From bfdf934e3a9f6e39496f2434817df776ef35247d Mon Sep 17 00:00:00 2001
From: Almir Okato
Date: Fri, 27 Jan 2023 16:24:00 -0300
Subject: [PATCH] espressif: ci: Add new building jobs configs for Espressif chips Add jobs for testing build ESP32-XX within more features: Serial Recovery, Multi Image and Multi Boot
Signed-off-by: Almir Okato
---
 .github/workflows/espressif.yaml | 11 +++++-
 boot/espressif/ci_configs/multi-boot.conf | 10 +++++
 boot/espressif/ci_configs/multi-image.conf | 9 +++++
 .../secureboot-sign-ec256.conf | 2 +
 .../secureboot-sign-ed25519.conf | 2 +
 .../secureboot-sign-rsa2048.conf | 2 +
 .../secureboot-sign-rsa3072.conf | 2 +
 boot/espressif/ci_configs/serialrecovery.conf | 10 +++++
 .../port/esp32/bootloader-multi.conf | 34 +++++++++++++++++
 .../port/esp32s3/bootloader-multi.conf | 38 +++++++++++++++++++
 ci/espressif_run.sh | 14 +++++--
 11 files changed, 129 insertions(+), 5 deletions(-)
 create mode 100644 boot/espressif/ci_configs/multi-boot.conf
 create mode 100644 boot/espressif/ci_configs/multi-image.conf
 rename boot/espressif/{ => ci_configs}/secureboot-sign-ec256.conf (89%)
 rename boot/espressif/{ => ci_configs}/secureboot-sign-ed25519.conf (89%)
 rename boot/espressif/{ => ci_configs}/secureboot-sign-rsa2048.conf (89%)
 rename boot/espressif/{ => ci_configs}/secureboot-sign-rsa3072.conf (89%)
 create mode 100644 boot/espressif/ci_configs/serialrecovery.conf
 create mode 100644 boot/espressif/port/esp32/bootloader-multi.conf
 create mode 100644 boot/espressif/port/esp32s3/bootloader-multi.conf
diff --git a/.github/workflows/espressif.yaml b/.github/workflows/espressif.yaml
index 5996407c..a5c3a75c 100644
--- a/.github/workflows/espressif.yaml
+++ b/.github/workflows/espressif.yaml
@@ -20,11 +20,20 @@ jobs:
 matrix:
 targets: [esp32, esp32s2, esp32s3, esp32c3]
 features:
- - "sign-rsa2048,sign-rsa3072,sign-ec256,sign-ed25519"
+ - "secureboot-sign-rsa2048,secureboot-sign-rsa3072,secureboot-sign-ec256,secureboot-sign-ed25519"
+ - "serialrecovery"
+ include:
+ - targets: esp32
+ features: "multi-image,multi-boot"
+ img: "multi"
+ - targets: esp32s3
+ features: "multi-image,multi-boot"
+ img: "multi"
 runs-on: ubuntu-latest
 env:
 MCUBOOT_TARGETS: ${{ matrix.targets }}
 MCUBOOT_FEATURES: ${{ matrix.features }}
+ MCUBOOT_IMG_NUM: ${{ matrix.img }}
 steps:
 - uses: actions/checkout@v2
 with:
diff --git a/boot/espressif/ci_configs/multi-boot.conf b/boot/espressif/ci_configs/multi-boot.conf
new file mode 100644
index 00000000..4adf2537
--- /dev/null
+++ b/boot/espressif/ci_configs/multi-boot.conf
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+
+CONFIG_ESP_IMAGE_NUMBER=2
+CONFIG_ESP_MULTI_PROCESSOR_BOOT=y
diff --git a/boot/espressif/ci_configs/multi-image.conf b/boot/espressif/ci_configs/multi-image.conf
new file mode 100644
index 00000000..895a865e
--- /dev/null
+++ b/boot/espressif/ci_configs/multi-image.conf
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+
+CONFIG_ESP_IMAGE_NUMBER=2
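Review bot: `MCUBOOT_IMG_NUM` is named like a count, but the only value `matrix.img` takes in this hunk is the string "multi", which ci/espressif_run.sh turns into a config-file suffix (`bootloader-multi.conf`). For every matrix combination outside the two `include` entries `matrix.img` is undefined, so the variable should expand to an empty string and the script falls back to `bootloader.conf`; nothing in the workflow says so. A comment above the new env line would make that coupling visible, for example `# img selects port/<target>/bootloader-<img>.conf in ci/espressif_run.sh; empty means bootloader.conf`. Renaming the variable to something like a "variant" would fit the value better, if the name is not already used elsewhere.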
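Review bot: The ATTENTION header in multi-boot.conf says the file holds definitions "to resemble a bootloader image for RELEASE environment", but the only settings under it are `CONFIG_ESP_IMAGE_NUMBER=2` and `CONFIG_ESP_MULTI_PROCESSOR_BOOT=y`; nothing here enables signing, secure boot or flash encryption. That wording fits the secureboot-sign-* configs, whose hunks show `CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=1`, and on this file it could lead a reader to treat a CI multi-image build as release-hardened. The same header is repeated in multi-image.conf and serialrecovery.conf in this patch. I would replace it in all three with a line such as `# CI-only build fragment; enables no security features and is not a release configuration.`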
diff --git a/boot/espressif/secureboot-sign-ec256.conf b/boot/espressif/ci_configs/secureboot-sign-ec256.conf
similarity index 89%
rename from boot/espressif/secureboot-sign-ec256.conf
rename to boot/espressif/ci_configs/secureboot-sign-ec256.conf
index 37d4f7bf..17b032b2 100644
--- a/boot/espressif/secureboot-sign-ec256.conf
+++ b/boot/espressif/ci_configs/secureboot-sign-ec256.conf
@@ -18,3 +18,5 @@ CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=1
 CONFIG_ESP_SIGN_KEY_FILE=root-ec-p256.pem
 CONFIG_ESP_USE_TINYCRYPT=1
 CONFIG_ESP_SIGN_EC256=1
+CONFIG_ESP_DOWNGRADE_PREVENTION=1
+CONFIG_ESP_DOWNGRADE_PREVENTION_SECURITY_COUNTER=1
diff --git a/boot/espressif/secureboot-sign-ed25519.conf b/boot/espressif/ci_configs/secureboot-sign-ed25519.conf
similarity index 89%
rename from boot/espressif/secureboot-sign-ed25519.conf
rename to boot/espressif/ci_configs/secureboot-sign-ed25519.conf
index a317aa44..9cbdcd67 100644
--- a/boot/espressif/secureboot-sign-ed25519.conf
+++ b/boot/espressif/ci_configs/secureboot-sign-ed25519.conf
@@ -18,3 +18,5 @@ CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=1
 CONFIG_ESP_SIGN_KEY_FILE=root-ed25519.pem
 CONFIG_ESP_USE_TINYCRYPT=1
 CONFIG_ESP_SIGN_ED25519=1
+CONFIG_ESP_DOWNGRADE_PREVENTION=1
+CONFIG_ESP_DOWNGRADE_PREVENTION_SECURITY_COUNTER=1
diff --git a/boot/espressif/secureboot-sign-rsa2048.conf b/boot/espressif/ci_configs/secureboot-sign-rsa2048.conf
similarity index 89%
rename from boot/espressif/secureboot-sign-rsa2048.conf
rename to boot/espressif/ci_configs/secureboot-sign-rsa2048.conf
index f5ad8832..2b221501 100644
--- a/boot/espressif/secureboot-sign-rsa2048.conf
+++ b/boot/espressif/ci_configs/secureboot-sign-rsa2048.conf
@@ -19,3 +19,5 @@ CONFIG_ESP_SIGN_KEY_FILE=root-rsa-2048.pem
 CONFIG_ESP_USE_MBEDTLS=1
 CONFIG_ESP_SIGN_RSA=1
 CONFIG_ESP_SIGN_RSA_LEN=2048
+CONFIG_ESP_DOWNGRADE_PREVENTION=1
+CONFIG_ESP_DOWNGRADE_PREVENTION_SECURITY_COUNTER=1
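Review bot: The two added lines, `CONFIG_ESP_DOWNGRADE_PREVENTION=1` and `CONFIG_ESP_DOWNGRADE_PREVENTION_SECURITY_COUNTER=1`, change the security behaviour of this config (by their names, rollback protection based on a security counter), yet the commit message talks only about new build jobs and the lines carry no comment. The same pair is added in the ed25519, rsa2048 and rsa3072 hunks. As far as this patch shows, the CI job only builds the bootloader, so nothing here checks that an image with a lower counter is actually refused, and a green job should not be read as proof that the protection works. Suggest a comment above the pair such as `# Anti-rollback via image security counter; CI only verifies that this builds, not that downgrades are rejected`, and a line in the commit description mentioning the change.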
diff --git a/boot/espressif/secureboot-sign-rsa3072.conf b/boot/espressif/ci_configs/secureboot-sign-rsa3072.conf
similarity index 89%
rename from boot/espressif/secureboot-sign-rsa3072.conf
rename to boot/espressif/ci_configs/secureboot-sign-rsa3072.conf
index f6b2c9b8..9f137850 100644
--- a/boot/espressif/secureboot-sign-rsa3072.conf
+++ b/boot/espressif/ci_configs/secureboot-sign-rsa3072.conf
@@ -19,3 +19,5 @@ CONFIG_ESP_SIGN_KEY_FILE=root-rsa-3072.pem
 CONFIG_ESP_USE_MBEDTLS=1
 CONFIG_ESP_SIGN_RSA=1
 CONFIG_ESP_SIGN_RSA_LEN=3072
+CONFIG_ESP_DOWNGRADE_PREVENTION=1
+CONFIG_ESP_DOWNGRADE_PREVENTION_SECURITY_COUNTER=1
diff --git a/boot/espressif/ci_configs/serialrecovery.conf b/boot/espressif/ci_configs/serialrecovery.conf
new file mode 100644
index 00000000..7e81bdee
--- /dev/null
+++ b/boot/espressif/ci_configs/serialrecovery.conf
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+
+CONFIG_ESP_MCUBOOT_SERIAL=y
+CONFIG_ESP_MCUBOOT_ERASE_PROGRESSIVELY=y
diff --git a/boot/espressif/port/esp32/bootloader-multi.conf b/boot/espressif/port/esp32/bootloader-multi.conf
new file mode 100644
index 00000000..ad3355ec
--- /dev/null
+++ b/boot/espressif/port/esp32/bootloader-multi.conf
@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+CONFIG_ESP_FLASH_SIZE=4MB
+CONFIG_ESP_BOOTLOADER_SIZE=0xF000
+CONFIG_ESP_BOOTLOADER_OFFSET=0x1000
+# Example of values to be used when multi image is enabled
+# Notice that the OS layer and update agent must be aware
+# of these regions
+CONFIG_ESP_APPLICATION_SIZE=0x80000
+CONFIG_ESP_IMAGE0_PRIMARY_START_ADDRESS=0x10000
+CONFIG_ESP_IMAGE0_SECONDARY_START_ADDRESS=0x90000
+CONFIG_ESP_IMAGE1_PRIMARY_START_ADDRESS=0x110000
+CONFIG_ESP_IMAGE1_SECONDARY_START_ADDRESS=0x190000
+CONFIG_ESP_SCRATCH_OFFSET=0x210000
+CONFIG_ESP_SCRATCH_SIZE=0x40000
+CONFIG_ESP_MCUBOOT_WDT_ENABLE=y
+
+CONFIG_ESP_CONSOLE_UART=y
+CONFIG_ESP_CONSOLE_UART_NUM=0
+# Configures alternative UART port for console printing
+# CONFIG_ESP_CONSOLE_UART_CUSTOM=y
+# CONFIG_ESP_CONSOLE_UART_TX_GPIO=26
+# CONFIG_ESP_CONSOLE_UART_RX_GPIO=25
+
+# Enables multi image, if it is not defined, it is assumed
+# only one updatable image
+# CONFIG_ESP_IMAGE_NUMBER=2
+
+# Enables multi image boot on independent processors
+# (main host OS is not responsible for booting the second image)
+# Use only with CONFIG_ESP_IMAGE_NUMBER=2
+# CONFIG_ESP_MULTI_PROCESSOR_BOOT=y
diff --git a/boot/espressif/port/esp32s3/bootloader-multi.conf b/boot/espressif/port/esp32s3/bootloader-multi.conf
new file mode 100644
index 00000000..21c3457a
--- /dev/null
+++ b/boot/espressif/port/esp32s3/bootloader-multi.conf
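Review bot: Despite its name, this file leaves both `CONFIG_ESP_IMAGE_NUMBER=2` and `CONFIG_ESP_MULTI_PROCESSOR_BOOT=y` commented out, so used on its own it describes a two-image flash layout while, per its own comment, only one updatable image is assumed; multi-image is switched on only when the CI script appends ci_configs/multi-image.conf or multi-boot.conf. The esp32s3 bootloader-multi.conf hunk has the same shape. A header comment would prevent that mismatch outside CI, for example `# Flash layout for two updatable images; set CONFIG_ESP_IMAGE_NUMBER=2 below or through an additional config fragment.` The layout values themselves are consistent as written: four 0x80000 slots from 0x10000 to 0x210000 followed by a 0x40000 scratch area, all inside the 4MB flash.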
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+CONFIG_ESP_FLASH_SIZE=4MB
+CONFIG_ESP_BOOTLOADER_SIZE=0xF000
+CONFIG_ESP_BOOTLOADER_OFFSET=0x0000
+CONFIG_ESP_MCUBOOT_WDT_ENABLE=y
+# Example of values to be used when multi image is enabled
+# Notice that the OS layer and update agent must be aware
+# of these regions
+CONFIG_ESP_APPLICATION_SIZE=0x80000
+CONFIG_ESP_IMAGE0_PRIMARY_START_ADDRESS=0x10000
+CONFIG_ESP_IMAGE0_SECONDARY_START_ADDRESS=0x90000
+CONFIG_ESP_IMAGE1_PRIMARY_START_ADDRESS=0x110000
+CONFIG_ESP_IMAGE1_SECONDARY_START_ADDRESS=0x190000
+CONFIG_ESP_SCRATCH_OFFSET=0x210000
+CONFIG_ESP_SCRATCH_SIZE=0x40000
+
+# Use UART0 for console printing (use either UART or USB alone)
+CONFIG_ESP_CONSOLE_UART=y
+CONFIG_ESP_CONSOLE_UART_NUM=0
+# Configures alternative UART port for console printing
+# (UART_NUM=0 must not be changed)
+# CONFIG_ESP_CONSOLE_UART_CUSTOM=y
+# CONFIG_ESP_CONSOLE_UART_TX_GPIO=17
+# CONFIG_ESP_CONSOLE_UART_RX_GPIO=18
+# Use USB JTAG Serial for console printing
+# CONFIG_ESP_CONSOLE_USB_SERIAL_JTAG=y
+
+# Enables multi image, if it is not defined, it is assumed
+# only one updatable image
+# CONFIG_ESP_IMAGE_NUMBER=2
+
+# Enables multi image boot on independent processors
+# (main host OS is not responsible for booting the second image)
+# Use only with CONFIG_ESP_IMAGE_NUMBER=2
+# CONFIG_ESP_MULTI_PROCESSOR_BOOT=y
diff --git a/ci/espressif_run.sh b/ci/espressif_run.sh
index 30e10820..e4729fe8 100755
--- a/ci/espressif_run.sh
+++ b/ci/espressif_run.sh
@@ -18,12 +18,17 @@ prepare_environment() { build_mcuboot() { local target=${1} local feature=${2} - local toolchain_file="${ESPRESSIF_ROOT}/tools/toolchain-${target}.cmake" - local mcuboot_config="${ESPRESSIF_ROOT}/port/${target}/bootloader.conf" + local img_num=${3} local build_dir=".build-${target}" + local toolchain_file="${ESPRESSIF_ROOT}/tools/toolchain-${target}.cmake" + + if [ -n "$img_num" ]; then + img_num="-${img_num}" + fi + local mcuboot_config="${ESPRESSIF_ROOT}/port/${target}/bootloader${img_num}.conf" if [ -n "${feature}" ]; then - mcuboot_config="${mcuboot_config};${ESPRESSIF_ROOT}/secureboot-${feature}.conf" + mcuboot_config="${mcuboot_config};${ESPRESSIF_ROOT}/ci_configs/${feature}.conf" build_dir=".build-${target}-${feature}" fi @@ -44,11 +49,12 @@ prepare_environment if [ -n "${MCUBOOT_FEATURES}" ]; then IFS=',' read -ra target_list <<< "${MCUBOOT_TARGETS}" + read img_num <<< "${MCUBOOT_IMG_NUM}" for target in "${target_list[@]}"; do read -ra feature_list <<< "${MCUBOOT_FEATURES}" for feature in "${feature_list[@]}"; do echo "Building MCUboot for \"${target}\" with support for \"${feature}\"" - build_mcuboot "${target}" "${feature}" + build_mcuboot "${target}" "${feature}" "${img_num}" done done fi
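Review bot: The base config path is now built from the third argument as `bootloader${img_num}.conf` with no check that the file exists; this patch adds a bootloader-multi.conf only for esp32 and esp32s3, so a matrix entry that sets `img` for another target would fail later in the build with a less obvious error (how the path is consumed lies outside the hunk). Adding `[ -f "${mcuboot_config}" ] || { echo "missing config: ${mcuboot_config}" >&2; exit 1; }` directly after the `local mcuboot_config=...` line, before the feature fragment is appended with `;`, would fail fast with a clear message. The new test `[ -n "$img_num" ]` could also use the `${img_num}` brace form that the rest of the function uses. build_mcuboot's body continues past the end of the hunk.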
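Review bot: In the second hunk, `read img_num <<< "${MCUBOOT_IMG_NUM}"` uses `read` without `-r` just to copy one variable, so backslashes in the value are processed and the result depends on whatever IFS is in effect at that point. A plain assignment, `img_num="${MCUBOOT_IMG_NUM:-}"`, does the same job without either effect, and the `:-` default keeps the script usable when it is run outside the workflow with the variable unset (whether the script enables `set -u` is not visible here). Since the value ends up inside a file path, a short comment stating the expected values, e.g. `# empty or "multi"; selects bootloader[-<img>].conf`, would also help.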