Add cmake script to update otp.json from privateaes.bin (#536)

will-v-pi · web-flow · commit da4e50da69ee · 2024-10-01T10:43:18.000-05:00
diff --git a/bootloaders/encrypted/CMakeLists.txt b/bootloaders/encrypted/CMakeLists.txt
@@ -4,6 +4,17 @@ add_executable(enc_bootloader
         aes.S
         )
 
+# Add command to update otp.json if privateaes.bin changes
+add_custom_command(OUTPUT ${CMAKE_CURRENT_LIST_DIR}/otp.json
+    COMMAND ${CMAKE_COMMAND} -P "${CMAKE_CURRENT_LIST_DIR}/update-key.cmake"
+    DEPENDS ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin)
+# Copy that otp.json file to build directory
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/otp.json
+    COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_CURRENT_LIST_DIR}/otp.json" "${CMAKE_CURRENT_BINARY_DIR}/otp.json"
+    DEPENDS ${CMAKE_CURRENT_LIST_DIR}/otp.json)
+add_custom_target(otp_json DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/otp.json)
+add_dependencies(enc_bootloader otp_json)
+
 # pull in common dependencies
 target_link_libraries(enc_bootloader pico_stdlib pico_rand)
 
@@ -39,7 +50,6 @@ endfunction()
 add_linker_script(enc_bootloader "0x20070000" "64k")
 
 # configure otp output
-configure_file(${CMAKE_CURRENT_LIST_DIR}/otp.json ${CMAKE_CURRENT_BINARY_DIR}/otp.json COPYONLY)
 pico_set_otp_key_output_file(enc_bootloader ${CMAKE_CURRENT_BINARY_DIR}/otp.json)
 
 # sign, hash, and clear SRAM
diff --git a/bootloaders/encrypted/otp.json b/bootloaders/encrypted/otp.json
@@ -1,78 +1,46 @@
 {
-    "30:0": {
-        "ecc": true,
-        "value": [
-            "0x00",
-            "0x01",
-            "0x02",
-            "0x03",
-            "0x04",
-            "0x05",
-            "0x06",
-            "0x07",
-            "0x08",
-            "0x09",
-            "0x0a",
-            "0x0b",
-            "0x0c",
-            "0x0d",
-            "0x0e",
-            "0x0f",
-            "0x00",
-            "0x10",
-            "0x20",
-            "0x30",
-            "0x40",
-            "0x50",
-            "0x60",
-            "0x70",
-            "0x80",
-            "0x90",
-            "0xA0",
-            "0xB0",
-            "0xC0",
-            "0xD0",
-            "0xE0",
-            "0xF0"
-        ]
-    },
-    "OTP_DATA_KEY1": [
-        0,
-        0,
-        1,
-        1,
-        2,
-        2,
-        3,
-        3,
-        4,
-        4,
-        5,
-        5,
-        6,
-        6,
-        7,
-        7
-    ],
-    "OTP_DATA_KEY1_VALID": "0x010101",
-    "OTP_DATA_KEY2": [
-        7,
-        7,
-        6,
-        6,
-        5,
-        5,
-        4,
-        4,
-        3,
-        3,
-        2,
-        2,
-        1,
-        1,
-        0,
-        0
-    ],
-    "OTP_DATA_KEY2_VALID": "0x010101",
-    "PAGE30_LOCK0": "0x4a4a4a"
-}
+  "30:0" : 
+  {
+    "ecc" : true,
+    "value" : 
+    [
+      "0x00",
+      "0x01",
+      "0x02",
+      "0x03",
+      "0x04",
+      "0x05",
+      "0x06",
+      "0x07",
+      "0x08",
+      "0x09",
+      "0x0a",
+      "0x0b",
+      "0x0c",
+      "0x0d",
+      "0x0e",
+      "0x0f",
+      "0x00",
+      "0x10",
+      "0x20",
+      "0x30",
+      "0x40",
+      "0x50",
+      "0x60",
+      "0x70",
+      "0x80",
+      "0x90",
+      "0xa0",
+      "0xb0",
+      "0xc0",
+      "0xd0",
+      "0xe0",
+      "0xf0"
+    ]
+  },
+  "OTP_DATA_KEY1" : [ 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7 ],
+  "OTP_DATA_KEY1_VALID" : "0x010101",
+  "OTP_DATA_KEY2" : [ 7, 7, 6, 6, 5, 5, 4, 4, 3, 3, 2, 2, 1, 1, 0, 0 ],
+  "OTP_DATA_KEY2_VALID" : "0x010101",
+  "PAGE30_LOCK0" : "0x4a4a4a"
+}
diff --git a/bootloaders/encrypted/update-key.cmake b/bootloaders/encrypted/update-key.cmake
@@ -0,0 +1,23 @@
+if (CMAKE_VERSION VERSION_LESS 3.19)
+    # Check if keyfile is not the default, and print warning
+    file(READ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin key_file HEX)
+    if (NOT ${key_file} STREQUAL "000102030405060708090a0b0c0d0e0f00102030405060708090a0b0c0d0e0f0")
+        message(WARNING
+            "Encrypted bootloader AES key not updated in otp.json file, as CMake version is < 3.19"
+            " - you will need to change the key in otp.json manually and re-run the build"
+        )
+    endif()
+else()
+    # Read the JSON file.
+    file(READ ${CMAKE_CURRENT_LIST_DIR}/otp.json json_string)
+    # Read the key file
+    file(READ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin key_file HEX)
+
+    # adds '0x' prefix, comma suffix, and quotes for every byte
+    string(REGEX REPLACE "([0-9a-f][0-9a-f])" "\"0x\\1\", " key_file ${key_file})
+    set(key_file_json "[${key_file}]")
+
+    string(JSON json_string SET ${json_string} "30:0" "value" ${key_file_json})
+
+    file(WRITE ${CMAKE_CURRENT_LIST_DIR}/otp.json ${json_string})
+endif()
