_ALLOW_JTAG bool "Allow JTAG Debugging" default n - depends on ESP32C3_SECURE_BOOT_INSECURE + depends on ESP32C3_SECURE_BOOT_INSECURE || ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT ---help--- If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot when either Secure Boot or Flash Encryption is enabled. @@ -143,12 +189,51 @@ config ESP32C3_SECURE_BOOT_ALLOW_EFUSE_RD_DIS then it is __NOT__ possible to read/write efuses using espefuse.py utility. However, efuse can be read/written from the application. +config ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC + bool "Leave UART bootloader encryption enabled" + default n + depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), the bootloader will permanently disable UART bootloader encryption access on + first boot. If set, the UART bootloader will still be able to access hardware encryption. + + It is recommended to only set this option in testing environments. + +config ESP32C3_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE + bool "Leave UART bootloader flash cache enabled" + default n + depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), the bootloader will permanently disable UART bootloader flash cache access on + first boot. If set, the UART bootloader will still be able to access the flash cache. + + Only set this option in testing environments. + +config ESP32C3_SECURE_FLASH_REQUIRE_ALREADY_ENABLED + bool "Require Flash Encryption to be already enabled" + default n + depends on ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), and Flash Encryption is not yet enabled in eFuses, the 2nd stage bootloader + will enable Flash Encryption: generate the Flash Encryption key and program eFuses. + If this option is set, and Flash Encryption is not yet enabled, the bootloader will error out and + reboot. + If Flash Encryption is enabled in eFuses, this option does not change the bootloader behavior. + + Only use this option in testing environments, to avoid accidentally enabling Flash Encryption on + the wrong device. The device needs to have Flash Encryption already enabled using espefuse.py. + endmenu # Potentially insecure options +config ESP32C3_SECURE_ROM_DL_MODE_ENABLED + bool + default y if !ESP32C3_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + choice ESP32C3_SECURE_UART_ROM_DL_MODE bool "UART ROM download mode" + default ESP32C3_SECURE_ENABLE_SECURE_ROM_DL_MODE if ESP32C3_SECURE_ROM_DL_MODE_ENABLED default ESP32C3_SECURE_INSECURE_ALLOW_DL_MODE - depends on ESP32C3_SECURE_BOOT + depends on ESP32C3_SECURE_BOOT || ESP32C3_SECURE_FLASH_ENC_ENABLED config ESP32C3_SECURE_DISABLE_ROM_DL_MODE bool "Permanently disabled (recommended)" @@ -167,6 +252,7 @@ choice ESP32C3_SECURE_UART_ROM_DL_MODE config ESP32C3_SECURE_ENABLE_SECURE_ROM_DL_MODE bool "Permanently switch to Secure mode (recommended)" + select ESP32C3_ESPTOOLPY_NO_STUB ---help--- If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM Download Mode into a separate Secure Download mode. This option can only work if diff --git a/arch/xtensa/src/esp32/Kconfig.security b/arch/xtensa/src/esp32/Kconfig.security index b79b2f506c..1422b23e55 100644 --- a/arch/xtensa/src/esp32/Kconfig.security +++ b/arch/xtensa/src/esp32/Kconfig.security @@ -20,7 +20,7 @@ config ESP32_SECURE_BOOT if ESP32_SECURE_BOOT -comment "Secure Boot support requires building bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)" +comment "Secure Boot support requires building the bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)" depends on !ESP32_BOOTLOADER_BUILD_FROM_SOURCE config ESP32_SECURE_BOOT_BUILD_SIGNED_BINARIES @@ -117,7 +117,7 @@ config ESP32_SECURE_FLASH_ENC_ENABLED if ESP32_SECURE_FLASH_ENC_ENABLED -comment "Flash Encryption support requires building bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)" +comment "Flash Encryption support requires building the bootloader from source (ESP32_BOOTLOADER_BUILD_FROM_SOURCE)" depends on !ESP32_BOOTLOADER_BUILD_FROM_SOURCE choice ESP32_SECURE_FLASH_ENCRYPTION_MODE diff --git a/arch/xtensa/src/esp32s2/Bootloader.mk b/arch/xtensa/src/esp32s2/Bootloader.mk index 3ad1fc0f5a..54248dfe50 100644 --- a/arch/xtensa/src/esp32s2/Bootloader.mk +++ b/arch/xtensa/src/esp32s2/Bootloader.mk @@ -78,7 +78,14 @@ ifeq ($(CONFIG_ESP32S2_APP_FORMAT_MCUBOOT),y) $(if $(CONFIG_ESP32S2_SECURE_BOOT_ALLOW_JTAG),$(call cfg_en,CONFIG_SECURE_BOOT_ALLOW_JTAG)) \ $(if $(CONFIG_ESP32S2_SECURE_BOOT_ALLOW_EFUSE_RD_DIS),$(call cfg_en,CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)) \ $(if $(CONFIG_ESP32S2_SECURE_DISABLE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_DISABLE_ROM_DL_MODE)) \ + $(if $(CONFIG_ESP32S2_SECURE_ENABLE_SECURE_ROM_DL_MODE),$(call cfg_en,CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE)) \ $(if $(CONFIG_ESP32S2_SECURE_INSECURE_ALLOW_DL_MODE),$(call cfg_en,CONFIG_SECURE_INSECURE_ALLOW_DL_MODE)) \ + $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_ENC_ENABLED)) \ + $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT)) \ + $(if $(CONFIG_ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_RELEASE),$(call cfg_en,CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE)) \ + $(if $(CONFIG_ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC)) \ + $(if $(CONFIG_ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE),$(call cfg_en,CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE)) \ + $(if $(CONFIG_ESP32S2_SECURE_FLASH_REQUIRE_ALREADY_ENABLED),$(call cfg_en,CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED)) \ $(call cfg_val,CONFIG_ESP_BOOTLOADER_SIZE,0xF000) \ $(call cfg_val,CONFIG_ESP_APPLICATION_PRIMARY_START_ADDRESS,$(CONFIG_ESP32S2_OTA_PRIMARY_SLOT_OFFSET)) \ $(call cfg_val,CONFIG_ESP_APPLICATION_SIZE,$(CONFIG_ESP32S2_OTA_SLOT_SIZE)) \ diff --git a/arch/xtensa/src/esp32s2/Kconfig b/arch/xtensa/src/esp32s2/Kconfig index da2c9cb16e..23152d144a 100644 --- a/arch/xtensa/src/esp32s2/Kconfig +++ b/arch/xtensa/src/esp32s2/Kconfig @@ -81,6 +81,16 @@ config ESP32S2_FLASH_16M bool default n +config ESP32S2_ESPTOOLPY_NO_STUB + bool "Disable download stub" + default n + ---help--- + The flasher tool sends a precompiled download stub first by default. + That stub allows things like compressed downloads and more. + Usually you should not need to disable that feature. + It is only required to be disabled in certain scenarios when either + Secure Boot V2 or Flash Encryption is enabled. + config ESP32S2_FLASH_DETECT bool "Auto-detect FLASH size" default y diff --git a/arch/xtensa/src/esp32s2/Kconfig.security b/arch/xtensa/src/esp32s2/Kconfig.security index f9b12975da..f03c975cab 100644 --- a/arch/xtensa/src/esp32s2/Kconfig.security +++ b/arch/xtensa/src/esp32s2/Kconfig.security @@ -20,7 +20,7 @@ config ESP32S2_SECURE_BOOT if ESP32S2_SECURE_BOOT -comment "Secure Boot support requires building bootloader from source (ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE)" +comment "Secure Boot support requires building the bootloader from source (ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE)" depends on !ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE config ESP32S2_SECURE_BOOT_BUILD_SIGNED_BINARIES @@ -100,8 +100,54 @@ config ESP32S2_SECURE_BOOT_INSECURE endif # ESP32S2_SECURE_BOOT +comment "Flash Encryption" + +config ESP32S2_SECURE_FLASH_ENC_ENABLED + bool "Enable Flash Encryption on boot (READ HELP FIRST)" + default n + depends on ESP32S2_APP_FORMAT_MCUBOOT + ---help--- + If this option is set, flash contents will be encrypted by the bootloader on first boot. + + Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted + system is complicated and not always possible. + + Read https://docs.espressif.com/projects/esp-idf/en/latest/esp32s2/security/flash-encryption.html + before enabling. + +if ESP32S2_SECURE_FLASH_ENC_ENABLED + +comment "Flash Encryption support requires building the bootloader from source (ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE)" + depends on !ESP32S2_BOOTLOADER_BUILD_FROM_SOURCE + +choice ESP32S2_SECURE_FLASH_ENCRYPTION_MODE + bool "Enable usage mode" + default ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + By default, Development mode is enabled which allows ROM download mode to perform Flash Encryption + operations (plaintext is sent to the device, and it encrypts it internally and writes ciphertext + to flash). This mode is not secure, it's possible for an attacker to write their own chosen plaintext + to flash. + + Release mode should always be selected for production or manufacturing. Once enabled it's no longer + possible for the device in ROM Download Mode to use the Flash Encryption hardware. + + Refer to the Flash Encryption section of the ESP-IDF Programmer's Guide for details: + https://docs.espressif.com/projects/esp-idf/en/latest/esp32s2/security/flash-encryption.html#flash-encryption-configuration + + config ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + bool "Development (NOT SECURE)" + select ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC + + config ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_RELEASE + bool "Release" + +endchoice + +endif # ESP32S2_SECURE_FLASH_ENC_ENABLED + menu "Potentially insecure options" - visible if ESP32S2_SECURE_BOOT_INSECURE + visible if ESP32S2_SECURE_BOOT_INSECURE || ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT # NOTE: Options in this menu NEED to have ESP32S2_SECURE_BOOT_INSECURE # and/or ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT in "depends on", as the menu @@ -112,7 +158,7 @@ menu "Potentially insecure options" config ESP32S2_SECURE_BOOT_ALLOW_JTAG bool "Allow JTAG Debugging" default n - depends on ESP32S2_SECURE_BOOT_INSECURE + depends on ESP32S2_SECURE_BOOT_INSECURE || ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT ---help--- If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot when either Secure Boot or Flash Encryption is enabled. @@ -142,12 +188,51 @@ config ESP32S2_SECURE_BOOT_ALLOW_EFUSE_RD_DIS then it is __NOT__ possible to read/write efuses using espefuse.py utility. However, efuse can be read/written from the application. +config ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC + bool "Leave UART bootloader encryption enabled" + default n + depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), the bootloader will permanently disable UART bootloader encryption access on + first boot. If set, the UART bootloader will still be able to access hardware encryption. + + It is recommended to only set this option in testing environments. + +config ESP32S2_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE + bool "Leave UART bootloader flash cache enabled" + default n + depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), the bootloader will permanently disable UART bootloader flash cache access on + first boot. If set, the UART bootloader will still be able to access the flash cache. + + Only set this option in testing environments. + +config ESP32S2_SECURE_FLASH_REQUIRE_ALREADY_ENABLED + bool "Require Flash Encryption to be already enabled" + default n + depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + ---help--- + If not set (default), and Flash Encryption is not yet enabled in eFuses, the 2nd stage bootloader + will enable Flash Encryption: generate the Flash Encryption key and program eFuses. + If this option is set, and Flash Encryption is not yet enabled, the bootloader will error out and + reboot. + If Flash Encryption is enabled in eFuses, this option does not change the bootloader behavior. + + Only use this option in testing environments, to avoid accidentally enabling Flash Encryption on + the wrong device. The device needs to have Flash Encryption already enabled using espefuse.py. + endmenu # Potentially insecure options +config ESP32S2_SECURE_ROM_DL_MODE_ENABLED + bool + default y if !ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT + choice ESP32S2_SECURE_UART_ROM_DL_MODE bool "UART ROM download mode" + default ESP32S2_SECURE_ENABLE_SECURE_ROM_DL_MODE if ESP32S2_SECURE_ROM_DL_MODE_ENABLED default ESP32S2_SECURE_INSECURE_ALLOW_DL_MODE - depends on ESP32S2_SECURE_BOOT + depends on ESP32S2_SECURE_BOOT || ESP32S2_SECURE_FLASH_ENC_ENABLED config ESP32S2_SECURE_DISABLE_ROM_DL_MODE bool "Permanently disabled (recommended)" @@ -166,6 +251,7 @@ choice ESP32S2_SECURE_UART_ROM_DL_MODE config ESP32S2_SECURE_ENABLE_SECURE_ROM_DL_MODE bool "Permanently switch to Secure mode (recommended)" + select ESP32S2_ESPTOOLPY_NO_STUB ---help--- If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM Download Mode into a separate Secure Download mode. This option can only work if diff --git a/tools/esp32s2/Config.mk b/tools/esp32s2/Config.mk index ec562069af..8c24c479ff 100644 --- a/tools/esp32s2/Config.mk +++ b/tools/esp32s2/Config.mk @@ -253,7 +253,7 @@ define FLASH echo "USAGE: make flash ESPTOOL_PORT= [ ESPTOOL_BAUD= ] [ ESPTOOL_BINDIR= ]"; \ exit 1; \ fi - $(eval ESPTOOL_OPTS := -c esp32s2 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS)) + $(eval ESPTOOL_OPTS := -c esp32s2 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS) $(if $(CONFIG_ESP32S2_ESPTOOLPY_NO_STUB),--no-stub)) esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS) $(if $(CONFIG_ESP32S2_SECURE_BOOT),$(call HELP_FLASH_BOOTLOADER))